# Intro

- One of the best privesc vectors is the processes that are running on the system
- Even if a process is not running as an administrator, it may lead to additional privs
- The most common example is discovering a web server like IIS or XAMPP running on the box, placing an `aspx/php` shell on the box, and gaining a shell as the user running the web server
- Generally, this is not an administrator but will often hold `SeImpersonate` in its token, allowing `Rogue/Juicy/Lonely Potato` to provide SYSTEM permissions
- In Windows, [access tokens](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens) are used to describe the security context (security attributes or rules) of a process or thread
- The token includes information about the user account's identity and the privs that apply to a specific process or thread

# Enum Network Services

- Display active connections
- Look for entries listening on loopback addresses (`127.0.0.1` and `::1`) that are not bound to the host's IP address or to all interfaces (`0.0.0.0`, `::/0`); those services are reachable only from the box itself and never show up in an external port scan

```cmd
netstat -ano
```

# Named Pipes

- Another way in which processes communicate with one another is through named pipes
- Pipes are essentially files stored in memory that get cleared out after being read
- As an example, Cobalt Strike uses named pipes for every command (excluding [BOF](https://www.cobaltstrike.com/help-beacon-object-files))
- Essentially, the workflow looks like this:
    1. Beacon starts a named pipe of `\\.\pipe\msagent_12`
    2. Beacon starts a new process and injects the command into that process, directing output to `\\.\pipe\msagent_12`
    3. Server displays what was written into `\\.\pipe\msagent_12`
- Pipes are used for communication between two apps or processes using shared memory
- There are two types of pipes, [named pipes](https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes) and anonymous pipes
- An example of a named pipe is `\\.\PipeName\\ExampleNamedPipeServer`
- List named pipes using `pipelist.exe`

```cmd
pipelist.exe /accepteula
```

- List named pipes with PowerShell's `Get-ChildItem` cmdlet

```powershell
gci \\.\pipe\
```

- Review LSASS named pipe perms using [Accesschk](https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk)

```cmd
accesschk.exe /accepteula \\.\Pipe\lsass -v
```

# Named Pipe Attack

- Below is an example privesc that takes advantage of an exposed named pipe: [WindscribeService Named Pipe Privilege Escalation](https://www.exploit-db.com/exploits/48021)
- In this example, we can search for all named pipes that allow write access with `accesschk.exe -w \pipe\* -v` and notice that the `WindscribeService` named pipe allows `READ` and `WRITE` access to the `Everyone` group
- From here, we could leverage these weak perms to privesc to SYSTEM

```cmd
C:\htb> accesschk.exe -accepteula -w \pipe\WindscribeService -v

Accesschk v6.13 - Reports effective permissions for securable objects
Copyright © 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com

\\.\Pipe\WindscribeService
  Medium Mandatory Level (Default) [No-Write-Up]
  RW Everyone
        FILE_ALL_ACCESS
```

---

# Exercise

- Enumerate named pipes

```powershell
gci \\.\pipe\
```

![[images/Pasted image 20260217200844.png]]

- Download `AccessChk.exe` on Kali: [AccessChk - Sysinternals | Microsoft Learn](https://learn.microsoft.com/en-us/sysinternals/downloads/accesschk)
- Serve up the `.exe` from Kali and pull it down with `iwr`

![[images/Pasted image 20260217201441.png]]
![[images/Pasted image 20260217201621.png]]

- Use `accesschk.exe` to enumerate `\pipe\SQLLocal\SQLEXPRESS01`

![[images/Pasted image 20260217202020.png]]
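The loopback check from the Enum Network Services section, as an added example that is not part of these notes: a Python triage script that parses saved `netstat -ano` output and returns the endpoints bound only to `127.0.0.1`/`::1`, grouped by owning PID so they can be matched against the process list. The `SAMPLE_NETSTAT` text, its addresses, ports and PIDs are all constructed for the example; the `Endpoint`, `parse_netstat` and `loopback_listeners` names are the example's own.

```python
"""Triage `netstat -ano` output for services bound only to loopback.

Added example, not part of the original notes. It parses the text that
`netstat -ano` prints on Windows (saved or pasted from the host) and lists
bound endpoints that are reachable only from the machine itself, which is
the class of entry the notes say to look for. SAMPLE_NETSTAT is constructed
to match that layout; addresses, ports and PIDs are made up.
"""
from dataclasses import dataclass
import ipaddress

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       3364
  TCP    127.0.0.1:8080         127.0.0.1:50012        ESTABLISHED     3364
  TCP    10.10.10.5:49712       203.0.113.10:443       ESTABLISHED     2080
  TCP    [::]:135               [::]:0                 LISTENING       912
  TCP    [::1]:14147            [::]:0                 LISTENING       1588
  UDP    0.0.0.0:5353           *:*                                    1300
  UDP    127.0.0.1:1900         *:*                                    1300
"""


@dataclass(frozen=True)
class Endpoint:
    proto: str
    host: str
    port: int
    state: str   # TCP state; empty for UDP, which netstat prints without one
    pid: int

    @property
    def is_listening(self) -> bool:
        # A bound UDP socket is always ready to receive; TCP must be LISTENING.
        return self.proto == "UDP" or self.state == "LISTENING"

    @property
    def is_loopback(self) -> bool:
        try:
            return ipaddress.ip_address(self.host).is_loopback
        except ValueError:
            return False


def _split_hostport(addr: str) -> tuple[str, int]:
    # "127.0.0.1:8080" -> ("127.0.0.1", 8080); "[::1]:14147" -> ("::1", 14147)
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text: str) -> list[Endpoint]:
    """Turn the netstat -ano table into Endpoint records, one per row."""
    endpoints = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # blank, "Active Connections" and column-header lines
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            state, pid = parts[3], parts[4]
        else:
            state, pid = "", parts[3]   # UDP rows have no State column
        host, port = _split_hostport(local)
        endpoints.append(Endpoint(proto, host, port, state, int(pid)))
    return endpoints


def loopback_listeners(text: str) -> list[Endpoint]:
    """Endpoints bound to 127.0.0.1/::1 only, i.e. invisible from the network."""
    return [e for e in parse_netstat(text) if e.is_listening and e.is_loopback]


def listeners_by_pid(text: str) -> dict[int, list[Endpoint]]:
    """Group loopback listeners by owning PID, to match against `tasklist`."""
    grouped: dict[int, list[Endpoint]] = {}
    for e in loopback_listeners(text):
        grouped.setdefault(e.pid, []).append(e)
    return grouped


if __name__ == "__main__":
    for pid, eps in listeners_by_pid(SAMPLE_NETSTAT).items():
        bound = ", ".join(f"{e.proto} {e.host}:{e.port}" for e in eps)
        print(f"PID {pid}: {bound}")
```

Wildcard binds (`0.0.0.0`, `::`) are deliberately not reported, since those are already visible from the network; the value of the script is the list of PIDs that own a loopback-only service, which is what gets looked up in the process list next.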
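For the `accesschk` checks in the Named Pipes and Named Pipe Attack sections, an added example that is not from these notes or from Sysinternals: a Python script that parses the `-v` report from `accesschk.exe -accepteula -w \pipe\* -v` and flags pipes whose ACL grants write access to a broad group such as `Everyone` or `Authenticated Users`, the condition shown in the WindscribeService output. The `SAMPLE_ACCESSCHK` text is constructed: the WindscribeService block mirrors the output quoted in the notes, while the `lsass` and `ExampleSvc` entries and their ACEs are made up. The `BROAD_PRINCIPALS` set is an assumption about which well-known groups count as "any local user"; extend it for your environment.

```python
r"""Triage accesschk named-pipe output for pipes writable by broad groups.

Added example, not part of the original notes or of Sysinternals. It reads
the `-v` report produced by `accesschk.exe -accepteula -w \pipe\* -v` (run
on the Windows host, output saved or pasted) and flags pipes that low
privileged, well-known groups can write to. SAMPLE_ACCESSCHK is constructed:
the WindscribeService block mirrors the output quoted in the notes, the other
two pipes and their ACLs are made up for illustration.
"""
from dataclasses import dataclass, field

SAMPLE_ACCESSCHK = r"""
Accesschk v6.13 - Reports effective permissions for securable objects
Copyright (C) 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com

\\.\Pipe\WindscribeService
  Medium Mandatory Level (Default) [No-Write-Up]
  RW Everyone
        FILE_ALL_ACCESS
\\.\Pipe\lsass
  RW NT AUTHORITY\SYSTEM
        FILE_ALL_ACCESS
  R  Everyone
        FILE_READ_DATA
        FILE_READ_ATTRIBUTES
        FILE_READ_EA
        SYNCHRONIZE
\\.\Pipe\ExampleSvc
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
  RW NT AUTHORITY\Authenticated Users
        FILE_WRITE_DATA
        FILE_READ_DATA
        SYNCHRONIZE
"""

# Assumption: groups that any local or any authenticated user belongs to.
# Write access for one of these on a pipe served by a privileged process is
# the weakness the Windscribe advisory in the notes describes.
BROAD_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}


@dataclass
class PipeAce:
    access: str                       # "R", "W" or "RW" as accesschk prints it
    principal: str
    rights: list[str] = field(default_factory=list)  # -v detail lines


@dataclass
class Finding:
    pipe: str
    principal: str
    access: str
    rights: list[str]


def parse_accesschk(text: str) -> dict[str, list[PipeAce]]:
    """Map each object path in an accesschk -v report to its effective ACEs."""
    objects: dict[str, list[PipeAce]] = {}
    current_obj = None
    current_ace = None
    ace_indent = 0
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:
            # Unindented lines are either the banner or an object path.
            if line.startswith("\\\\.\\"):
                current_obj = line
                objects[current_obj] = []
            else:
                current_obj = None
            current_ace = None
            continue
        if current_obj is None:
            continue
        tokens = line.split(None, 1)
        if tokens[0] in ("R", "W", "RW") and len(tokens) == 2:
            current_ace = PipeAce(tokens[0], tokens[1].strip())
            ace_indent = indent
            objects[current_obj].append(current_ace)
        elif current_ace is not None and indent > ace_indent:
            current_ace.rights.append(line.strip())
        # Anything else (e.g. the mandatory-label line) is not an ACE.
    return objects


def audit_pipe_permissions(text: str) -> list[Finding]:
    """Return every (pipe, principal) pair where a broad group has write access."""
    findings = []
    for pipe, aces in parse_accesschk(text).items():
        for ace in aces:
            if "W" in ace.access and ace.principal.lower() in BROAD_PRINCIPALS:
                findings.append(Finding(pipe, ace.principal, ace.access, list(ace.rights)))
    return findings


if __name__ == "__main__":
    for f in audit_pipe_permissions(SAMPLE_ACCESSCHK):
        print(f"{f.pipe}: {f.access} for {f.principal} ({', '.join(f.rights)})")
```

Each finding is a pipe whose server should either tighten its DACL or treat every client message as untrusted and verify the caller's identity before acting on it; read-only entries such as `Everyone` on `lsass` in the sample are not reported because they cannot inject commands into the server.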