PrivKit – Simple Beacon Object File That Detects Privilege Escalation Vulnerabilities Caused By Misconfigurations On Windows OS

August 3, 2023

eb7bb5e5dea4685061b4b34c0549fab932e42c6ff99346f993615e45968d017a


PrivKit is a simple beacon object file that detects privilege escalation vulnerabilities caused by misconfigurations on Windows OS.


PrivKit detects following misconfigurations

 Checks for Unquoted Service Paths
 Checks for Autologon Registry Keys
 Checks for Always Install Elevated Registry Keys
 Checks for Modifiable Autoruns
 Checks for Hijackable Paths
 Enumerates Credentials From Credential Manager
 Looks for current Token Privileges

Usage

[03/20 00:51:06] beacon> privcheck
[03/20 00:51:06] [*] Priv Esc Check Bof by @merterpreter
[03/20 00:51:06] [*] Checking For Unquoted Service Paths..
[03/20 00:51:06] [*] Checking For Autologon Registry Keys..
[03/20 00:51:06] [*] Checking For Always Install Elevated Registry Keys..
[03/20 00:51:06] [*] Checking For Modifiable Autoruns..
[03/20 00:51:06] [*] Checking For Hijackable Paths..
[03/20 00:51:06] [*] Enumerating Credentials From Credential Manager..
[03/20 00:51:06] [*] Checking For Token Privileges..
[03/20 00:51:06] [+] host called home, sent: 10485 bytes
[03/20 00:51:06] [+] received output:
Unquoted Service Path Check Result: Vulnerable service path found: c:\program files (x86)\grasssoft\macro expert\MacroService.exe

Simply load the cna file and type “privcheck”
If you want to compile by yourself you can use:
make all
or
x86_64-w64-mingw32-gcc -c cfile.c -o ofile.o

If you want to look for just one misconf you can use object file with “inline-execute” for example
inline-execute /path/tokenprivileges.o

7c5fd7be614dd209a1141d235f25f7a6133b405fe6f5005fbead44db3021d4b3

76254106c09c41497054532c0bf1ead527032f284563d4b89eb09cf6ab7420a3

Acknowledgement

Mr.Un1K0d3r – Offensive Coding Portal
https://mr.un1k0d3r.world/portal/

Outflank – C2-Tool-Collection
https://github.com/outflanknl/C2-Tool-Collection

dtmsecurity – Beacon Object File (BOF) Creation Helper
https://github.com/dtmsecurity/bof_helper

Microsoft 🙂
https://learn.microsoft.com/en-us/windows/win32/api/

HsTechDocs by HelpSystems(Fortra)
https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/beacon-object-files_how-to-develop.htm



A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

 To keep up to date follow us on the below channels.

Tags: , , , ,

You may have missed

Sliver C2

Sliver C2 Detected – 45[.]55[.]51[.]117:31337

May 1, 2024
Sliver C2

Sliver C2 Detected – 89[.]221[.]225[.]207:31337

May 1, 2024
Sliver C2

Sliver C2 Detected – 8[.]222[.]253[.]149:31337

May 1, 2024
Sliver C2

Sliver C2 Detected – 144[.]34[.]250[.]208:31337

May 1, 2024
Sliver C2

Sliver C2 Detected – 43[.]138[.]184[.]91:31337

May 1, 2024