Search the Community
Showing results for tags 'impersonation'.
-
This project is a PoC code to use Pass-the-Hash for authentication on a local Named Pipe user Impersonation. There also is a blog post for an explanation. It is heavily based on the code from the projects Invoke-SMBExec.ps1 and RoguePotato. I faced certain Offensive Security project situations in the past, where I already had the NTLM-Hash of a low-privileged user account and needed a shell for that user on the current compromised system – but that was not possible with the current public tools. Imagine two more facts for a situation like that – the NTLM Hash could not be cracked and there is no process of the victim user to execute shellcode in it or to migrate into that process. This may sound like an absurd edge case for some of you. I still experienced that multiple times. Not only in one engagement I spend a lot of time searching for the right tool/technique in that specific situation. My personal goals for a tool/technique were: Fully featured shell or C2-connection as the victim user-account It must to able to also Impersonate low privileged accounts – depending on engagement goals it might be needed to access a system with a specific user such as the CEO, HR-accounts, SAP-administrators, or others The tool can be used as C2-module [hide][Hidden Content]]
-
- 1
-
- namedpipepth:
- pass
-
(and 7 more)
Tagged with:
-
The VMX process (vmware-vmx.exe) process configures and hosts an instance of VM. As is common with desktop virtualization platforms the VM host usually has privileged access into the OS such as mapping physical memory which represents a security risk. To mitigate this the VMX process is created with an elevated integrity level by the authentication daemon (vmware-authd.exe) which runs at SYSTEM. This prevents a non-administrator user opening the process and abusing its elevated access. Unfortunately the process is created as the desktop user and follows the common pattern of impersonating the user while calling CreateProcessAsUser. This is an issue as the user has the ability to replace any drive letter for themselves, which allows a non-admin user to hijack the path to the VMX executable, allowing the user to get arbitrary code running as a trusted VMX process. Affects VMware Workstation Windows version 14.1.5 (on Windows 10). Also tested on VMware Player version 15.0.2. View the full article
-
An impersonation issue in BMC Remedy version 7.1 may lead to incorrect user context in Remedy AR System Server. View the full article