Elevationstation - Elevate To SYSTEM Any Way We Can! Metasploit And PSEXEC Getsystem Alternative

Elevation Station

Stealing and Duplicating SYSTEM tokens for fun & profit! We duplicate things, make twin copies, and then ride away.

You have used Metasploit's getsystem and SysInternals PSEXEC for getting system privs, correct? Well, here's a similar standalone version of that...but without the AV, at least for now.

This tool also enables you to become TrustedInstaller, similar to what Process Hacker/System Informer can do. This functionality is very new and was added in the latest code release and binary release as of 8/12/2023!

If you like this tool and would like to help support me in my efforts improving this solution and others like it, please feel free to hit me up on Patreon!

Quick rundown on commands

Bypass UAC and escalate from medium integrity to high (must be member of local admin group)

Become Trusted Installer!

Duplicate Process Escalation Method

Duplicate Thread Escalation Method

Named Pipes Escalation Method

Create Remote Thread Injection Method

What it does

ElevationStation is a privilege escalation tool. It works by borrowing from commonly used escalation techniques involving manipulating/duplicating process and thread tokens.

Why reinvent the wheel with yet another privilege escalation utility?

This was a combined effort between avoiding AV alerts using Metasploit and furthering my research into privilege escalation methods using tokens. In brief: My main goal here was to learn about token management and manipulation, and to effectively bypass AV. I knew there were other tools out there to achieve privilege escalation using token manip but I wanted to learn for myself how it all works.

So...How does it work?

Looking through the terribly organized code, you'll see I used two primary methods to get SYSTEM so far: stealing a Primary token from a SYSTEM level process, and stealing an Impersonation thread token from another SYSTEM level process and converting it to a primary token. That's the general approach at least.

CreateProcessAsUser versus CreateProcessWithToken

This was another driving force behind furthering my research. Unless one resorts to using named pipes for escalation, or injects a DLL into a SYSTEM level process, I couldn't see an easy way to spawn a SYSTEM shell within the same console AND meet token privilege requirements.

Let me explain...

When using CreateProcessWithToken, it ALWAYS spawns a separate cmd shell. As best I can tell, this "bug" is unavoidable. It is unfortunate, because CreateProcessWithToken doesn't demand much as far as token privileges are concerned. Yet, if you want a shell with this Windows API, you're going to have to resort to dealing with a new SYSTEM shell in a separate window.

That leads us to CreateProcessAsUser. I knew this would spawn a shell within the current shell, but I needed to find a way to achieve this without resorting to using a windows service to meet the token privilege requirements, namely:

  • SE_ASSIGNPRIMARYTOKEN_NAME TEXT("SeAssignPrimaryTokenPrivilege")
  • SE_INCREASE_QUOTA_NAME TEXT("SeIncreaseQuotaPrivilege")

I found a way around that...stealing tokens from SYSTEM process threads :) We duplicate the thread IMPERSONATION token, set the thread token, and then convert it to primary and then re-run our enable privileges function. This time, the enabling of the two privileges above succeeds and we are presented with a shell within the same console using CreateProcessAsUser. No dll injections, no named pipe impersonations, just token manipulation/duplication.
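From the defender's side, the same-console SYSTEM shell described above leaves a recognizable process-creation record: a child running as SYSTEM whose parent runs as an ordinary user. The following detection heuristic is an added example, not part of ElevationStation; it assumes Sysmon-style Event ID 1 records that carry the ParentUser field, and every sample record, account and path in it is constructed.

```python
# Added example (not ElevationStation code). Records mimic Sysmon Event ID 1
# (process creation) fields; every value below is constructed for illustration.
SYSTEM = "NT AUTHORITY\\SYSTEM"

def ev(image, user, session, parent_image, parent_user):
    """Build one constructed process-creation record."""
    return {"Image": image, "User": user, "TerminalSessionId": session,
            "ParentImage": parent_image, "ParentUser": parent_user}

SAMPLE_EVENTS = [
    # Service control manager starting a service host: SYSTEM parent, session 0.
    ev(r"C:\Windows\System32\svchost.exe", SYSTEM, 0,
       r"C:\Windows\System32\services.exe", SYSTEM),
    # Ordinary user shell: child and parent share the same user.
    ev(r"C:\Windows\System32\cmd.exe", r"LAB\alice", 1,
       r"C:\Windows\explorer.exe", r"LAB\alice"),
    # SYSTEM shell in the user's console session under a user-owned parent.
    ev(r"C:\Windows\System32\cmd.exe", SYSTEM, 1,
       r"C:\Users\alice\Desktop\placeholder.exe", r"LAB\alice"),
    # Record without ParentUser (older schema): the comparison cannot be made.
    ev(r"C:\Windows\System32\cmd.exe", SYSTEM, 1,
       r"C:\Windows\System32\cmd.exe", None),
]

def classify(event):
    """Return (verdict, reasons) for one process-creation record."""
    if (event.get("User") or "").upper() != SYSTEM:
        return "ok", []                      # only SYSTEM children are of interest
    parent_user = event.get("ParentUser")
    if not parent_user or parent_user == "-":
        return "unknown", ["ParentUser absent; parent/child comparison skipped"]
    if parent_user.upper() == SYSTEM:
        return "ok", []                      # SYSTEM creating SYSTEM is routine
    reasons = [f"SYSTEM child {event['Image']} created by {parent_user} "
               f"({event['ParentImage']})"]
    if event.get("TerminalSessionId", 0) != 0:
        reasons.append("SYSTEM process running in an interactive session")
    return "alert", reasons

def triage(events):
    """Verdicts only, in input order."""
    return [classify(e)[0] for e in events]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict, reasons = classify(e)
        print(verdict, e["Image"], *reasons, sep=" | ")
```

The "unknown" verdict matters in practice: records that lack the parent's user cannot be cleared by this rule and need a different data source.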


This has come a long way so far...and I'll keep adding to it and cleaning up the code as time permits me to do so. Thanks for all the support and testing!