Windows Privilege Escalation via Token Kidnapping
If you have access to a box as nt authority\network service (for example, you have managed to upload an ASP.NET shell), you can easily elevate your privileges on the box.
I’m against uploading binaries to the boxes (but still, it’s my favourite part), but as far as I know there’s no Metasploit module for that, so we have no choice. You can download the exploit here and compile it yourself, or you can use the one from sqlninja, which is located at /usr/share/sqlninja/apps/churrasco.exe. It’s used by sqlninja in cases when we brute-forced
After uploading it you can easily elevate your privileges (I tested it on Windows Server 2003). By entering:
churrasco.bin "net user oscp oscp /add && net localgroup Administrators oscp /add"
you create an administrator account.
You can read about this vulnerability on the Microsoft website:
This security update is rated Important for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.