{"id":12907,"date":"2021-05-20T17:46:29","date_gmt":"2021-05-20T12:16:29","guid":{"rendered":"https:\/\/kalilinuxtutorials.com\/?p=12907"},"modified":"2021-05-20T17:46:29","modified_gmt":"2021-05-20T12:16:29","slug":"priv2admin","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/priv2admin\/","title":{"rendered":"Priv2Admin : Exploitation Paths Allowing You To (Mis)Use The Windows Privileges"},"content":{"rendered":"\n<p><strong>Priv2Admin <\/strong>idea is to &#8220;translate&#8221; Windows OS privileges to a path leading to:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>administrator,<\/li><li>integrity and\/or confidentiality threat,<\/li><li>availability threat,<\/li><li>just a mess.<\/li><\/ul>\n\n\n\n<p>Privileges are listed and explained at:&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/secauthz\/privilege-constants\">https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/secauthz\/privilege-constants<\/a><\/p>\n\n\n\n<p>If the goal can be achieved multiple ways, the priority is<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Using built-in commands<\/li><li>Using PowerShell (only if a working script exists)<\/li><li>Using non-OS tools<\/li><li>Using any other method<\/li><\/ul>\n\n\n\n<p>You can check your own privileges with&nbsp;<code>whoami \/priv<\/code>. Disabled privileges are as good as enabled ones. 
The only important thing is whether the privilege is on the list or not.<\/p>\n\n\n\n<p class=\"has-luminous-vivid-amber-background-color has-background\"><strong>Note 1:<\/strong>&nbsp;Whenever the attack path ends with a token creation, you can assume the next step is to create a new process using such a token and then take control over the OS.<\/p>\n\n\n\n<p class=\"has-luminous-vivid-amber-background-color has-background\"><strong>Note 2:<\/strong><br><strong>a.<\/strong>&nbsp;For calling&nbsp;<code>NtQuerySystemInformation()<\/code>\/<code>ZwQuerySystemInformation()<\/code>&nbsp;directly, you can find the required privileges&nbsp;<a href=\"https:\/\/github.com\/gtworek\/Priv2Admin\/blob\/master\/NtQuerySystemInformation.md\">here<\/a>.<br><strong>b.<\/strong>&nbsp;For&nbsp;<code>NtSetSystemInformation()<\/code>\/<code>ZwSetSystemInformation()<\/code>&nbsp;the required privileges are listed&nbsp;<a href=\"https:\/\/github.com\/gtworek\/Priv2Admin\/blob\/master\/NtSetSystemInformation.md\">here<\/a>.<\/p>\n\n\n\n<p class=\"has-luminous-vivid-amber-background-color has-background\"><strong>Note 3:<\/strong>&nbsp;I am focusing on the OS only. If a privilege works in AD but not in the OS itself, I am describing it as not used in the OS. It would be nice if someone digs deeper into AD-oriented scenarios.<\/p>\n\n\n\n<p>Feel free to contribute and\/or discuss the presented ideas.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Privilege<\/th><th>Impact<\/th><th>Tool<\/th><th>Execution path<\/th><th>Remarks<\/th><\/tr><\/thead><tbody><tr><td><code><strong>SeAssignPrimaryToken<\/strong><\/code><\/td><td><em><strong>Admin<\/strong><\/em><\/td><td>3rd party tool<\/td><td><em>&#8220;It would allow a user to impersonate tokens and privesc to nt system using tools such as potato.exe, rottenpotato.exe and juicypotato.exe&#8221;<\/em><\/td><td>Thank you&nbsp;<a href=\"https:\/\/twitter.com\/Defte_\">Aur\u00e9lien Chalot<\/a>&nbsp;for the update. 
I will try to re-phrase it to something more recipe-like soon.<\/td><\/tr><tr><td><code><strong>SeAudit<\/strong><\/code><\/td><td><strong>Threat<\/strong><\/td><td>3rd party tool<\/td><td>Write events to the Security event log to fool auditing or to overwrite old events.<\/td><td>Writing your own events is possible with the&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/authz\/nf-authz-authzreportsecurityevent\"><code><strong>AuthzReportSecurityEvent<\/strong><\/code><\/a>&nbsp;API.<\/td><\/tr><tr><td><code><strong>SeBackup<\/strong><\/code><\/td><td><em><strong>Admin<\/strong><\/em><\/td><td>3rd party tool<\/td><td>1. Back up the<strong>&nbsp;<code>HKLM\\SAM<\/code><\/strong>&nbsp;and&nbsp;<code><strong>HKLM\\SYSTEM<\/strong><\/code>&nbsp;registry hives<br>2. Extract the local account hashes from the&nbsp;<code><strong>SAM<\/strong><\/code>&nbsp;database<br>3. Pass-the-Hash as a member of the local&nbsp;<code><strong>Administrators<\/strong><\/code>&nbsp;group<br><br>Alternatively, it can be used to read sensitive files.<\/td><td>For more information, refer to the&nbsp;<strong><a href=\"https:\/\/github.com\/gtworek\/Priv2Admin\/blob\/master\/SeBackupPrivilege.md\"><code>SeBackupPrivilege<\/code>&nbsp;file<\/a>.<\/strong><\/td><\/tr><tr><td><code><strong>SeChangeNotify<\/strong><\/code><\/td><td>None<\/td><td>&#8211;<\/td><td>&#8211;<\/td><td>Privilege held by everyone. 
Revoking it may make the OS (Windows Server 2019) unbootable.<\/td><\/tr><tr><td><code><strong>SeCreateGlobal<\/strong><\/code><\/td><td>?<\/td><td>?<\/td><td>?<\/td><td><\/td><\/tr><tr><td><code><strong>SeCreatePagefile<\/strong><\/code><\/td><td>None<\/td><td><em><strong>Built-in commands<\/strong><\/em><\/td><td>Create hiberfil.sys, read it offline, look for sensitive data.<\/td><td>Requires offline access, which leads to admin rights anyway.<\/td><\/tr><tr><td><code><strong>SeCreatePermanent<\/strong><\/code><\/td><td>?<\/td><td>?<\/td><td>?<\/td><td><\/td><\/tr><tr><td><code><strong>SeCreateSymbolicLink<\/strong><\/code><\/td><td>?<\/td><td>?<\/td><td>?<\/td><td><\/td><\/tr><tr><td><code><strong>SeCreateToken<\/strong><\/code><\/td><td><em><strong>Admin<\/strong><\/em><\/td><td>3rd party tool<\/td><td>Create arbitrary token including local admin rights with&nbsp;<strong><code>NtCreateToken<\/code>.<\/strong><\/td><td><\/td><\/tr><tr><td><code><strong>SeDebug<\/strong><\/code><\/td><td><em><strong>Admin<\/strong><\/em><\/td><td><strong>PowerShell<\/strong><\/td><td>Duplicate the&nbsp;<code><strong>lsass.exe<\/strong><\/code>&nbsp;token.<\/td><td>Script to be found at&nbsp;<a href=\"https:\/\/github.com\/FuzzySecurity\/PowerShell-Suite\/blob\/master\/Conjure-LSASS.ps1\">FuzzySecurity<\/a><\/td><\/tr><tr><td><strong><code>SeDelegateSession-<\/code><br><code>UserImpersonate<\/code><\/strong><\/td><td>?<\/td><td>?<\/td><td>?<\/td><td>Privilege name broken to make the column narrow.<\/td><\/tr><tr><td><code><strong>SeEnableDelegation<\/strong><\/code><\/td><td>None<\/td><td>&#8211;<\/td><td>&#8211;<\/td><td>The privilege is not used in the Windows OS.<\/td><\/tr><tr><td><code><strong>SeImpersonate<\/strong><\/code><\/td><td><em><strong>Admin<\/strong><\/em><\/td><td>3rd party tool<\/td><td>Tools from the&nbsp;<em>Potato family<\/em>&nbsp;(potato.exe, rottenpotato.exe and juicypotato.exe), RogueWinRM, etc.<\/td><td>Similarly 
to&nbsp;<strong><code>SeAssignPrimaryToken<\/code>,<\/strong> this privilege by design allows creating a process under the security context of another user (using a handle to a token of said user).<br><br>Multiple tools and techniques may be used to obtain the required token.<\/td><\/tr><tr><td><code><strong>SeIncreaseBasePriority<\/strong><\/code><\/td><td>Availability<\/td><td><em><strong>Built-in commands<\/strong><\/em><\/td><td><code><strong>start \/realtime SomeCpuIntensiveApp.exe<\/strong><\/code><\/td><td>May be more interesting on servers.<\/td><\/tr><tr><td><code><strong>SeIncreaseQuota<\/strong><\/code><\/td><td>Availability<\/td><td>3rd party tool<\/td><td>Change CPU, memory, and cache limits to values that make the OS unbootable.<\/td><td>&#8211; Quotas are not checked in safe mode, which makes repair relatively easy.<br>&#8211; The same privilege is used for managing registry quotas.<\/td><\/tr><tr><td><code><strong>SeIncreaseWorkingSet<\/strong><\/code><\/td><td>None<\/td><td>&#8211;<\/td><td>&#8211;<\/td><td>Privilege held by everyone. Checked when calling fine-tuning memory management functions.<\/td><\/tr><tr><td><code><strong>SeLoadDriver<\/strong><\/code><\/td><td><em><strong>Admin<\/strong><\/em><\/td><td>3rd party tool<\/td><td>1. Load a buggy kernel driver such as&nbsp;<code><strong>szkg64.sys<\/strong><\/code><br>2. Exploit the driver vulnerability<br><br>Alternatively, the privilege may be used to unload security-related drivers with the&nbsp;<strong><code>fltMC<\/code>&nbsp;<\/strong>built-in command, e.g.:&nbsp;<code><strong>fltMC sysmondrv<\/strong><\/code><\/td><td>1. The&nbsp;<code><strong>szkg64<\/strong><\/code>&nbsp;vulnerability is listed as&nbsp;<a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-15732\">CVE-2018-15732<\/a><br>2. 
The&nbsp;<code><strong>szkg64<\/strong><\/code>&nbsp;<a href=\"https:\/\/www.greyhathacker.net\/?p=1025\">exploit code<\/a>&nbsp;was created by&nbsp;<a href=\"https:\/\/twitter.com\/parvezghh\">Parvez Anwar<\/a><\/td><\/tr><tr><td><code><strong>SeLockMemory<\/strong><\/code><\/td><td>Availability<\/td><td>3rd party tool<\/td><td>Starve the System memory partition by moving pages.<\/td><td>PoC published by&nbsp;<a href=\"https:\/\/twitter.com\/waleedassar\/status\/1296689615139676160\">Walied Assar (@waleedassar)<\/a><\/td><\/tr><tr><td><code><strong>SeMachineAccount<\/strong><\/code><\/td><td>None<\/td><td>&#8211;<\/td><td>&#8211;<\/td><td>The privilege is not used in the Windows OS.<\/td><\/tr><tr><td><code><strong>SeManageVolume<\/strong><\/code><\/td><td><em><strong>Admin<\/strong><\/em><\/td><td>3rd party tool<\/td><td>1. Enable the privilege in the token<br>2. Create a handle to \\\\.\\C: with&nbsp;<code><strong>SYNCHRONIZE | FILE_TRAVERSE<\/strong><\/code><br>3. Send&nbsp;<code><strong>FSCTL_SD_GLOBAL_CHANGE<\/strong><\/code>&nbsp;to replace&nbsp;<code><strong>S-1-5-32-544<\/strong><\/code>&nbsp;with&nbsp;<code><strong>S-1-5-32-545<\/strong><\/code><br>4. Overwrite utilman.exe etc.<\/td><td><code><strong>FSCTL_SD_GLOBAL_CHANGE<\/strong><\/code>&nbsp;can be made with this&nbsp;<a href=\"https:\/\/github.com\/gtworek\/PSBits\/blob\/master\/Misc\/FSCTL_SD_GLOBAL_CHANGE.c\">piece of code<\/a>.<\/td><\/tr><tr><td><code><strong>SeProfileSingleProcess<\/strong><\/code><\/td><td>None<\/td><td>&#8211;<\/td><td>&#8211;<\/td><td>The privilege is checked before changing (and, in a very limited set of commands, before querying) parameters of Prefetch, SuperFetch, and ReadyBoost. 
The impact may be adjusted, as the real effect is not known.<\/td><\/tr><tr><td><code><strong>SeRelabel<\/strong><\/code><\/td><td><strong>Threat<\/strong><\/td><td>3rd party tool<\/td><td>Modification of system files by a legitimate administrator?<\/td><td>See:&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/secauthz\/mandatory-integrity-control\">MIC documentation<\/a><br><br>Integrity labels are infrequently used and work only on top of standard ACLs. Two main scenarios include:<br>&#8211; protection against attacks using exploitable applications such as browsers, PDF readers etc.<br>&#8211; protection of OS files.<br><br>Attacks with SeRelabel must obey the access rules defined by ACLs, which makes them significantly less useful in practice.<\/td><\/tr><tr><td><code><strong>SeRemoteShutdown<\/strong><\/code><\/td><td>Availability<\/td><td><em><strong>Built-in commands<\/strong><\/em><\/td><td><code><strong>shutdown \/s \/f \/m \\\\server1 \/d P:5:19<\/strong><\/code><\/td><td>The privilege is verified when a shutdown\/restart request comes from the network. The 127.0.0.1 scenario is still to be investigated.<\/td><\/tr><tr><td><code><strong>SeReserveProcessor<\/strong><\/code><\/td><td>None<\/td><td>&#8211;<\/td><td>&#8211;<\/td><td>It looks like the privilege is no longer used; it appeared only in a couple of versions of winnt.h. You can see it listed, for example, in the source code published by Microsoft&nbsp;<a href=\"https:\/\/code.msdn.microsoft.com\/Effective-access-rights-dd5b13a8\/sourcecode?fileId=58676&amp;pathId=767997020\">here<\/a>.<\/td><\/tr><tr><td><code><strong>SeRestore<\/strong><\/code><\/td><td><em><strong>Admin<\/strong><\/em><\/td><td><strong>PowerShell<\/strong><\/td><td>1. Launch PowerShell\/ISE with the SeRestore privilege present.<br>2. Enable the privilege with&nbsp;<a href=\"https:\/\/github.com\/gtworek\/PSBits\/blob\/master\/Misc\/EnableSeRestorePrivilege.ps1\">Enable-SeRestorePrivilege<\/a>.<br>3. 
Rename utilman.exe to utilman.old<br>4. Rename cmd.exe to utilman.exe<br>5. Lock the console and press Win+U<\/td><td>The attack may be detected by some AV software.<br><br>An alternative method relies on replacing service binaries stored in &#8220;Program Files&#8221; using the same privilege.<\/td><\/tr><tr><td><code><strong>SeSecurity<\/strong><\/code><\/td><td><strong>Threat<\/strong><\/td><td><em><strong>Built-in commands<\/strong><\/em><\/td><td>&#8211; Clear the Security event log:<strong>&nbsp;<code>wevtutil cl Security<\/code><\/strong><br><br>&#8211; Shrink the Security log to 20MB so that events get flushed sooner:&nbsp;<code><strong>wevtutil sl Security \/ms:0<\/strong><\/code><br><br>&#8211; Read the Security event log to learn about processes, access and actions of other users within the system.<br><br>&#8211; Knowing what is logged in order to act under the radar.<br><br>&#8211; Knowing what is logged in order to generate a large number of events, effectively purging old ones without leaving obvious evidence of cleaning.<\/td><td><\/td><\/tr><tr><td><code><strong>SeShutdown<\/strong><\/code><\/td><td>Availability<\/td><td><em><strong>Built-in commands<\/strong><\/em><\/td><td><code><strong>shutdown.exe \/s \/f \/t 1<\/strong><\/code><\/td><td>Allows calling most of the NtPowerInformation() levels. 
To be investigated.<\/td><\/tr><tr><td><code><strong>SeSyncAgent<\/strong><\/code><\/td><td>None<\/td><td>&#8211;<\/td><td>&#8211;<\/td><td>The privilege is not used in the Windows OS.<\/td><\/tr><tr><td><code><strong>SeSystemEnvironment<\/strong><\/code><\/td><td><em>Unknown<\/em><\/td><td>3rd party tool<\/td><td>The privilege permits the use of&nbsp;<strong><code>NtSetSystemEnvironmentValue<\/code>,&nbsp;<code>NtModifyDriverEntry<\/code>&nbsp;<\/strong>and some other syscalls to manipulate UEFI variables.<\/td><td>&#8211; Firmware environment variables were commonly used on non-Intel platforms in the past, and are now slowly returning in the UEFI world.<br>&#8211; The area is highly undocumented.<br>&#8211; The potential may be huge (e.g. breaking Secure Boot), but raising the impact level requires at least a PoC.<\/td><\/tr><tr><td><code><strong>SeSystemProfile<\/strong><\/code><\/td><td>?<\/td><td>?<\/td><td>?<\/td><td><\/td><\/tr><tr><td><code><strong>SeSystemtime<\/strong><\/code><\/td><td><strong>Threat<\/strong><\/td><td><em><strong>Built-in commands<\/strong><\/em><\/td><td><strong><code>cmd.exe \/c date 01-01-01<\/code><br><code>cmd.exe \/c time 00:00<\/code><\/strong><\/td><td>The privilege allows changing the system time, potentially leading to audit trail integrity issues, as events will be stored with the wrong date\/time.<br>&#8211; Be careful with date\/time formats. Use always-safe values if not sure.<br>&#8211; Sometimes the name of the privilege uses an uppercase &#8220;T&#8221; and is referred to as&nbsp;<strong><code>SeSystemTime<\/code>.<\/strong><\/td><\/tr><tr><td><code><strong>SeTakeOwnership<\/strong><\/code><\/td><td><em><strong>Admin<\/strong><\/em><\/td><td><em><strong>Built-in commands<\/strong><\/em><\/td><td>1.<strong>&nbsp;<code>takeown.exe \/f \"%windir%\\system32\"<\/code><\/strong><br>2.&nbsp;<code><strong>icacls.exe \"%windir%\\system32\" \/grant \"%username%\":F<\/strong><\/code><br>3. Rename cmd.exe to utilman.exe<br>4. 
Lock the console and press Win+U<\/td><td>The attack may be detected by some AV software.<br><br>An alternative method relies on replacing service binaries stored in &#8220;Program Files&#8221; using the same privilege.<\/td><\/tr><tr><td><code><strong>SeTcb<\/strong><\/code><\/td><td><em><strong>Admin<\/strong><\/em><\/td><td>3rd party tool<\/td><td>Manipulate tokens to have local admin rights included.<\/td><td>Sample code+exe creating arbitrary tokens can be found at&nbsp;<a href=\"https:\/\/github.com\/gtworek\/PSBits\/tree\/master\/VirtualAccounts\">PsBits<\/a>.<\/td><\/tr><tr><td><code><strong>SeTimeZone<\/strong><\/code><\/td><td>Mess<\/td><td><em><strong>Built-in commands<\/strong><\/em><\/td><td>Change the timezone:<strong>&nbsp;<code>tzutil \/s \"Chatham Islands Standard Time\"<\/code><\/strong><\/td><td><\/td><\/tr><tr><td><code><strong>SeTrustedCredManAccess<\/strong><\/code><\/td><td>?<\/td><td>?<\/td><td>?<\/td><td><\/td><\/tr><tr><td><code><strong>SeUndock<\/strong><\/code><\/td><td>None<\/td><td>&#8211;<\/td><td>&#8211;<\/td><td>The privilege is enabled when undocking, but it has never been observed being checked to grant\/deny access. 
In practice it means it is actually unused and cannot lead to any escalation.<\/td><\/tr><tr><td><code><strong>SeUnsolicitedInput<\/strong><\/code><\/td><td>None<\/td><td>&#8211;<\/td><td>&#8211;<\/td><td>The privilege is not used in the Windows OS.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button is-style-outline is-style-outline--1\"><a class=\"wp-block-button__link has-vivid-cyan-blue-background-color has-background\" href=\"https:\/\/github.com\/gtworek\/Priv2Admin\"><strong>Download<\/strong><\/a><\/div>\n<\/div>\n","protected":false}}
Exploit Overview The exploit leverages\u00a0the BufferOverflowNonPagedPoolNx vulnerability\u00a0to create a\u00a0\"ghost chunk\"\u00a0through\u00a0Aligned Chunk Confusion\u00a0in\u2026","rel":"","context":"In &quot;Exploitation Tools&quot;","block_context":{"text":"Exploitation Tools","link":"https:\/\/kalilinuxtutorials.com\/category\/et\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiE-Ce3NzoShcEwm3_AXdXz59oNYc3nUY_31Vv3qKZJb307laClpMiyqa22MDQbA2aRBVEo1HAnWT7a0lgoF4iLEwbTHdRnvD_lwiSTL95epYIx1kSr4bJhRLXIRd8C7F7rulZlRFdUOlUtznGOEnXjz5VN6pYloKwwsHN6p_CK5T30xTf1eGxFYGrcW1gO\/s16000\/HackSys%20Extreme%20Vulnerable%20Driver%20%28HEVD%29%20-%20BufferOverflowNonPagedPoolNx%20Exploit.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiE-Ce3NzoShcEwm3_AXdXz59oNYc3nUY_31Vv3qKZJb307laClpMiyqa22MDQbA2aRBVEo1HAnWT7a0lgoF4iLEwbTHdRnvD_lwiSTL95epYIx1kSr4bJhRLXIRd8C7F7rulZlRFdUOlUtznGOEnXjz5VN6pYloKwwsHN6p_CK5T30xTf1eGxFYGrcW1gO\/s16000\/HackSys%20Extreme%20Vulnerable%20Driver%20%28HEVD%29%20-%20BufferOverflowNonPagedPoolNx%20Exploit.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiE-Ce3NzoShcEwm3_AXdXz59oNYc3nUY_31Vv3qKZJb307laClpMiyqa22MDQbA2aRBVEo1HAnWT7a0lgoF4iLEwbTHdRnvD_lwiSTL95epYIx1kSr4bJhRLXIRd8C7F7rulZlRFdUOlUtznGOEnXjz5VN6pYloKwwsHN6p_CK5T30xTf1eGxFYGrcW1gO\/s16000\/HackSys%20Extreme%20Vulnerable%20Driver%20%28HEVD%29%20-%20BufferOverflowNonPagedPoolNx%20Exploit.webp?resize=525%2C300&ssl=1 1.5x, 
https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiE-Ce3NzoShcEwm3_AXdXz59oNYc3nUY_31Vv3qKZJb307laClpMiyqa22MDQbA2aRBVEo1HAnWT7a0lgoF4iLEwbTHdRnvD_lwiSTL95epYIx1kSr4bJhRLXIRd8C7F7rulZlRFdUOlUtznGOEnXjz5VN6pYloKwwsHN6p_CK5T30xTf1eGxFYGrcW1gO\/s16000\/HackSys%20Extreme%20Vulnerable%20Driver%20%28HEVD%29%20-%20BufferOverflowNonPagedPoolNx%20Exploit.webp?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiE-Ce3NzoShcEwm3_AXdXz59oNYc3nUY_31Vv3qKZJb307laClpMiyqa22MDQbA2aRBVEo1HAnWT7a0lgoF4iLEwbTHdRnvD_lwiSTL95epYIx1kSr4bJhRLXIRd8C7F7rulZlRFdUOlUtznGOEnXjz5VN6pYloKwwsHN6p_CK5T30xTf1eGxFYGrcW1gO\/s16000\/HackSys%20Extreme%20Vulnerable%20Driver%20%28HEVD%29%20-%20BufferOverflowNonPagedPoolNx%20Exploit.webp?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiE-Ce3NzoShcEwm3_AXdXz59oNYc3nUY_31Vv3qKZJb307laClpMiyqa22MDQbA2aRBVEo1HAnWT7a0lgoF4iLEwbTHdRnvD_lwiSTL95epYIx1kSr4bJhRLXIRd8C7F7rulZlRFdUOlUtznGOEnXjz5VN6pYloKwwsHN6p_CK5T30xTf1eGxFYGrcW1gO\/s16000\/HackSys%20Extreme%20Vulnerable%20Driver%20%28HEVD%29%20-%20BufferOverflowNonPagedPoolNx%20Exploit.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":6648,"url":"https:\/\/kalilinuxtutorials.com\/juicy-potato-sugared-version-rottenpotatong\/","url_meta":{"origin":12907,"position":3},"title":"Juicy Potato : A Sugared Version Of RottenPotatoNG, With A Bit Of Juice","author":"R K","date":"December 27, 2022","format":false,"excerpt":"Juicy Potato is a sugared version of\u00a0RottenPotatoNG, with a bit of juice, i.e.\u00a0another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\\SYSTEM. Summary RottenPotatoNG\u00a0and its\u00a0variants\u00a0leverages the privilege escalation chain based on\u00a0BITS\u00a0service\u00a0having the MiTM listener on\u00a0127.0.0.1:6666\u00a0and when you have\u00a0SeImpersonate\u00a0or\u00a0SeAssignPrimaryToken\u00a0privileges. 
During a Windows build review we found a setup\u2026","rel":"","context":"In &quot;Kali Linux&quot;","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"Juicy Potato : A Sugared Version Of RottenPotatoNG, With A Bit Of Juice","src":"https:\/\/i0.wp.com\/1.bp.blogspot.com\/-lR4S3aLwM5I\/XYsQt7_k94I\/AAAAAAAACo8\/6y0GyBKLxbcN49FGbpUQYGqZfW5GiRJUQCLcBGAsYHQ\/s1600\/Example-1%25252B%252525281%25252529.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/1.bp.blogspot.com\/-lR4S3aLwM5I\/XYsQt7_k94I\/AAAAAAAACo8\/6y0GyBKLxbcN49FGbpUQYGqZfW5GiRJUQCLcBGAsYHQ\/s1600\/Example-1%25252B%252525281%25252529.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/1.bp.blogspot.com\/-lR4S3aLwM5I\/XYsQt7_k94I\/AAAAAAAACo8\/6y0GyBKLxbcN49FGbpUQYGqZfW5GiRJUQCLcBGAsYHQ\/s1600\/Example-1%25252B%252525281%25252529.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/1.bp.blogspot.com\/-lR4S3aLwM5I\/XYsQt7_k94I\/AAAAAAAACo8\/6y0GyBKLxbcN49FGbpUQYGqZfW5GiRJUQCLcBGAsYHQ\/s1600\/Example-1%25252B%252525281%25252529.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":31496,"url":"https:\/\/kalilinuxtutorials.com\/elevation-station\/","url_meta":{"origin":12907,"position":4},"title":"Elevation Station: Mastering Privilege Escalation with Advanced Token Manipulation Techniques","author":"Varshini","date":"December 11, 2023","format":false,"excerpt":"ElevationStation is a privilege escalation tool. It works by borrowing from commonly used escalation techniques involving manipulating\/duplicating process and thread tokens. Why reinvent the wheel with yet another privilege escalation utility? 
This was a combined effort between avoiding AV alerts using Metasploit and furthering my research into privilege escalation methods\u2026","rel":"","context":"In &quot;Cyber security&quot;","block_context":{"text":"Cyber security","link":"https:\/\/kalilinuxtutorials.com\/category\/cyber-security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg0UqVOWbAviiRN1KePdZGerUWQvDYtuuyDT2VQRMH0WcTCeE2VEtWbKIYMPoxqzX6iUVvjjQSAfZ2xiC4K4VekkXX7Ki_yENEj-wfoTdWKAJkQ0XoLaj7uGUVH0yzmzuypNj95M3vWEIWjbFY1oyeN6ZSu4GfgHea_dBhbMGoG7H1cAkeIcDmahyphenhyphen-oHA\/s16000\/Elevation%20Station.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg0UqVOWbAviiRN1KePdZGerUWQvDYtuuyDT2VQRMH0WcTCeE2VEtWbKIYMPoxqzX6iUVvjjQSAfZ2xiC4K4VekkXX7Ki_yENEj-wfoTdWKAJkQ0XoLaj7uGUVH0yzmzuypNj95M3vWEIWjbFY1oyeN6ZSu4GfgHea_dBhbMGoG7H1cAkeIcDmahyphenhyphen-oHA\/s16000\/Elevation%20Station.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg0UqVOWbAviiRN1KePdZGerUWQvDYtuuyDT2VQRMH0WcTCeE2VEtWbKIYMPoxqzX6iUVvjjQSAfZ2xiC4K4VekkXX7Ki_yENEj-wfoTdWKAJkQ0XoLaj7uGUVH0yzmzuypNj95M3vWEIWjbFY1oyeN6ZSu4GfgHea_dBhbMGoG7H1cAkeIcDmahyphenhyphen-oHA\/s16000\/Elevation%20Station.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg0UqVOWbAviiRN1KePdZGerUWQvDYtuuyDT2VQRMH0WcTCeE2VEtWbKIYMPoxqzX6iUVvjjQSAfZ2xiC4K4VekkXX7Ki_yENEj-wfoTdWKAJkQ0XoLaj7uGUVH0yzmzuypNj95M3vWEIWjbFY1oyeN6ZSu4GfgHea_dBhbMGoG7H1cAkeIcDmahyphenhyphen-oHA\/s16000\/Elevation%20Station.webp?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":7261,"url":"https:\/\/kalilinuxtutorials.com\/gcpbucketbrute-enumerate-google-storage-buckets\/","url_meta":{"origin":12907,"position":5},"title":"GCPBucketBrute  : A Script To Enumerate Google Storage Buckets","author":"R K","date":"November 14, 
2019","format":false,"excerpt":"GCPBucketBrute is a script to enumerate Google Storage buckets, determine what access you have to them, and determine if they can be privilege escalated. This script (optionally) accepts GCP user\/service account credentials and a keyword.Then, a list of permutations will be generated from that keyword which will then be used\u2026","rel":"","context":"In &quot;Kali Linux&quot;","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/12907","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/comments?post=12907"}],"version-history":[{"count":0,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/12907\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/media\/16818"}],"wp:attachment":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/media?parent=12907"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/categories?post=12907"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/tags?post=12907"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}