PrivKit – Simple Beacon Object File That Detects Privilege Escalation Vulnerabilities Caused By Misconfigurations On Windows OS
## Description

[![](https://blogger.googleusercontent.com/img/a/AVvXsEhUuZJSO5HgKHDxtpT1g2u_BQda5hzIsSp1YjJULHZCocCr-A3VoEJ1VTFcqtVvv2BvPxPT3KescAdRA2bRwV93-Ri9DnmpSBpipFvc_mLkSZze8xSPPhhBblfTvkf30ne1vJ8w6XN1qJb3r08Uf5ycfFaSpBUvwDdLxlUKMuqQbKmDPkSEwSRHESTCS_kn=w640-h302)]()

PrivKit is a simple beacon object file that detects privilege escalation vulnerabilities caused by misconfigurations on Windows OS.

## PrivKit detects the following misconfigurations

- Checks for Unquoted Service Paths
- Checks for Autologon Registry Keys
- Checks for Always Install Elevated Registry Keys
- Checks for Modifiable Autoruns
- Checks for Hijackable Paths
- Enumerates Credentials From Credential Manager
- Looks for current Token Privileges

## Usage

```
[03/20 00:51:06] beacon> privcheck
[03/20 00:51:06] [*] Priv Esc Check Bof by @merterpreter
[03/20 00:51:06] [*] Checking For Unquoted Service Paths..
[03/20 00:51:06] [*] Checking For Autologon Registry Keys..
[03/20 00:51:06] [*] Checking For Always Install Elevated Registry Keys..
[03/20 00:51:06] [*] Checking For Modifiable Autoruns..
[03/20 00:51:06] [*] Checking For Hijackable Paths..
[03/20 00:51:06] [*] Enumerating Credentials From Credential Manager..
[03/20 00:51:06] [*] Checking For Token Privileges..
[03/20 00:51:06] [+] host called home, sent: 10485 bytes
[03/20 00:51:06] [+] received output:
Unquoted Service Path Check Result: Vulnerable service path found: c:\program files (x86)\grasssoft\macro expert\MacroService.exe
```
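
For defenders auditing their own hosts, the following added example (not PrivKit's source code) shows the string test behind an "unquoted service path" finding like the one in the output above. The function name and sample values are assumptions made for illustration, and the first sample is the path from the output with its backslashes restored.

```c
#include <ctype.h>
#include <stdio.h>

/* 1 if s begins with ".exe" (any case) and the file name ends right there. */
static int exe_ends_here(const char *s)
{
    static const char ext[] = ".exe";
    for (int i = 0; i < 4; i++)
        if (tolower((unsigned char)s[i]) != ext[i])
            return 0;
    return s[4] == '\0' || s[4] == ' ' || s[4] == '\t';
}

/* 1 if a service ImagePath is unquoted and has a space inside the executable
 * path (spaces that only separate arguments do not count), else 0. */
int is_unquoted_service_path(const char *image_path)
{
    const char *p, *end = NULL;

    if (image_path == NULL)
        return 0;
    while (*image_path == ' ' || *image_path == '\t')
        image_path++;
    if (*image_path == '"' || *image_path == '\0')
        return 0;                       /* quoted or empty: not affected */

    for (p = image_path; *p != '\0' && end == NULL; p++)
        if (exe_ends_here(p))
            end = p + 4;                /* one past ".exe" */
    if (end == NULL)
        return 0;   /* assumption: no .exe boundary, first space ends the path */

    for (p = image_path; p < end; p++)
        if (*p == ' ')
            return 1;
    return 0;
}

int main(void)
{
    /* First entry is from the output above; the others are constructed. */
    const char *samples[] = {
        "c:\\program files (x86)\\grasssoft\\macro expert\\MacroService.exe",
        "\"C:\\Program Files\\Vendor\\svc.exe\" -run",
        "C:\\Windows\\System32\\svchost.exe -k netsvcs",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s %s\n", is_unquoted_service_path(samples[i]) ? "UNQUOTED" : "ok", samples[i]);
    return 0;
}
```

A flagged entry is remediated by wrapping the executable portion of the service's ImagePath value in double quotes.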

Simply load the cna file and type `privcheck`.
If you want to compile it yourself, you can use:
`make all`
or
`x86_64-w64-mingw32-gcc -c cfile.c -o ofile.o`

If you want to look for just one misconfiguration, you can use its object file with `inline-execute`, for example:
`inline-execute /path/tokenprivileges.o`

![](https://blogger.googleusercontent.com/img/a/AVvXsEj5hd-qQTYGFw52FgK_0pVKkdyxGBQocZIkTtOUXRXEhAHM59uJYWVSOj1si9k3ADcVopYAcmEP7WVDfYKppTLgGmxSCDtj6XFVgYpgnUXu-ZtVxvlnmMwtQD7YE3NA1IhT-AmiK7OuwN38LgzMogCtYHXJljW-WtOk3-eN7t29m8E8On8mX1Fi9wdobpMW=w640-h322)

## Acknowledgement

Mr.Un1K0d3r – Offensive Coding Portal

Outflank – C2-Tool-Collection

dtmsecurity – Beacon Object File (BOF) Creation Helper

Microsoft 🙂

HsTechDocs by HelpSystems(Fortra)
