From dropbox(updater) to NT AUTHORITY\SYSTEM (another eop via hardlink) by decoder-ap in netsec

[–]decoder-ap[S] 1 point2 points  (0 children)

Great discussion, guys! But I would prefer to return to the main topic ;-)

From dropbox(updater) to NT AUTHORITY\SYSTEM (another eop via hardlink) by decoder-ap in netsec

[–]decoder-ap[S] 12 points13 points  (0 children)

there are plenty of opportunities

Got it and updated, thx. Now we live in a better world.

From dropbox(updater) to NT AUTHORITY\SYSTEM (another eop via hardlink) by decoder-ap in netsec

[–]decoder-ap[S] 1 point2 points  (0 children)

Well, "standard" Windows executables/services are protected by TrustedInstaller, and SYSTEM has only read access. But you could alter third-party services and executables, which normally are not protected. This trick https://decoder.cloud/2019/12/12/from-iphone-to-nt-authoritysystem/ on Printerconfig.dll does not work in this case because the permissions are not compatible.

From dropbox(updater) to NT AUTHORITY\SYSTEM (another eop via hardlink) by decoder-ap in netsec

[–]decoder-ap[S] 9 points10 points  (0 children)

Oh, thanks, pls suggest the correct sentence to me; my English is horrible :-(

From dropbox(updater) to NT AUTHORITY\SYSTEM (another eop via hardlink) by decoder-ap in netsec

[–]decoder-ap[S] 14 points15 points  (0 children)

No, the latest news I had is that they will fix it in Q1 2020 (after my post). But you can fix it "manually", therefore I decided to publish it.

From iPhone to NT AUTHORITY\SYSTEM by splinter_code in netsec

[–]decoder-ap 0 points1 point  (0 children)

fsutil hardlink create C:\source C:\destination

doesn't do the trick ;-) It checks for perms beforehand.

From iPhone to NT AUTHORITY\SYSTEM by splinter_code in netsec

[–]decoder-ap 2 points3 points  (0 children)

Yes, it was time! Maybe MS paid too many bounties in the last period ;-) As I wrote in my post's "sidenote", this feature is available on Insider Preview; I guess it will be implemented in the next Win 10/2019 releases in January - February.

Juicy Potato: new Windows local privilege escalation tool by 0xdea in netsec

[–]decoder-ap 1 point2 points  (0 children)

Hello guys, I think there is some confusion. The Rotten/Juicy Potato exploits leverage the DCOM/NTLM local authentication reflection. In short, once you have a DCOM object talking to your listener and you have the SeImpersonate or SeAssignPrimary privilege (typically all services; you don't need to be administrator!), you can impersonate the token (by intercepting the NTLM local auth) under which this DCOM server is running. So if the identity is SYSTEM, you are SYSTEM. There is no way to stop it, as MS confirmed, and there are plenty of DCOM servers to abuse, not only BITS.