Share this page!

🥝 Benjamin Delpy Profile picture
Twitter logo
20 Jul, 5 tweets, 3 min read
Q: what can you do when you have #mimikatz🥝 & some Read access on Windows system files like SYSTEM, SAM and SECURITY?

A: Local Privilege Escalation 🥳

Thank you @jonasLyk for this Read access on default Windows😘
Ho, and this is not only SAM, but also SYSTEM & SECURITY.
So you can find "interesting" data, like:
- default windows install password (can be valid, trust me 👍)
- DPAPI computer keys (decrypt all computer private keys, etc.)
- Computer Machine account (silver ticket)
- ...
Affected versions / Not affected versions on my tests today:
And the usual video quality link: video.twimg.com/tweet_video/E6…
I saw a lots of tweet about tools or some lolbin around it

You know that it works with [System.IO.File]::Copy() ?

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with 🥝 Benjamin Delpy

🥝 Benjamin Delpy Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @gentilkiwi

🥝 Benjamin Delpy Profile picture
17 Jul
Want to test #printnightmare (ep 4.x) user-to-system as a service?🥝
(POC only, will write a log file to system32)

connect to \\printnightmare.gentilkiwi.com with
- user: .\gentilguest
- password: password

Open 'Kiwi Legit Printer - x64', then 'Kiwi Legit Printer - x64 (another one)'
You can prevent this behavior by settings some parameters/GPO:

'Package Point and print - Approved servers'
> docs.microsoft.com/troubleshoot/w…
> admx.help/?Category=Wind…

Of course, disable outbound access to CIFS/SMB/RPC...
Very bad impersonation when: docs.microsoft.com/windows-hardwa…
Read 5 tweets
🥝 Benjamin Delpy Profile picture
30 Jun
This #printnightmare / CVE-2021-1675 is really serious 🤪

Just adapted/simplified original POC then:
*From Remote standard user to SYSTEM*

Here on a domain controller, but valid on all systems with RPC to spooler available, remote or local

➡️ disable service now (no patch yet)
As usual, video quality: video.twimg.com/tweet_video/E5…
Yes, DC is 2019 and fully patched
And 'localspl.dll' is 06/06/2021 (10.0.17763.1999)

@byt3bl33d3r @allevon412 @PythonResponder

But to be transparent, I don't have a recent CPU & TPM 2.0
That might be the problem, @msftsecurity, isn't it?
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @gentilkiwi has new unrolls!

Check out other threads from @gentilkiwi!

Read all threads by @gentilkiwi

:(