
On Windows, privileges are one of the main limits placed on user accounts, which has made them a target for malware authors and hackers alike. Over time several methods for gaining access to passwords and accounts have emerged; a few examples are "Mimikatz", "Rotten Potato", "winPEAS", "Seatbelt" and BYOVD (Bring Your Own Vulnerable Driver) attacks.


Description

ErroxPerms is a project designed to go from a basic local user to NT AUTHORITY\SYSTEM (NT\AUTH). NT\AUTH is the highest-privileged account on Windows and is not available to users; it can access anything it wants within user space, which for most attacks is the end goal. This project has the potential to cause major damage to computer systems and local devices, so I will not be displaying the entirety of its code until it has passed approval for publication from others.

This project is currently in development, meaning this page may be behind on information.

Project Creation

The reason this project was created in the first place is that one person I know was having tech issues. Their issue was not being able to get past the UAC (User Account Control) prompt on a laptop that was bought at a pawn shop. After doing some digging, I was able to find methods for bypassing the UAC prompt to install software she wanted. However, because we were in different locations, I was not able to attack the system locally, meaning I had to create a program to do it for me.

Early development

In the early stages of development this project took a different stance, going for a single attack method to gain access to NT\AUTH, that being Windows services. However, I quickly realized that this was not enough to bypass the security on Windows 11 systems, meaning that the program would have to be more diverse in what it attacked. The reason that the first iteration would fail is the default security on Windows services: services execute local files when starting, but those files are usually inside protected directories, some of those being "Program Files", "Program Files (x86)" and "Windows". Below is a layout of how an attack would work using a service binary replacement method:

  1. Enumerate all services
  2. Filter out non-SYSTEM services
  3. Filter out services that don't run on startup
  4. Check the directory of service binary
  5. Replace service binary with a custom one

While this attack method works very well when its conditions are met, those conditions are rarely met at all. This is due to how secure Windows services are by default: a service would have to be running a binary from a path that someone deliberately left unprotected, which is rare to see on live systems outside of CTF events.
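The same conditions that steps 1 through 4 enumerate are what an administrator should audit for, so here is a defender-side check written for this page (it is an added example, not ErroxPerms code). It lists auto-start services running as LocalSystem whose binary sits outside the protected roots named above and reports any write or modify rights granted to broad groups on the binary or its folder, so the ACL can be tightened; the protected-root list and the group-name pattern are assumptions you may need to extend.

```powershell
# Defender audit (added example, not ErroxPerms code): flag auto-start LocalSystem services
# whose binary lives outside the protected system directories, and report whether broad
# principals hold write/modify rights on that file or its parent folder.
$protected = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }

# Assumed list of "broad" principals; extend for your environment.
$broadGroups = 'Users|Everyone|Authenticated Users|INTERACTIVE'
# Rights that allow replacing file contents (word boundaries avoid matching WriteAttributes).
$writeRights = '\b(Write|WriteData|CreateFiles|Modify|FullControl)\b'

$svcs = Get-CimInstance Win32_Service | Where-Object {
    $_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' -and $_.PathName
}

foreach ($svc in $svcs) {
    # Strip surrounding quotes and trailing arguments to recover the executable path.
    $raw = $svc.PathName.Trim()
    if ($raw.StartsWith('"')) { $exe = $raw.Split('"')[1] } else { $exe = ($raw -split ' ')[0] }

    # Skip binaries under the protected roots; those are the common, well-secured case.
    $inProtected = $protected | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
    if ($inProtected) { continue }

    # Outside the protected roots: inspect the ACL of the binary and its directory.
    $weak = @()
    foreach ($target in @($exe, (Split-Path $exe -Parent))) {
        try { $acl = Get-Acl -Path $target -ErrorAction Stop } catch { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference -match $broadGroups -and
                $ace.FileSystemRights.ToString() -match $writeRights) {
                $weak += "$target -> $($ace.IdentityReference): $($ace.FileSystemRights)"
            }
        }
    }

    [pscustomobject]@{
        Service  = $svc.Name
        Binary   = $exe
        WeakACLs = ($weak -join '; ')
        Finding  = if ($weak) { 'REMEDIATE: restrict write access to Administrators and SYSTEM' }
                   else       { 'Review: outside protected roots, but no broad write rights found' }
    }
}
```

Run it from an elevated PowerShell session so Get-Acl can read every service directory; any line marked REMEDIATE is a service that a low-privileged user could tamper with before it starts as SYSTEM.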

Special thanks to:

And I do really mean thanks. Due to your support, testing, and advice regarding my programs it is possible that I even program! If it wasn't for your help, I would be working towards becoming an auto mechanic (it's true).