In the realm of cybersecurity, understanding and exploiting Windows APIs is pivotal for both defenders and attackers. In this article, we delve into the intricacies of the ZwCreateToken() API and explore how it can be exploited to obtain a coveted SYSTEM token with full privileges.
Through a step-by-step walkthrough, we will uncover the techniques and tools used in this exploit, shedding light on the potential risks it poses and the importance of safeguarding against such vulnerabilities.
PoCs to get full privileged SYSTEM token with ZwCreateToken() API.
PS C:\> sc.exe create CreateToken type= kernel binpath= C:\Dev\CreateTokenDrv_x64.sys
PS C:\> sc.exe start CreateTokenClient program performs NT AUTHORITY\SYSTEM process execution.
PS C:\Dev> .\CreateTokenClient.exe -h
CreateTokenClient - Client for CreateTokenDrv.
Usage: CreateTokenClient.exe [Options]
-h, --help : Displays this help message.
-c, --command : Specifies command to execute. Default is "cmd.exe".Journalists use OSINT to verify public information before publishing. In 2026, misinformation, AI-generated images, fake…
Docker is an open-source platform that lets you package and run applications inside containers. Each container…
PostgreSQL (often called Postgres) is an open-source relational database system. It supports advanced features like JSON…
Xrdp is an open-source server that lets you connect to your Ubuntu machine from another computer…
Apache Tomcat is an open-source web server and Java servlet container. It is one of the…
Keeping your Ubuntu system updated is one of the best ways to protect it. Security…