Awesome

awesome_windows_logical_bugs

Created this repo for the people who want to learn about windows logical privilege escalation bugs. <br>And also I added some of my findings. You can contact me via @404death to add good article which I missed. <br> work in progress (WIP) , I'm always update this repo when the new bugs release. <br>

Escalation of Privileges (Vulnerabilities and Other Research):

• Windows logical EoP Bugs

Privileged File Operations Bugs To SYSTEM shell (Techniques):

• Arbitrary Directory Deletion to SYSTEM shell
• Arbitrary File create/write to SYSTEM shell
• Arbitrary Directory creation to SYSTEM shell

Service account to SYSTEM privilege (Token Impersonation) :

• service2system Privileged access

Tools:

• James Forshaw’s purpose-built tools & libraries
  • https://github.com/googleprojectzero/symboliclink-testing-tools
  • https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools
• Windows built-in tools (powershell, cmd, filesystem utilities)
• SysInternals

Research by James Forshaw / Google Project Zero

• https://googleprojectzero.blogspot.com/2015/08/windows-10hh-symbolic-link-mitigations.html
• https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html
• https://googleprojectzero.blogspot.com/2016/02/the-definitive-guide-on-win32-to-nt.html
• https://googleprojectzero.blogspot.com/2017/08/windows-exploitation-tricks-arbitrary.html
• https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html
• https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20James%20Forshaw%20-%20A%20Link%20to%20the%20Past.pdf
• https://vimeo.com/133002251

Thank to:

@tiraniddo @SandboxBear @jonasLyk @itm4n @decoder_it @enigma0x3 @padovah4ck @clavoillotte @PsiDragon @edwardzpeng

suggestion : If you want to deep dive about windows, go first to Windows Internal ebook