search

πŸ”„Communication with Processes

hashtag
🎯 Overview

Process communication analysis focuses on identifying privilege escalation opportunities through running services and inter-process communication. Processes running with elevated privileges, especially those accessible via network services or named pipes, can provide direct escalation paths.

hashtag
πŸ”‘ Access Tokens

hashtag
Concept

  • Access tokens describe the security context of processes/threads

  • Contain user identity and privilege information

  • Token presentation occurs with every process interaction

  • Token inheritance from parent processes

Key Token Privileges:

  • SeImpersonatePrivilege - Rogue/Juicy/Lonely Potato attacks

  • SeAssignPrimaryTokenPrivilege - Token manipulation

  • SeDebugPrivilege - Process debugging and memory access

hashtag
🌐 Network Service Enumeration

hashtag
Active Connections Analysis

hashtag
Target Service Categories

🎯 High-Value Services:

  • Port 21 - FTP (FileZilla Server)

  • Port 80/8080 - Web servers (IIS, XAMPP, Tomcat)

  • Port 3389 - RDP

  • Port 5985/5986 - WinRM

  • Port 1433 - MSSQL

πŸ” Localhost-Only Services:

hashtag
Service-to-Process Mapping

hashtag
πŸ”„ Named Pipes

hashtag
Concept

  • Named pipes enable inter-process communication via shared memory

  • Client-server model - creator is server, communicator is client

  • Communication types:

    • Half-duplex - One-way (client β†’ server)

    • Full-duplex - Two-way communication

hashtag
Named Pipe Enumeration

hashtag
Using Pipelist (Sysinternals)

hashtag
Using PowerShell

hashtag
Named Pipe Security Analysis

hashtag
Permission Enumeration with AccessChk

hashtag
Dangerous Permission Patterns

hashtag
🚨 Common Attack Vectors

hashtag
Web Server Exploitation

Scenario: IIS/XAMPP running as privileged user

hashtag
FileZilla Server Attack

Scenario: Admin interface on localhost:14147

hashtag
Splunk Universal Forwarder

Scenario: Default configuration without authentication

  • Default behavior: Runs as SYSTEM

  • Attack method: Deploy malicious applications

  • Impact: Direct SYSTEM-level code execution

hashtag
Named Pipe Privilege Escalation

Example: WindscribeService vulnerability

hashtag
🎯 HTB Academy Lab Solutions

hashtag
Lab Environment

  • Target: 10.129.43.43 (ACADEMY-WINLPE-SRV01)

  • Credentials: htb-student:HTB_@cademy_stdnt!

  • Tools: C:\Tools\AccessChk\

hashtag
Question 1: Service on Port 21

Objective: Identify service listening on 0.0.0.0:21

Solution Steps:

Answer: filezilla server

hashtag
Question 2: WRITE_DAC Privileges on Named Pipe

Objective: Find account with WRITE_DAC over \pipe\SQLLocal\SQLEXPRESS01

Solution Steps:

Answer: NT Service\MSSQL$SQLEXPRESS01

hashtag
πŸ” Attack Pattern Recognition

hashtag
Network Service Indicators

hashtag
Named Pipe Red Flags

hashtag
Service Context Analysis

hashtag
πŸ“‹ Process Communication Checklist

hashtag
Network Services

hashtag
Named Pipes

hashtag
Attack Surface Assessment

hashtag
πŸ’‘ Key Takeaways

  1. Network services running as privileged users provide direct escalation paths

  2. Localhost-only services often lack security controls

  3. Named pipes with excessive permissions enable privilege escalation

  4. Web servers with SeImpersonatePrivilege lead to SYSTEM access

  5. Default configurations frequently contain security weaknesses

  6. Service context matters - identify which user runs each service

Process communication analysis reveals privilege escalation opportunities through network services and inter-process communication vulnerabilities.

PreviousInitial EnumerationNextSeImpersonate & SeAssignPrimaryToken

Last updated