- When a user is created, an identifier called Relative ID (RID) is assigned to them.
- The RID is simply a numeric identifier representing the user across the system. When a user logs on, the LSASS process gets its RID from the SAM registry hive and creates an access token associated with that RID.
- If we can tamper with the registry value, we can make Windows assign an Administrator access token to an unprivileged user by associating the same RID with both accounts.
- In any Windows system, the default Administrator account is assigned RID = 500, and regular users usually have RID >= 1000.
wmic useraccount get name,sid
Name SID
Administrator S-1-5-21-1966530601-3185510712-10604624-500
DefaultAccount S-1-5-21-1966530601-3185510712-10604624-503
--snip--
- Now we only have to assign RID = 500 to jack. To do so, we need to access the SAM using Regedit. The SAM is restricted to the SYSTEM account only, so even the Administrator won't be able to edit it. To run Regedit as SYSTEM, we will use psexec:
PsExec64.exe -i -s regedit
- From Regedit, we will go to:
HKLM\SAM\SAM\Domains\Account\Users\
- We need to search for a key named with the user's RID in hex (1010 = 0x3F2). Under the corresponding key, there will be a value called F, which holds the user's effective RID at position 0x30:
- Notice the RID is stored using little-endian notation, so its bytes appear reversed.
- We will now replace those two bytes with the RID of Administrator in hex (500 = 0x01F4), switching around the bytes (F401):
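The same layout described above (key name = RID in hex, effective RID stored little-endian at offset 0x30 of the F value) is what a defender can check to spot this tampering. The script below is an added example, not part of the original notes; it walks the Users key, compares the RID encoded in each key name with the RID read from F, and flags any account where the two differ. It assumes the offset 0x30 stated above and, like Regedit in the steps above, must run as SYSTEM (for example via PsExec64.exe -i -s powershell.exe) because HKLM\SAM is not readable by Administrator.

```powershell
# Added check, not from the original page: detect accounts whose effective RID in
# the SAM F value does not match the RID their key name represents.
# Assumes the RID sits at offset 0x30 of F (the offset used in the notes above).
# Run as SYSTEM; HKLM\SAM is not readable as Administrator.

$usersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'

Get-ChildItem -Path $usersKey |
    Where-Object { $_.PSChildName -match '^[0-9A-F]{8}$' } |   # skip the "Names" subkey
    ForEach-Object {
        # Key name is the RID in hex, e.g. 000003F2 = 1010, 000001F4 = 500
        $keyRid = [Convert]::ToInt32($_.PSChildName, 16)

        # F is a REG_BINARY value; Get-ItemProperty returns it as a byte array
        $f = (Get-ItemProperty -Path $_.PSPath -Name F).F

        # Effective RID: little-endian DWORD at offset 0x30 (assumed offset, as above)
        $effectiveRid = [BitConverter]::ToUInt32($f, 0x30)

        [PSCustomObject]@{
            Key          = $_.PSChildName
            KeyRid       = $keyRid
            EffectiveRid = $effectiveRid
            Mismatch     = ($keyRid -ne $effectiveRid)
        }
    } | Format-Table -AutoSize
```

On an untouched system every row shows Mismatch = False. A row such as Key 000003F2 with EffectiveRid 500 is the hijack described above (a RID-1010 user being issued the Administrator's RID-500 token) and is the condition to alert on; restoring the original bytes at 0x30 reverts it.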

