This chapter is a security-focused exercise that builds upon the objects chapter.
Each securable object in Windows has a security descriptor. Each security descriptor contains the owner SID, the group SID, a DACL and a SACL. The discretionary access control list (DACL) is a list of access control entries (ACEs) that control other SIDs' permissions on the object. The system access control list (SACL) contains ACEs that define which kinds of access are logged.
In this way, very detailed permissions can be set, ranging from “Paul can write to this file” (write permission on a file object for user Paul) to “Everyone can copy secret domain information” (replication-of-secret-domain-information permission on the domain object for everyone).
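The structure described above, as an added example that is not part of the original chapter: a small Python parser for the SDDL string form of a security descriptor, run over two constructed samples that mirror the "Paul" and "Everyone" cases. Paul's SID, both sample descriptors and the abbreviation tables (a small subset of SDDL) are assumptions made for illustration.

```python
import re

# Subset of SDDL abbreviations, enough for the constructed samples below.
ACE_TYPES = {"A": "allow", "D": "deny", "OA": "allow (object)",
             "OD": "deny (object)", "AU": "audit", "OU": "audit (object)"}
RIGHTS = {"FA": "file all access", "FR": "file read", "FW": "file write",
          "GA": "generic all", "CR": "control access (extended right)"}
SIDS = {"WD": "Everyone", "BA": "BUILTIN\\Administrators", "SY": "SYSTEM"}

def parse_acl(text):
    """Turn an ACL body such as '(A;;FA;;;BA)(A;;FW;;;WD)' into ACE dicts."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", text):
        f = body.split(";")
        if len(f) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        rights = f[2]
        aces.append({
            "type": ACE_TYPES.get(f[0], f[0]),
            "flags": f[1],  # in a SACL: SA = log success, FA = log failure
            # Rights are a hex mask or concatenated two-letter codes.
            "rights": [rights] if rights.startswith("0x") else
                      [RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                       for i in range(0, len(rights), 2)],
            "object_guid": f[3] or None,
            "trustee": SIDS.get(f[5], f[5]),
        })
    return aces

def parse_sddl(sddl):
    """Split a security descriptor string into owner, group, DACL, SACL."""
    sd = {"owner": None, "group": None, "dacl": [], "sacl": []}
    # Components are tagged O:, G:, D:, S:. SIDs and ACEs contain no colon.
    parts = re.split(r"([OGDS]):", sddl)[1:]
    for tag, value in zip(parts[0::2], parts[1::2]):
        if tag in "OG":
            sd["owner" if tag == "O" else "group"] = SIDS.get(value, value)
        else:
            sd["dacl" if tag == "D" else "sacl"] = parse_acl(value)
    return sd

# Constructed samples. PAUL_SID is a made-up account SID.
PAUL_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"
FILE_SD = f"O:BAG:SYD:(A;;FA;;;BA)(A;;FW;;;{PAUL_SID})S:(AU;FA;FW;;;WD)"
# CR plus this GUID is the DS-Replication-Get-Changes-All extended right.
DOMAIN_SD = "O:BAG:BAD:(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;WD)"

if __name__ == "__main__":
    print(parse_sddl(FILE_SD), parse_sddl(DOMAIN_SD), sep="\n")
```

In `FILE_SD` the DACL grants Paul file write, while the SACL entry makes failed write attempts by Everyone show up in the security log. `DOMAIN_SD` shows how an extended right is expressed as an object ACE carrying the right's GUID.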
The rest of this episode is unfortunately still a work in progress. The idea is to find a permission that lets us escalate privileges without stealing the full security token, instead just tuning our permissions a bit.