RID Hijacking
Overview
When a user is created, an identifier called the Relative ID (RID) is assigned to them. The RID is simply a numeric identifier representing the user across the system. When a user logs on, the LSASS process gets its RID from the SAM registry hive and creates an access token associated with that RID. If we can tamper with the registry value, we can make Windows assign an Administrator access token to an unprivileged user by associating the same RID to both accounts.
In any Windows system, the default Administrator account is assigned RID = 500, and regular users usually have RID >= 1000.
Now we only have to assign RID = 500 to jack. To do so, we need to access the SAM using Regedit. The SAM is restricted to the SYSTEM account only, so even the Administrator won't be able to edit it. To run Regedit as SYSTEM, we will use psexec:

PsExec64.exe -i -s regedit
From Regedit, we will go to: HKLM\SAM\SAM\Domains\Account\Users\

We need to search for a key with its RID in hex (1010 = 0x3F2). Under the corresponding key, there will be a value called F, which holds the user's effective RID at position 0x30.

Notice the RID is stored using little-endian notation, so its bytes appear reversed.

We will now replace those two bytes with the RID of Administrator in hex (500 = 0x01F4), switching around the bytes (F401).
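The same two facts the technique relies on, the RID living at offset 0x30 of the F value and being stored little-endian, are exactly what a defender audits: for every key under Users\, the RID encoded in the key name must match the RID stored in its F value, and no two accounts may share RID 500. The following is an added example written for this page, not code from the original post; it parses the F blob and reports mismatches. It reads the full 4-byte little-endian field at 0x30 (the page shows only the low two bytes, which are followed by two zero bytes for any RID below 65536). The sample F blobs and the account names are constructed for illustration.

```python
import struct

# Offset of the effective RID inside the SAM "F" value, stored as a
# 4-byte little-endian DWORD (the page shows its low two bytes).
RID_OFFSET = 0x30
ADMIN_RID = 500


def rid_from_key_name(key_name: str) -> int:
    """Subkey names under HKLM\\SAM\\SAM\\Domains\\Account\\Users\\ are the RID in hex,
    e.g. '000003F2' -> 1010. This is the RID the account is *supposed* to have."""
    return int(key_name, 16)


def rid_from_f_value(f_value: bytes) -> int:
    """Decode the effective RID that LSASS will use, read little-endian at 0x30."""
    if len(f_value) < RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID at offset 0x30")
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def audit_sam_users(users: dict) -> list:
    """Compare each key's RID with the RID inside its F value.

    `users` maps key name -> raw F value bytes. Returns one finding per
    account whose stored RID differs from its key name; a stored RID of 500
    on a non-Administrator key is the classic RID-hijacking signature.
    """
    findings = []
    for key_name, f_value in users.items():
        expected = rid_from_key_name(key_name)
        effective = rid_from_f_value(f_value)
        if effective != expected:
            findings.append({
                "key": key_name,
                "expected_rid": expected,
                "effective_rid": effective,
                # raw bytes as they appear in Regedit, reversed by little-endian order
                "stored_bytes": f_value[RID_OFFSET:RID_OFFSET + 4].hex(),
                "maps_to_admin": effective == ADMIN_RID,
            })
    return findings


def make_f_value(rid: int) -> bytes:
    """Constructed sample: a zero-filled blob with only the RID field set.
    A real F value carries other fields too; they are irrelevant to this check."""
    blob = bytearray(0x50)
    struct.pack_into("<I", blob, RID_OFFSET, rid)
    return bytes(blob)


# Constructed sample SAM state (hypothetical accounts, not real registry data):
SAMPLE_USERS = {
    "000001F4": make_f_value(500),    # built-in Administrator, consistent
    "000003F2": make_f_value(1010),   # 'jack' before any tampering, consistent
    "000003F3": make_f_value(500),    # another user whose F value was rewritten to F4 01 00 00
}


if __name__ == "__main__":
    for finding in audit_sam_users(SAMPLE_USERS):
        print(f"key {finding['key']}: expected RID {finding['expected_rid']}, "
              f"F value holds {finding['effective_rid']} (bytes {finding['stored_bytes']})"
              + (" -> token would be Administrator" if finding["maps_to_admin"] else ""))
```

On a live host the F values have to be read as SYSTEM (as the page notes, the SAM is not readable even by Administrator), for instance by exporting each user key and feeding the raw bytes to audit_sam_users. Because a hijacked account still keeps its own key name, the mismatch between key name and stored RID survives a reboot and is a stable thing to alert on.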