xct's notes

Named Pipes

Named Pipes are a remotely accessible, socket-like interface. Use IONinja to inspect traffic.

Resources

FeedbackHub

C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe
It is a WinRT app; we have DLLs and .winmd files. The .winmd files can be loaded into dnSpy, the DLLs into IDA, which gives some type information.

Path Redirection without Controlling File Contents

DoS: We can write to C:\Windows\System32\en\Microsoft.Windows.Common-Controls.DLL, which will prevent Windows from booting.

DACL

Consists of a series of ACEs (Access Control Entries). Order matters (first-match principle). Stored in SDDL format:

ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
Example:

(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-1-0)

AceType:
A = ACCESS_ALLOWED_ACE_TYPE

Access rights:
RP = ADS_RIGHT_DS_READ_PROP
WP = ADS_RIGHT_DS_WRITE_PROP
CC = ADS_RIGHT_DS_CREATE_CHILD
DC = ADS_RIGHT_DS_DELETE_CHILD
LC = ADS_RIGHT_ACTRL_DS_LIST
SW = ADS_RIGHT_DS_SELF
RC = READ_CONTROL
WD = WRITE_DAC
WO = WRITE_OWNER
GA = GENERIC_ALL

Ace Sid:
S-1-1-0
In an AD environment we can use PowerView's Get-ObjectAcl -Identity ... to view the ACLs (for a more readable format, use ConvertFrom-SID to resolve SIDs to names).
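To make the SDDL format above concrete, here is an added example (my own code, not from xct's notes or from PowerView): a small parser that splits a DACL string into its six-field ACEs, decodes the two-letter rights codes and well-known SIDs, and then walks the ACE list in order to show why ordering matters. It accepts either a bare "(...)(...)" string like the one above or a full "O:..G:..D:..S:.." descriptor string. The alias and rights tables are the standard SDDL ones; the check_access walk is a deliberately simplified model (two-letter codes only, GA treated as granting everything, hex masks and object ACEs ignored).

```python
import re

# Added example (not from xct's notes): parse SDDL DACL strings and walk the
# ACE list first-to-last, as the notes say Windows does.

# ACE type codes -> constant names (subset of the SDDL ace_type values)
ACE_TYPES = {
    "A": "ACCESS_ALLOWED_ACE_TYPE",
    "D": "ACCESS_DENIED_ACE_TYPE",
    "OA": "ACCESS_ALLOWED_OBJECT_ACE_TYPE",
    "OD": "ACCESS_DENIED_OBJECT_ACE_TYPE",
    "AU": "SYSTEM_AUDIT_ACE_TYPE",
}

# Two-letter rights codes: the ones decoded in the notes above, plus the other
# standard, generic and file-specific codes from the SDDL specification.
ACCESS_RIGHTS = {
    "RP": "ADS_RIGHT_DS_READ_PROP", "WP": "ADS_RIGHT_DS_WRITE_PROP",
    "CC": "ADS_RIGHT_DS_CREATE_CHILD", "DC": "ADS_RIGHT_DS_DELETE_CHILD",
    "LC": "ADS_RIGHT_ACTRL_DS_LIST", "SW": "ADS_RIGHT_DS_SELF",
    "LO": "ADS_RIGHT_DS_LIST_OBJECT", "DT": "ADS_RIGHT_DS_DELETE_TREE",
    "CR": "ADS_RIGHT_DS_CONTROL_ACCESS",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "SD": "DELETE",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE", "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ",
    "FW": "FILE_GENERIC_WRITE", "FX": "FILE_GENERIC_EXECUTE",
}

# SDDL lets well-known accounts appear as two-letter aliases instead of SIDs.
SID_ALIASES = {"WD": "S-1-1-0", "SY": "S-1-5-18", "BA": "S-1-5-32-544", "AU": "S-1-5-11"}
SID_NAMES = {"S-1-1-0": "Everyone", "S-1-5-18": "NT AUTHORITY\\SYSTEM",
             "S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-11": "Authenticated Users"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def _pairs(s):
    """Split a run of two-letter codes ('RPWPGA') into ['RP', 'WP', 'GA']."""
    if len(s) % 2:
        raise ValueError(f"odd-length code string: {s!r}")
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_ace(ace):
    """Parse one 'ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid'."""
    fields = ace.split(";")
    if len(fields) != 6:
        raise ValueError(f"ACE must have 6 ';'-separated fields: {ace!r}")
    ace_type, flags, rights, obj_guid, inh_guid, sid = fields
    if rights.lower().startswith("0x"):          # raw hex access-mask form
        codes, names = [], [f"mask 0x{int(rights, 16):08x}"]
    else:
        codes = _pairs(rights)
        names = [ACCESS_RIGHTS.get(c, f"UNKNOWN({c})") for c in codes]
    sid = SID_ALIASES.get(sid, sid)               # normalise aliases to real SIDs
    return {
        "type": ACE_TYPES.get(ace_type, f"UNKNOWN({ace_type})"),
        "flags": _pairs(flags),
        "right_codes": codes,
        "rights": names,
        "object_guid": obj_guid or None,
        "inherit_object_guid": inh_guid or None,
        "sid": sid,
        "account": SID_NAMES.get(sid, sid),
    }


def parse_dacl(sddl):
    """Return DACL flags and ACE list from a bare '(...)(...)' string or a full
    'O:..G:..D:..S:..' security descriptor string."""
    dacl = sddl
    if not sddl.startswith("("):
        # Section markers never occur inside parentheses (ACE fields contain no
        # ':'), so locating 'D:' and the next marker is safe.
        marks = list(re.finditer(r"[OGDS]:", sddl))
        dacl = ""
        for i, m in enumerate(marks):
            if m.group() == "D:":
                end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
                dacl = sddl[m.end():end]
    flags = dacl.split("(", 1)[0]      # e.g. 'PAI' = protected + auto-inherited
    return {"flags": flags, "aces": [parse_ace(a) for a in ACE_RE.findall(dacl)]}


def check_access(dacl, token_sids, requested):
    """Walk the ACEs first-to-last. A deny ACE covering any still-needed right
    refuses access; allow ACEs strip the rights they grant (GA grants all).
    Access is granted once nothing remains. Toy model: hex-mask and object
    ACEs carry no two-letter codes and are therefore ignored."""
    remaining = set(requested)
    for ace in dacl["aces"]:
        if ace["sid"] not in token_sids or not remaining:
            continue
        granted = set(ace["right_codes"])
        covered = set(remaining) if "GA" in granted else remaining & granted
        if ace["type"] == "ACCESS_DENIED_ACE_TYPE" and covered:
            return False
        if ace["type"] == "ACCESS_ALLOWED_ACE_TYPE":
            remaining -= covered
    return not remaining


if __name__ == "__main__":
    # The example ACE from the notes above
    for ace in parse_dacl("(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-1-0)")["aces"]:
        print(ace["type"], ace["account"], ", ".join(ace["rights"]))
    # Same two ACEs, different order, different answer for WRITE_DAC by Everyone
    deny_first = parse_dacl("(D;;WD;;;WD)(A;;GA;;;WD)")
    allow_first = parse_dacl("(A;;GA;;;WD)(D;;WD;;;WD)")
    print(check_access(deny_first, {"S-1-1-0"}, {"WD"}),
          check_access(allow_first, {"S-1-1-0"}, {"WD"}))
```

The last two calls are the point of the "order matters" remark: the same deny and allow ACEs give WRITE_DAC to Everyone only when the allow ACE is listed first, which is why tools that write ACLs place deny ACEs at the front and why an ACE appended in the wrong position is worth flagging during a review.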

Tools
