[Edit] looks like my initial assumption was wrong.
If my understanding is correct, you need admin privileges to create the symlink...
If the attacker already has admin privileges, they already own the system, so why go through all these extra steps?
I'm not certain, but I think the key is readable/writable to all users, without admin privileges. Otherwise you're right, it wouldn't really be a privilege escalation.
There's a PowerShell script here that's supposed to be a PoC for it: https://gist.github.com/enigma0x3/03f065be011c5980b96855e2741bf302
Interesting. R_Sholes on Reddit posted a simple walkthrough, but they use Regln instead of the PowerShell script.