
Simple Windows jail that simulates runas /trustlevel and /user, with a pipe to redirect stdout. Just for fun, no guarantee. Since, once you get a shell on Windows, you can shut down the machine or taskkill the process, maybe this project can be used as a Windows pwn environment for CTF games?


windows-jail


```powershell
# run powershell as admin
# add user jail
net user jail jail /add
mkdir C:\Users\jail
# deny jail read access to all files, except files under folders that disable inheritance (usually system folders such as Windows, Program Files (x86), etc.)
icacls  d:\ /deny "jail:(OI)(CI)f"
icacls  c:\ /deny "jail:(OI)(CI)f"
icacls  e:\ /deny "jail:(OI)(CI)f"

# you can use the command below to find folders not affected by inheritance. It is also important to note that if the explicit permissions allow access, the inherited permissions will never be checked.
dir c:\ -Directory -recurse|get-acl|where { $_.AreAccessRulesProtected}|select @{Name="Path" ;Expression={Convert-Path $_.Path}},AreAccessRulesProtected|format-table

# allow jail to read some programs and folders (for example python)
icacls "C:\Users\Administrator\AppData\Local\Programs\Python\Python310\" /grant "jail:(OI)(CI)(RX)"
icacls "C:\Users\Administrator\AppData\Local\Programs\Python\Python310\" /grant "Users:(OI)(CI)(RX)" # the Users group's privilege is needed in constrained mode.

# compile the programs that make up the jail
git clone https://github.com/fjh1997/windows-jail.git
cd windows-jail
msbuild RestrictShutdown.vcxproj
msbuild runasuser.vcxproj
cd telegram-evil-bot\bin-v143\x64\Debug
# run powershell as user jail with restricted permissions; an absolute path is needed
runasuser.exe jail jail  RestrictShutdown.exe  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
```
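The check that the comment about inheritance calls for, as an added PowerShell example that is not code from the windows-jail repo: it walks a drive and reports directories where the root-level deny does not reach the jail account, either because the folder's DACL has inheritance disabled or because a non-inherited Allow ACE for the account (or a group it belongs to) precedes the inherited deny. It goes a little beyond the one-liner above by covering both cases. Assumptions: the account is named `jail` and holds the default BUILTIN\Users, Everyone and Authenticated Users memberships; the `$Root` and `$JailUser` parameters are this example's own.

```powershell
# Audit folders the jail account can still read despite the root /deny (added example, not part of windows-jail).
param(
    [string]$Root = 'C:\',
    [string]$JailUser = 'jail'
)

# Identities through which an ACE could grant the jail account access (assumption: default local group memberships).
$identities = @(
    "$env:COMPUTERNAME\$JailUser",
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users'
)
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData

$results = Get-ChildItem -Path $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = try { Get-Acl -LiteralPath $_.FullName -ErrorAction Stop } catch { $null }
        if ($null -eq $acl) { return }

        # Only explicit (non-inherited) ACEs matter here: they are evaluated before anything inherited
        # from the root, and a protected DACL has no inherited ACEs at all.
        $explicit = $acl.Access | Where-Object { -not $_.IsInherited -and $identities -contains $_.IdentityReference.Value }
        $allow = $explicit | Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $readData) }
        $deny  = $explicit | Where-Object { $_.AccessControlType -eq 'Deny' }

        if (-not $allow) { return }
        [pscustomobject]@{
            Path              = $_.FullName
            InheritanceOff    = $acl.AreAccessRulesProtected
            JailCanRead       = [bool](-not $deny)   # explicit Deny for the same identities wins over Allow
            AllowedVia        = ($allow.IdentityReference.Value | Select-Object -Unique) -join ', '
        }
    }

# Folders listed here are the gaps in the jail: grant them deliberately or add an explicit /deny for the jail account.
$results | Where-Object JailCanRead | Sort-Object Path | Format-Table -AutoSize
```

Files inside those folders inherit from them, so fixing a listed directory with an `icacls ... /deny "jail:(OI)(CI)f"` closes the whole subtree; run it as admin because Get-Acl needs read-control on every folder.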

Further work

I was thinking: create a user group, grant only read access to C:, the Windows directory and other required folders to this user group, use SetTokenInformation(TokenGroups) to add the SID of this user group to the token of the process, and use CreateRestrictedToken(UserGroup) to restrict the process to this user group. Is it simple to achieve storage isolation of the process this way? The Windows ACL check will check twice, the second time specifically to check if it is in the group being restricted.

restricted-tokens safercomputetokenfromlevel
