![potato mush client automatic logging potato mush client automatic logging](https://securityonline.info/wp-content/uploads/2019/03/poc.png)
![potato mush client automatic logging potato mush client automatic logging](https://brill.com/cover/covers/9789004461840.jpg)
Interestingly, of the 3 default service user accounts present in Windows, both Local Service and Network Service have this privilege, specifically SeImpersonate. This is true for admin accounts running under High integrity process, but not for normal user accounts. The other requirement is that the account you have a shell in must have token impersonation rights. When you see NT AUTHORITY\SYSTEM under the list of available tokens to impersonate it means you can get to SYSTEM. This is usually true of most service accounts and not true of most user-level accounts.įor step 3, token impersonation can be done manually with incognito, as shown in previous labs. This can only be done if the attackers current account has the privilege to impersonate security tokens.
#Potato mush client automatic logging series
This is done through a series of Windows API calls. Man-in-the-middle this authentication attempt (NTLM relay) to locally negotiate a security token for the “NT AUTHORITY\SYSTEM” account.
![potato mush client automatic logging potato mush client automatic logging](https://digitalanarchy.com/blog/wp-content/uploads/export-1-1024x378.jpg)
Trick the “NT AUTHORITY\SYSTEM” account into authenticating via NTLM to a TCP endpoint we control.It started with the Rotten Potato exploit in 2016 where the exploit This is where I stumbled a family of exploits. Apart from kernel exploits and PsExec, do I have a way to get to SYSTEM? There’s also the issue that when escalating from an administrator account to SYSTEM I would typically use PsExec, and bypass UAC, spawn a High integrity shell if needed beforehand. Out of these, just DLL hijacking (which requires GUI) and unquoted service paths are non-kernel priv escs methods. In the Windows boxes I have done, privilege escalation is either typically not needed or Kernel exploits are used.