Potatoes

July 11, 2022, by Ryan Barger

A Black Hat 2015 presentation by James Forshaw began to mainstream a Windows privesc technique that abuses the SeAssignPrimaryTokenPrivilege/SeImpersonatePrivilege permissions: https://www.youtube.com/watch?v=QRpfvmMbDMg. Proof-of-concept exploits that soon became publicly distributed included Rotten Potato, Juicy Potato, PrintSpoofer, and more.

SeImpersonatePrivilege reliably provides a path for an attacker to gain SYSTEM-level access.

At its core, each of these exploits MITM’ed a handshake between SYSTEM and another process to gain access to a security token.

The MITM of the handshake occurs on the same machine, but the MITM methodology is otherwise similar to the outline above.

Armed with both (1) access to a privileged security token and (2) SeImpersonatePrivilege, an attacker can initiate a new process with increased privileges.

A reverse shell running under the IIS account (which holds SeImpersonatePrivilege) can employ this exploit to gain SYSTEM.
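Because every one of these exploits ends the same way, with a low-privileged service identity creating a process that runs as SYSTEM, that token jump is what a defender can watch for. The following is an added example, not code from the post or from any of the Potato projects: a heuristic that scans process-creation records shaped like Windows Security event 4688 (which on Windows 10 / Server 2016 and later carries both the creator's Subject account and the new process's Target account) and flags a service account spawning a SYSTEM process. The field names and the sample records are constructed for this example.

```python
# Heuristic detector for the token-jump pattern behind the Potato family: a
# process created by a low-privileged service identity (an IIS app pool,
# NETWORK SERVICE, LOCAL SERVICE) whose new token is SYSTEM. Records mimic
# the Subject/Target fields of Security event 4688. Production code should
# match on SIDs (S-1-5-18 SYSTEM, S-1-5-20 NETWORK SERVICE) rather than names;
# names are used here for readability. All sample data below is constructed.

SERVICE_DOMAINS = {"IIS APPPOOL"}
SERVICE_ACCOUNTS = {"NETWORK SERVICE", "LOCAL SERVICE"}

def is_service_identity(domain: str, user: str) -> bool:
    """True for the service identities that typically hold SeImpersonatePrivilege but are not SYSTEM."""
    return domain.upper() in SERVICE_DOMAINS or user.upper() in SERVICE_ACCOUNTS

def is_system(domain: str, user: str) -> bool:
    """True for the NT AUTHORITY\\SYSTEM account."""
    return domain.upper() == "NT AUTHORITY" and user.upper() == "SYSTEM"

def is_token_jump(event: dict) -> bool:
    """Flag a record whose creator is a service identity but whose new process runs as SYSTEM."""
    return (is_service_identity(event["SubjectDomainName"], event["SubjectUserName"])
            and is_system(event["TargetDomainName"], event["TargetUserName"]))

def scan(events: list) -> list:
    """Return every record matching the service-account-to-SYSTEM pattern."""
    return [e for e in events if is_token_jump(e)]

SAMPLE_EVENTS = [
    {   # benign: the IIS worker spawns a helper under its own identity
        "SubjectDomainName": "IIS APPPOOL", "SubjectUserName": "DefaultAppPool",
        "TargetDomainName": "IIS APPPOOL", "TargetUserName": "DefaultAppPool",
        "NewProcessName": r"C:\Windows\System32\conhost.exe",
        "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
    },
    {   # suspicious: the IIS worker creates a process that runs as SYSTEM
        "SubjectDomainName": "IIS APPPOOL", "SubjectUserName": "DefaultAppPool",
        "TargetDomainName": "NT AUTHORITY", "TargetUserName": "SYSTEM",
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
    },
    {   # benign: SYSTEM service creating a SYSTEM child
        "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM",
        "TargetDomainName": "NT AUTHORITY", "TargetUserName": "SYSTEM",
        "NewProcessName": r"C:\Windows\System32\svchost.exe",
        "ParentProcessName": r"C:\Windows\System32\services.exe",
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("token jump:", hit["SubjectUserName"], "->", hit["TargetUserName"], hit["NewProcessName"])
```

A legitimate service rarely needs to create a SYSTEM process, so a hit from an IIS app pool or NETWORK SERVICE subject is worth triage even before looking at the child image name.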

See this excellent, detailed writeup: https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/#impersonation-privileges