{"id":240,"date":"2022-07-11T01:46:26","date_gmt":"2022-07-11T01:46:26","guid":{"rendered":"https:\/\/www.davincivirus.com\/?p=240"},"modified":"2022-07-11T01:48:22","modified_gmt":"2022-07-11T01:48:22","slug":"potatoes","status":"publish","type":"post","link":"https:\/\/www.davincivirus.com\/?p=240","title":{"rendered":"Potatoes"},"content":{"rendered":"\n

A Black Hat 2015 presentation by James Forshaw began to mainstream a Windows privesc technique that abused SeAssignPrimaryToken\/SeImpersonate permissions; https:\/\/www.youtube.com\/watch?v=QRpfvmMbDMg. Proof of concept exploits that soon became publicly distributed included Rotten Potato, Juicy Potato, Print Spoofer, and more.<\/p>\n\n\n\n

\"\"
SeImpersonatePrivilege reliably provide a path for an attacker to attacker to gain SYSTEM level access.<\/figcaption><\/figure><\/div>\n\n\n\n

At its core, each of these exploits MITM’ed a handshake between the SYSTEM and an another process to gain access to a security token.<\/p>\n\n\n\n

\"\"
The MITM of a handshake occurs on the same machine, but MITM methodology is otherwise similar to the outline above.<\/figcaption><\/figure><\/div>\n\n\n\n

Armed with both (1) access to a privileged security token and (2) SeImpersonatePrivelege, an attacker can initiate a new process with increased privileges. <\/p>\n\n\n\n

\"\"
A reverse shell running under the IIS account (with SeImpersonatePrivelege) can employ this exploit to gain SYSTEM.<\/figcaption><\/figure>\n\n\n\n

See excellent detailed writeup: https:\/\/itm4n.github.io\/printspoofer-abusing-impersonate-privileges\/#impersonation-privileges<\/a><\/p>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

A Black Hat 2015 presentation by James Forshaw began to mainstream a Windows privesc technique that abused SeAssignPrimaryToken\/SeImpersonate permissions; https:\/\/www.youtube.com\/watch?v=QRpfvmMbDMg.… Continue Reading<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/posts\/240"}],"collection":[{"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=240"}],"version-history":[{"count":4,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/posts\/240\/revisions"}],"predecessor-version":[{"id":248,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/posts\/240\/revisions\/248"}],"wp:attachment":[{"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=240"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=240"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=240"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}