Abusing SeImpersonatePrivilege: Metasploit Module
Impersonating the Local SYSTEM Account with Rogue Potato
Abusing SeImpersonatePrivilege: RoguePotato.exe
Impersonating the Local SYSTEM Account with PrintSpoofer
Abusing SeImpersonatePrivilege: PrintSpoofer.exe

In this post we will be exploring multiple techniques that can be used to abuse the SeImpersonate privilege.

We will begin by reviewing a scenario where we will obtain a foothold on a Windows 10 machine as the iisapppool service account after exploiting a misconfigured FTP server. From there, we will enumerate the account’s permissions to find that it has SeImpersonatePrivilege enabled, which we will utilize to escalate our privileges to local SYSTEM by performing a Potato attack with JuicyPotato.exe.

Additionally, we will go over how we can perform this exploit using the Juicy Potato module in Metasploit.

Finally, we will see how we can abuse the SeImpersonate privilege using two additional tools, Rogue Potato and PrintSpoofer, to obtain a SYSTEM shell on a Server 2019 machine.

By default, members of the local Administrators group as well as any local Service accounts are assigned the “Impersonate a client after authentication” user right (SeImpersonatePrivilege).

An account that has the SeImpersonate privilege enabled has the ability to impersonate another client after authentication. This means that this privilege allows the account to impersonate other accounts, so long as they have authenticated. Whenever a user authenticates to a host, a token (a logon session inside the LSASS process) resides on the system until the next restart.

With an understanding of what this privilege allows us to do, we as an attacker need to think: “What are the required conditions to impersonate an administrative account when the SeImpersonate privilege is enabled?” Let’s find out!

Scenario: Gaining a Foothold Exploiting a Misconfigured Web Server / FTP Server

To add some context to this post, we will quickly review an example scenario that involves a misconfigured FTP server. We will take advantage of this misconfiguration to create an exploit chain that allows us to get a reverse shell from the web server and, as a result, a foothold as the built-in Internet Information Services (IIS) service account: iisapppool.

Running the following nmap scan, we can observe that FTP is open on port 21 and allows anonymous access. We can also see there is an IIS web server running on port 80:

nmap -A -sV -sC -T4 172.16.1.50 -p- -oN tcp.nmap

Reviewing this nmap scan, we can also see that the files in the FTP server look like they belong to the web server. This means that the FTP server is likely running out of the webroot!

At this point, the first thing we should do is try logging into the FTP server anonymously and test if we have the ability to write in it. If we can write in the FTP server, we will likely be able to exploit this to get a reverse shell quite easily.

Before we log into the FTP server, we need to craft a TXT file that we can test uploading to the FTP server. This will provide our POC when we try to open the file on the web server from the browser.

Now that we have that ready, we can connect to the FTP server and login using the credentials anonymous : anonymous. The password does not need to be anonymous and can actually be anything.

After successfully logging in and establishing an anonymous session, we can test using the put command to upload our test.txt file onto the FTP server.

Awesome! We were able to upload our file onto the FTP server.
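The nmap review step above (anonymous FTP on 21/tcp whose listing shows IIS default files next to an IIS server on 80/tcp) can be turned into a repeatable triage check over the -oN report. The script below is an added example, not code from the original post; the scan text it parses is a constructed sample that mimics nmap's normal-output layout and the ftp-anon script's wording, and the IIS_DEFAULT_FILES set is an assumption about what a stock IIS webroot contains.

```python
"""Triage an nmap -oN report for the FTP-root-is-the-IIS-webroot misconfiguration."""
import re

# Constructed sample of nmap -oN output (not a real scan), trimmed to the two relevant ports.
SAMPLE_SCAN = """\
Nmap scan report for 172.16.1.50
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 08-13-21  02:15PM                  703 iisstart.htm
|_08-13-21  02:15PM                99710 iisstart.png
80/tcp open  http    Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_  Potentially risky methods: TRACE
"""

# Files IIS ships in its default webroot (assumed set); seeing them over FTP suggests the FTP root is the webroot.
IIS_DEFAULT_FILES = {"iisstart.htm", "iisstart.png"}
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")


def parse_ports(report):
    """Group each open port's banner with the NSE script lines printed beneath it."""
    ports, current = {}, None
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {"service": m.group(2), "version": m.group(3).strip(), "scripts": []}
        elif current is not None and line.startswith("|"):
            # Strip nmap's "| " / "|_" script-output prefixes.
            ports[current]["scripts"].append(line.lstrip("|_ ").rstrip())
    return ports


def find_ftp_webroot_exposure(report):
    """Return findings when anonymous FTP is allowed and its listing looks like the IIS webroot."""
    ports = parse_ports(report)
    ftp, web = ports.get(21), ports.get(80)
    findings = []
    if ftp and any("Anonymous FTP login allowed" in s for s in ftp["scripts"]):
        findings.append("anonymous FTP login allowed on 21/tcp")
        # Last token of a directory-listing line is the file name.
        listed = {s.split()[-1] for s in ftp["scripts"] if s and s.split()[-1] in IIS_DEFAULT_FILES}
        if listed and web and "IIS" in web["version"]:
            findings.append("FTP root appears to be the IIS webroot (%s visible)" % ", ".join(sorted(listed)))
    return findings
```

Running find_ftp_webroot_exposure over a real tcp.nmap file flags the same pair of observations the walkthrough makes by eye, so the check can be repeated across many hosts.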