
Impersonation and Potato Attacks - Jeeves Box

Token Impersonation Overview

Every Windows process and thread carries an access token that defines its identity and privileges. Impersonation lets a thread temporarily run under a client's token instead of its own, which is how services act on behalf of the users that call them.

(Screenshot: Token Impersonation)

Impersonation Privileges Overview

Whether a process is allowed to impersonate is controlled by token privileges, chiefly SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege. Windows grants these by default to service accounts such as LOCAL SERVICE, NETWORK SERVICE and IIS application pool identities, which is exactly the kind of account a web application shell tends to land you in.

(Screenshot: Impersonation Privileges)

In this scenario we dropped into a shell running as a service account, not as an administrator; what matters is the privileges that account's token carries.

The one we care about is SeImpersonatePrivilege, which is really, really bad from a defender's point of view: an account holding it can take a SYSTEM token that it coaxes onto the box and run code under it, so in practice it is one step away from full SYSTEM.

Further reading:

Windows - Privilege Escalation - Internal All The Things

https://github.com/gtworek/Priv2Admin

(Screenshot: SeImpersonatePrivilege)

Priv2Admin catalogues many more token privileges that can be leveraged the same way (SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege and others), each with its own route to admin.
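The first thing to do after landing a shell is to check which of these privileges the account actually holds. The usual way is `whoami /priv`; the following PowerShell is an added example (not part of the original write-up or of any of the tools linked above) that parses that output and flags the privileges known to lead to SYSTEM. The function name `Get-DangerousPrivilege`, the abuse table and the sample output are constructed for illustration.

```powershell
# Added example, not from the original write-up: parse `whoami /priv` output and
# flag token privileges that are known to lead to SYSTEM. The privilege table and
# the sample output further down are constructed for illustration.

$DangerousPrivileges = @{
    'SeImpersonatePrivilege'        = 'Potato family (Rotten/Juicy/Rogue), PrintSpoofer'
    'SeAssignPrimaryTokenPrivilege' = 'Potato family via CreateProcessAsUser'
    'SeBackupPrivilege'             = 'Read any file, e.g. SAM and SYSTEM hives'
    'SeRestorePrivilege'            = 'Write any file, e.g. replace a service binary'
    'SeDebugPrivilege'              = 'Open and inject into SYSTEM processes'
    'SeTakeOwnershipPrivilege'      = 'Take ownership of protected files and keys'
    'SeLoadDriverPrivilege'         = 'Load a kernel driver'
    'SeTcbPrivilege'                = 'Act as part of the operating system'
}

function Get-DangerousPrivilege {
    param(
        # Lines of `whoami /priv`; defaults to running it on this host.
        [string[]] $WhoamiOutput = (& whoami /priv)
    )
    foreach ($line in $WhoamiOutput) {
        # Table rows look like: SeImpersonatePrivilege  Impersonate a client ...  Enabled
        if ($line -match '^\s*(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$') {
            $name  = $Matches[1]
            $state = $Matches[2]
            if ($DangerousPrivileges.ContainsKey($name)) {
                [pscustomobject]@{
                    Privilege = $name
                    # Disabled still means the token holds the privilege; the process
                    # can switch it on with AdjustTokenPrivileges, so it still counts.
                    State     = $state
                    Abuse     = $DangerousPrivileges[$name]
                }
            }
        }
    }
}

# Constructed sample output, modelled on a typical service account token.
$sample = @'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
'@ -split "`r?`n"

Get-DangerousPrivilege -WhoamiOutput $sample | Format-Table -AutoSize
# On the target itself just call Get-DangerousPrivilege with no arguments.
```

The point worth remembering is the State column: a privilege reported as Disabled is still present in the token, and the exploit tools enable it themselves, so only its absence from the list means you are safe from that path.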


Potato Attacks Overview

Rotten Potato - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/

The original technique: trick a SYSTEM-owned DCOM service (BITS) into authenticating over NTLM to a listener on localhost that we control, relay that negotiation locally and end up with a SYSTEM token, which SeImpersonatePrivilege lets us use to spawn a process.

Juicy Potato - https://github.com/ohpe/juicy-potato

A generalised Rotten Potato that lets you choose the COM server CLSID and the listening port, so it keeps working when the BITS CLSID is not usable on the target.


With that background, we now apply it to a HTB box:

Jeeves (HTB Machine)


Gaining a Foothold (Box 4)


(Screenshot: Nmap results)

Nmap shows four open TCP ports: 80 (HTTP), 135 (MSRPC), 445 (SMB) and 50000 (a second HTTP service).


We look at SMB on 445 first, since it is so often where the vulnerabilities are, and then move on to the two web ports.


Port 80

(Screenshot: web page on port 80)


Port 50000

(Screenshot: web page on port 50000)


We run DirBuster against both port 80 and port 50000.

(Screenshot: DirBuster)

The same enumeration can be done from the terminal with a command-line brute-forcer such as gobuster or dirb.


DirBuster finds /askjeeves on port 50000, which turns out to be a Jenkins instance that asks for no login.

(Screenshots: the /askjeeves Jenkins dashboard)

Jenkins ships a Groovy Script Console (Manage Jenkins > Script Console, reachable at /askjeeves/script) that executes arbitrary Groovy on the server, so we paste in a Groovy reverse shell.

(Screenshot: Groovy reverse shell)

Boom, we got a shell back. It runs as the Jenkins service account though, so we need a higher level of privilege; let's continue.

Then we stage a Metasploit payload to upgrade the Jenkins shell to a proper session:

(Screenshot: Metasploit payload)


From this we get valuable information:

(Screenshot: valuable info)

The output clearly lists RottenPotato, Hot Potato and a few more candidate escalations. Running winPEAS on the target (the Windows counterpart of linpeas) gives much the same picture.

After this we move over to Metasploit proper.

(Screenshot: Metasploit setup)

With all the options set, hit "run".

(Screenshot: Metasploit run)


(Screenshot: shell access)

What we did here: in the shell we already had from the Jenkins Groovy reverse shell, we ran the stager; the listener we set up in Metasploit caught the connection and gave us the session. Now we escalate it.

(Screenshot: escalation output)

This is where we paste the command that the Metasploit payload module printed earlier.

(Screenshot: Metasploit output)

That output is what I was referring to.


We now have a Metasploit session, still running as the low-privileged Jenkins account:

(Screenshot: low-privilege session)


Next we check the session against the known exploit suggestions (Metasploit's local exploit suggester does this for you):

(Screenshot: exploit suggestions)


Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM


(Screenshots 1-4: running the Rotten Potato escalation against the session)


The output asked us to look deeper, so we went hunting for alternate data streams (ADS): NTFS lets a file carry extra named streams that a plain dir or Get-ChildItem listing never shows. :)

(Screenshot: alternate data streams)
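The following PowerShell is an added example (not from the original write-up) of how to find and read such streams under a directory. The function name `Find-AlternateDataStream`, the temp folder and the `notes.txt` / `secret.txt` names are constructed for the demo; on the box you would point it at the directory where the flag was expected.

```powershell
# Added example, not from the original write-up: enumerate and read NTFS alternate
# data streams (ADS) below a directory. Every file has the default ':$DATA' stream;
# any other stream is hidden from a normal listing and is worth reading. The demo
# folder, file and stream names are constructed for illustration.

function Find-AlternateDataStream {
    param([Parameter(Mandatory)] [string] $Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per stream, default stream included.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                File    = $_.FileName
                Stream  = $_.Stream
                Length  = $_.Length
                # The same -Stream switch reads the hidden content.
                Content = Get-Content -LiteralPath $_.FileName -Stream $_.Stream -Raw
            }
        }
}

# Demo: plant a file with a hidden stream in a temp folder, then hunt for it.
$demo  = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null
$decoy = Join-Path $demo 'notes.txt'
Set-Content -LiteralPath $decoy -Value 'Nothing to see here.'
Set-Content -LiteralPath $decoy -Stream 'secret.txt' -Value 'constructed-secret-value'

Find-AlternateDataStream -Path $demo | Format-List    # reports notes.txt : secret.txt
Remove-Item -LiteralPath $demo -Recurse -Force
```

From cmd.exe the equivalents are `dir /R` to list the streams of each file and `more < file.txt:streamname` to read one; `type` on its own will not open a stream.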


HTB Jeeves (Box 4): Vulnerabilities Exploited


🔹 1. Jenkins Groovy Console RCE

Vulnerability:

Remote Code Execution (RCE) via unauthenticated access to the Jenkins Script Console.

Why It's Vulnerable:

  • The Jenkins instance under /askjeeves on port 50000 had no authentication or authorization configured, so anyone who could reach the port had full administrative access to it.
  • The Script Console (/askjeeves/script) executes arbitrary Groovy on the Jenkins server, which by design means running arbitrary commands as the Jenkins service account, including launching a reverse shell.

Summary (already discussed):

  • Discovered /askjeeves via DirBuster on port 50000.
  • Injected Groovy reverse shell payload.
  • Gained a low-privileged reverse shell.

🔹 2. SeImpersonatePrivilege + Juicy Potato

Vulnerability:

Local Privilege Escalation via SeImpersonatePrivilege abuse using the Juicy Potato exploit.

Why It's Vulnerable:

  • The compromised user had SeImpersonatePrivilege (verified via whoami /priv).
  • This privilege lets a process impersonate the token of any client that authenticates to it. The Potato family abuses that by coercing a SYSTEM-owned DCOM/RPC service into authenticating to a listener the attacker controls on localhost, capturing a SYSTEM token in the process.
  • Juicy Potato then uses that token (via CreateProcessWithTokenW or CreateProcessAsUser) to spawn a process as NT AUTHORITY\SYSTEM.

Summary (already discussed):

  • We ran JuicyPotato.exe from the low-privileged shell.
  • Parameters included:

    JuicyPotato.exe -l 1337 -p cmd.exe -t *
    
    -l is the local port the rogue COM listener binds to, -p is the program to launch as SYSTEM, and -t * tries both CreateProcessWithTokenW (needs SeImpersonatePrivilege) and CreateProcessAsUser (needs SeAssignPrimaryTokenPrivilege). In practice -p is pointed at a payload that connects back to us, or -a is used to pass such a command line, because a bare cmd.exe spawned by SYSTEM is not attached to our shell.
  • Resulted in SYSTEM shell access.
  • Caveat: Juicy Potato relies on DCOM behaviour that Microsoft changed in Windows 10 1809 and Windows Server 2019; on those and later builds the same privilege is abused with PrintSpoofer or RoguePotato instead.