1
00:00:00,390 --> 00:00:00,840
All right.

2
00:00:00,870 --> 00:00:03,300
So on to the potato attacks.

3
00:00:03,540 --> 00:00:11,610
Now FoxGlove Security is the blog of choice here, as they released the full details on what the Potato

4
00:00:11,610 --> 00:00:13,070
attacks are.

5
00:00:13,110 --> 00:00:15,870
Now, if you're into the nerdy stuff, I'm going to link this.

6
00:00:15,870 --> 00:00:21,030
You can come down here and read all the fine details on how they created this exploit and how it fully

7
00:00:21,030 --> 00:00:22,100
works.

8
00:00:22,200 --> 00:00:27,510
But what we really need to know at a high level are these top three things, and really number three is

9
00:00:27,510 --> 00:00:28,940
what we're looking for.

10
00:00:28,950 --> 00:00:34,170
So it says, hey, to describe this at a high level, we're gonna trick the NT AUTHORITY\SYSTEM account into

11
00:00:34,170 --> 00:00:38,210
authenticating via NTLM to a TCP endpoint we control.

12
00:00:38,250 --> 00:00:38,550
All right.

13
00:00:38,550 --> 00:00:41,890
So we control a TCP endpoint. Man-in-the-middle

14
00:00:41,910 --> 00:00:47,850
this authentication attempt to locally negotiate a security token for the NT AUTHORITY\SYSTEM account.

15
00:00:47,850 --> 00:00:54,780
This is done through a series of Windows API calls. Last one, impersonate the token that we've created.

16
00:00:54,780 --> 00:01:01,200
This can only be done if the attacker's current account has the privilege to impersonate security tokens.

17
00:01:01,200 --> 00:01:06,070
This is usually true of most service accounts and not true of most user level accounts.

18
00:01:06,090 --> 00:01:14,090
So if you take control of a service account, you might just have this impersonate token. So let's take

19
00:01:14,090 --> 00:01:15,830
another look at this.

20
00:01:15,830 --> 00:01:17,450
This is Juicy Potato.

21
00:01:17,450 --> 00:01:20,330
It just says it's a sugared version of Rotten Potato.

22
00:01:20,330 --> 00:01:24,500
It's just another version of this, another exploit.

23
00:01:24,500 --> 00:01:28,490
So again, you're gonna come in here and you're gonna see, hey, Juicy Potato.

24
00:01:28,490 --> 00:01:34,280
Well, it's leveraging the SeImpersonate or the SeAssignPrimaryToken.

25
00:01:34,280 --> 00:01:36,980
These are the big things we need to be on the lookout for.

26
00:01:37,670 --> 00:01:43,490
So you're gonna see this come up quite a bit, especially on Hack The Box or those other CTF-type machines

27
00:01:43,490 --> 00:01:47,750
where you're on it and you're just like, hey, I'm gonna see if this is vulnerable, I'm gonna check my privs,

28
00:01:48,200 --> 00:01:50,420
and this could be just a quick game over.

29
00:01:50,420 --> 00:01:55,970
So you want to check these, see if there's a vulnerability there, and just get used to doing the

30
00:01:55,970 --> 00:01:58,000
getprivs process or the

31
00:01:58,010 --> 00:01:58,580
whoami

32
00:01:58,570 --> 00:02:00,570
/priv process.

33
00:02:00,620 --> 00:02:05,090
So from here now we're going to jump into Hack The Box.

34
00:02:05,090 --> 00:02:08,230
So what I want you to do is I'm going to come over here.

35
00:02:08,930 --> 00:02:13,340
I want you to go ahead and scan Jeeves and try to attack it.

36
00:02:13,370 --> 00:02:20,300
Now I fully believe that you should be able to get the low-level user by yourself. Jeeves is a great

37
00:02:20,300 --> 00:02:25,370
example of things that I actually see a lot in internal assessments.

38
00:02:25,460 --> 00:02:31,760
So I'll talk about that in the next video, but it's a very common attack that I see in internal assessments

39
00:02:31,760 --> 00:02:32,910
still to this day.

40
00:02:33,050 --> 00:02:35,650
And we'll talk about why it's bad, why it's dangerous.

41
00:02:35,660 --> 00:02:38,550
And then we'll see how to escalate this box as well.

42
00:02:38,930 --> 00:02:44,120
So I will catch you over in the next video when we do the low-level user walkthrough for Jeeves.
