RustPotato: privilege escalation tool
RustPotato is a Rust-based implementation of GodPotato, a privilege escalation tool that abuses DCOM and RPC to leverage SeImpersonatePrivilege and gain NT AUTHORITY\SYSTEM privileges on Windows systems.
Key Features
-
TCP-based Reverse Shell:
RustPotato features a TCP-based reverse shell based on Rustic64Shell. It leverages Winsock APIs for network communication and indirect NT APIs for pipe-based I/O redirection, enabling command execution throughcmdorpowershell. -
Indirect NTAPI:
RustPotato leverages indirect NTAPI calls for various operations, including token handling and manipulation.
Overview
Below is an overview of its execution flow, highlighting key operations at each step:
1. Initialize and Hook RPC Context
-
Locate
RPC_SERVER_INTERFACEStructure:
The tool scans the memory ofcombase.dllto find theRPC_SERVER_INTERFACEstructure, a critical component for managing RPC communications through the OXID Resolver. -
Hook RPC Dispatch Table:
RustPotato replaces the first entry in theRPC_DISPATCH_TABLEwith a custom function pointer, enabling interception and manipulation of specific RPC calls.
2. Start Named Pipe Server and Trigger RPCSS
The named pipe server plays a central role in impersonation and privilege escalation:
-
Create Named Pipe:
A named pipe (e.g.,\\.\pipe\RustPotato) is created with unrestricted access, serving as the endpoint for client connections. -
Unmarshal COM Object:
RustPotato crafts and unmarshals a COM object, compelling RPCSS to establish a connection with the named pipe. -
Trigger RPCSS:
The unmarshalled object invokes RPC calls that traverse the hooked dispatch table, allowing RustPotato to intercept and manipulate the interactions. -
Impersonate Client:
When RPCSS connects to the named pipe, RustPotato impersonates the client usingImpersonateNamedPipeClientto assume its security context. -
Retrieve SYSTEM Token:
During impersonation, RustPotato locates and duplicates a token associated with theNT AUTHORITY\SYSTEMaccount.
3. Execute Command or Establish Reverse Shell
-
Execute a Command:
RustPotato uses the duplicated token to execute a specified command, leveragingCreateProcessWithTokenW. -
Establish a Reverse Shell:
With reverse shell options (-hand-p), RustPotato connects to a listener and executes commands throughcmdorpowershell.
4. Restore State and Cleanup
-
Restore RPC Dispatch Table:
Removes the custom function pointer from theRPC_DISPATCH_TABLEand restores the original state incombase.dll. -
Terminate Pipe Server:
Stops the named pipe server, releasing all associated resources and handles.
