JuicyPotato/RottenPotato
Last updated
Last updated
If an user account you control has the SEImpersonate token (which most service accounts have), then you can get root.
Note: This exploit was effectively patched in Win10 1809 and Windows Server 2019. RoguePotato came out after that and I don't know if/when it was patched. SweetPotato aims to combine various *potato exploits into one script for easy exploitation.
If your user has SeImpersonate or SeAssignPrimaryToken privileges then you are effectively SYSTEM. Normal users don’t usually have these, but service-level users might. You can check this with whoami /all
under "Privileges".
You also need to be able to call a DCOM service, which:
implements the IMarshal interface
runs as an elevated user (SYSTEM, Administrator, ...)
Normally this is port 6666, but there are other such services, in case that one is blocked.
Every process has an access token, which specifies, what kinds of actions you can take. With the right privileges, Windows allows you to impersonate tokens for identification or for doing actions on another user’s behalf.
There are basically two kinds of impersonation tokens:
Delegate/impersonate - these allow you to perform actions
Identify/anonymous - for identification, don’t allow you to perform actions.
If you can get a delegate/impersonate impersonated access token with SYSTEM rights, then you can perform actions as SYSTEM.
How RottenPotato works at a high level:
Trick the “NT AUTHORITY\SYSTEM” account into authenticating via NTLM to a TCP endpoint we control.
Man-in-the-middle this authentication attempt (NTLM relay) to locally negotiate a security token for the “NT AUTHORITY\SYSTEM” account. This is done through a series of Windows API calls.
Impersonate the token we have just negotiated. This can only be done if the attackers current account has the privilege to impersonate security tokens. This is usually true of most service accounts and not true of most user-level accounts.
First of all, download the juicypotato executable. If the official release isn't working, try an x86 version.
You're going to need something for JuicyPotato to execute when it finishes successfully. For example, you could generate a reverse shell.
Listen for the reverse shell on your machine:
On the victim machine, execute juicypotato (in this case the x86 variant):
You're probably going to need to test multiple CLSIDs before you get a working one. Here is a list of CLSIDs to try.
For example, in the hackthebox "devel" machine, this was the successful exploit (my reverse.exe was in the inetpub/wwwroot directory):
Alternatively, you can use it with a static ncat.exe file: