JuicyPotato
You can download juicypotato from https://ci.appveyor.com/project/ohpe/juicy-potato/build/artifacts
Juicy Potato (abusing the golden privileges)
A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM
Summary
RottenPotatoNG and its variants leverages the privilege escalation chain based on BITS
service having the MiTM listener on 127.0.0.1:6666
and when you have SeImpersonate
or SeAssignPrimaryToken
privileges. During a Windows build review we found a setup where BITS
was intentionally disabled and port 6666
was taken.
We decided to weaponize RottenPotatoNG: Say hello to Juicy Potato.
For the theory, see Rotten Potato - Privilege Escalation from Service Accounts to SYSTEM and follow the chain of links and references.
We discovered that, other than BITS
there are a several COM servers we can abuse. They just need to:
be instantiable by the current user, normally a “service user” which has impersonation privileges
implement the
IMarshal
interfacerun as an elevated user (SYSTEM, Administrator, …)
After some testing we obtained and tested an extensive list of interesting CLSID’s on several Windows versions.
Juicy details
JuicyPotato allows you to:
Target CLSID pick any CLSID you want. Here you can find the list organized by OS.
COM Listening port define COM listening port you prefer (instead of the marshalled hardcoded 6666)
COM Listening IP address bind the server on any IP
Process creation mode depending on the impersonated user’s privileges you can choose from:
CreateProcessWithToken
(needsSeImpersonate
)CreateProcessAsUser
(needsSeAssignPrimaryToken
)both
Process to launch launch an executable or script if the exploitation succeeds
Process Argument customize the launched process arguments
RPC Server address for a stealthy approach you can authenticate to an external RPC server
RPC Server port useful if you want to authenticate to an external server and firewall is blocking port
135
…TEST mode mainly for testing purposes, i.e. testing CLSIDs. It creates the DCOM and prints the user of token. See here for testing
Usage
Final thoughts
If the user has SeImpersonate
or SeAssignPrimaryToken
privileges then you are SYSTEM.
It’s nearly impossible to prevent the abuse of all these COM Servers. You could think about modifying the permissions of these objects via DCOMCNFG
but good luck, this is gonna be challenging.
The actual solution is to protect sensitive accounts and applications which run under the * SERVICE
accounts. Stopping DCOM
would certainly inhibit this exploit but could have a serious impact on the underlying OS.
From: http://ohpe.it/juicy-potato/
Examples
Get a nc.exe reverse shell
Powershell rev
Launch a new CMD (if you have RDP access)
CLSID Problems
If you can't find any working CLSID you should visit this page:
There you can find some CLSID that you could use instead of the default one to privesc.
You could also try to find other working CLSID.
Checking CLSIDs
First, you will need some executables apart from juicypotato.exe.
Download Join-Object.ps1 and load it into your PS session, and download and execute GetCLSID.ps1. That script will create a list of possible CLSIDs to test.
Then download test_clsid.bat (change the path to the CLSID list and to the juicypotato executable) and execute it. It will start trying every CLSID, and when the port number changes, it will mean that the CLSID worked.
Check the working CLSIDs using the parameter -c
Last updated