Juicy Potato is a sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.
RottenPotatoNG and its variants leverages the privilege escalation chain based on BITS
service having the MiTM listener on 127.0.0.1:6666
and when you have SeImpersonate
or SeAssignPrimaryToken
privileges. During a Windows build review we found a setup where BITS
was intentionally disabled and port 6666
was taken.
We decided to weaponize RottenPotatoNG: Say hello to Juicy Potato.
For the theory, see Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM and follow the chain of links and references.
We discovered that, other than BITS
there are a several COM servers we can abuse. They just need to:
IMarshal
interfaceAfter some testing we obtained and tested an extensive list of interesting CLSID’s on several Windows versions.
JuicyPotato allows you to:
CreateProcessWithToken
(needs SeImpersonate
)CreateProcessAsUser
(needs SeAssignPrimaryToken
)both
135
…T:>JuicyPotato.exe
JuicyPotato v0.1
Mandatory args:
-t createprocess call: CreateProcessWithTokenW, CreateProcessAsUser, <*> try both
-p : program to launch
-l : COM server listen port
Optional args:
-m : COM server listen address (default 127.0.0.1)
-a : command line argument to pass to program (default NULL)
-k : RPC server ip address (default 127.0.0.1)
-n : RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token’s user
If the user has SeImpersonate
or SeAssignPrimaryToken
privileges then you are SYSTEM.
It’s nearly impossible to prevent the abuse of all these COM Servers. You could think to modify the permissions of these objects via DCOMCNFG
but good luck, this is gonna be challenging.
The actual solution is to protect sensitive accounts and applications which run under the * SERVICE
accounts. Stopping DCOM
would certainly inhibit this exploit but could have a serious impact on the underlying OS.
Also Read – Dr_Robot : Tool Used To Enumerate The Subdomains Associated With A Company
This repository contains tools created by yogSahare0 while learning Python 3 for ethical hacking and penetration testing.…
"NetSecChallenger" provides a suite of automated tools designed for security professionals and network administrators to…
The essential tool for cybersecurity enthusiasts! This guide provides a detailed walkthrough on how to…
Meet "Poodone," the ultimate Python script designed for cybersecurity enthusiasts and professionals alike. Packed with…
The Linux version is no longer supported! The last Linux version is 6.0 that you…
Jin is a hacking command-line tools designed to make your scan port, gathering urls, check…