1/4

ohpe

Juicy Potato (abusing the golden privileges)
github.com/ohpe/juicy-potato

A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege
Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM

Summary

RottenPotatoNG and its variants leverages the privilege escalation chain based on BITS
service having the MiTM listener on 127.0.0.1:6666  and when you have
SeImpersonate  or SeAssignPrimaryToken  privileges. During a Windows build review we

found a setup where BITS  was intentionally disabled and port 6666  was taken.

We decided to weaponize RottenPotatoNG: Say hello to Juicy Potato.

For the theory, see Rotten Potato - Privilege Escalation from Service Accounts to
SYSTEM and follow the chain of links and references.

We discovered that, other than BITS  there are a several COM servers we can abuse. They
just need to:

1. be instantiable by the current user, normally a "service user" which has impersonation
privileges

2. implement the IMarshal  interface
3. run as an elevated user (SYSTEM, Administrator, ...)

https://github.com/ohpe/juicy-potato
https://github.com/breenmachine/RottenPotatoNG
https://github.com/breenmachine/RottenPotatoNG
https://github.com/decoder-it/lonelypotato
https://msdn.microsoft.com/en-us/library/windows/desktop/bb968799(v=vs.85).aspx
https://github.com/breenmachine/RottenPotatoNG/blob/4eefb0dd89decb9763f2bf52c7a067440a9ec1f0/RottenPotatoEXE/MSFRottenPotato/MSFRottenPotato.cpp#L126
https://github.com/breenmachine/RottenPotatoNG
https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/


2/4

After some testing we obtained and tested an extensive list of interesting CLSID's on several
Windows versions.

Juicy details

JuicyPotato allows you to:

Target CLSID
 pick any CLSID you want. Here you can find the list organized by OS.

COM Listening port
 define COM listening port you prefer (instead of the marshalled hardcoded 6666)

COM Listening IP address
 bind the server on any IP

Process creation mode
 depending on the impersonated user's privileges you can choose from:

CreateProcessWithToken  (needs SeImpersonate )
CreateProcessAsUser  (needs SeAssignPrimaryToken )
both

Process to launch
 launch an executable or script if the exploitation succeeds

Process Argument
 customize the launched process arguments

RPC Server address
 for a stealthy approach you can authenticate to an external RPC server

RPC Server port
 useful if you want to authenticate to an external server and firewall is blocking port

135 ...

TEST mode
 mainly for testing purposes, i.e. testing CLSIDs. It creates the DCOM and prints the

user of token. See here for testing

Usage

https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md
https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md
https://github.com/ohpe/juicy-potato/blob/master/Test/README.md


3/4

Example

Final thoughts

If the user has SeImpersonate  or SeAssignPrimaryToken  privileges then you are
SYSTEM.

It's nearly impossible to prevent the abuse of all these COM Servers. You could think to
modify the permissions of these objects via DCOMCNFG  but good luck, this is gonna be
challenging.

T:\>JuicyPotato.exe 
JuicyPotato v0.1 

Mandatory args: 
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try 
both 
-p <program>: program to launch 
-l <port>: COM server listen port 

Optional args: 
-m <ip>: COM server listen address (default 127.0.0.1) 
-a <argument>: command line argument to pass to program (default NULL) 
-k <ip>: RPC server ip address (default 127.0.0.1) 
-n <port>: RPC server listen port (default 135) 
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097}) 
-z only test CLSID and print token's user 

https://github.com/ohpe/juicy-potato/blob/master/assets/poc.png


4/4

The actual solution is to protect sensitive accounts and applications which run under the *
SERVICE  accounts. Stopping DCOM  would certainly inhibit this exploit but could have a
serious impact on the underlying OS.

Binaries buildbuild passingpassing

An automatic build is available. Binaries can be downloaded from the Artifacts section here.

Also available in BlackArch.

Authors

Andrea Pierini
Giuseppe Trotta

References

https://ci.appveyor.com/project/ohpe/juicy-potato
https://ci.appveyor.com/project/ohpe/juicy-potato/build/artifacts
https://blackarch.org/
https://twitter.com/decoder_it
https://twitter.com/Giutro