# Juicy Potato (abusing the golden privileges) **github.com/ohpe/juicy-potato** ohpe _[A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege](https://github.com/breenmachine/RottenPotatoNG)_ **_Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM_** ## Summary [RottenPotatoNG and its](https://github.com/breenmachine/RottenPotatoNG) [variants leverages the privilege escalation chain based on BITS](https://github.com/decoder-it/lonelypotato) [service having the MiTM listener on](https://github.com/breenmachine/RottenPotatoNG/blob/4eefb0dd89decb9763f2bf52c7a067440a9ec1f0/RottenPotatoEXE/MSFRottenPotato/MSFRottenPotato.cpp#L126) `127.0.0.1:6666 and when you have` ``` SeImpersonate or SeAssignPrimaryToken privileges. During a Windows build review we ``` found a setup where `BITS was intentionally disabled and port` `6666 was taken.` [We decided to weaponize RottenPotatoNG: Say hello to Juicy Potato.](https://github.com/breenmachine/RottenPotatoNG) For the theory, see Rotten Potato - Privilege Escalation from Service Accounts to SYSTEM and follow the chain of links and references. We discovered that, other than `BITS there are a several COM servers we can abuse. They` just need to: 1. be instantiable by the current user, normally a "service user" which has impersonation privileges 2. implement the `IMarshal interface` 3. run as an elevated user (SYSTEM, Administrator, ...) ----- [After some testing we obtained and tested an extensive list of interesting CLSID s on several](https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md) Windows versions. ## Juicy details JuicyPotato allows you to: **Target CLSID** _[pick any CLSID you want. Here you can find the list organized by OS.](https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md)_ **COM Listening port** _define COM listening port you prefer (instead of the marshalled hardcoded 6666)_ **COM Listening IP address** _bind the server on any IP_ **Process creation mode** _depending on the impersonated user's privileges you can choose from:_ ``` CreateProcessWithToken (needs SeImpersonate ) CreateProcessAsUser (needs SeAssignPrimaryToken ) both ``` **Process to launch** _launch an executable or script if the exploitation succeeds_ **Process Argument** _customize the launched process arguments_ **RPC Server address** _for a stealthy approach you can authenticate to an external RPC server_ **RPC Server port** _useful if you want to authenticate to an external server and firewall is blocking port_ ``` 135 ... ``` **TEST mode** _mainly for testing purposes, i.e. testing CLSIDs. It creates the DCOM and prints the_ _user of token. See_ _[here for testing](https://github.com/ohpe/juicy-potato/blob/master/Test/README.md)_ ## Usage ----- ``` T:\>JuicyPotato.exe JuicyPotato v0.1 Mandatory args: -t createprocess call: CreateProcessWithTokenW, CreateProcessAsUser, <*> try both -p : program to launch -l : COM server listen port Optional args: -m : COM server listen address (default 127.0.0.1) -a : command line argument to pass to program (default NULL) -k : RPC server ip address (default 127.0.0.1) -n : RPC server listen port (default 135) -c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097}) -z only test CLSID and print token's user ## Example Final thoughts ``` If the user has `SeImpersonate or` `SeAssignPrimaryToken privileges then you are` **SYSTEM.** It's nearly impossible to prevent the abuse of all these COM Servers. You could think to modify the permissions of these objects via `DCOMCNFG but good luck, this is gonna be` challenging. ----- The actual solution is to protect sensitive accounts and applications which run under the ``` SERVICE accounts. Stopping DCOM would certainly inhibit this exploit but could have a ``` serious impact on the underlying OS. ## Binaries buildbuild passingpassing [An automatic build is available. Binaries can be downloaded from the Artifacts section here.](https://ci.appveyor.com/project/ohpe/juicy-potato/build/artifacts) [Also available in BlackArch.](https://blackarch.org/) ## Authors [Andrea Pierini](https://twitter.com/decoder_it) [Giuseppe Trotta](https://twitter.com/Giutro) ## References buildbuild passingpassing -----