🥔 JuicyPotato

Escalating privileges to SYSTEM level when the command whoami /priv confirms that SeImpersonatePrivilege is listed for our user.
RottenPotatoNG and its variants leverage the privilege escalation chain based on the BITS service having the MiTM listener on 127.0.0.1:6666, and on having SeImpersonate or SeAssignPrimaryToken privileges. During a Windows build review we found a setup where BITS was intentionally disabled and port 6666 was taken.
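Since the whole technique hinges on the caller holding SeImpersonatePrivilege, the defender's counterpart to the whoami /priv check above is to audit which principals on a host hold that right and review any that are not the Windows defaults. The script below is an added example, not part of the JuicyPotato project; it assumes an elevated PowerShell session (secedit needs admin rights) and that the local policy exports in the usual INF format.

```powershell
# Added example (not JuicyPotato project code): list every principal granted
# SeImpersonatePrivilege in the local security policy and flag non-default holders.
# Assumes an elevated PowerShell session; secedit.exe requires administrative rights.

# Well-known default holders of SeImpersonatePrivilege on Windows.
$defaultHolders = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-19',      # NT AUTHORITY\LOCAL SERVICE
    'S-1-5-20',      # NT AUTHORITY\NETWORK SERVICE
    'S-1-5-6'        # NT AUTHORITY\SERVICE
)

function Get-ImpersonatePrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
    # Export only the user-rights assignment area of the local policy.
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
        if (-not $line) { return @() }
        # INF format: SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($e in $entries) {
            $raw = $e.Trim()
            $sid = $raw.TrimStart('*')
            # Entries prefixed with '*' are SIDs; resolve them to account names where possible.
            $name = if ($raw.StartsWith('*')) {
                try {
                    (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                        Translate([System.Security.Principal.NTAccount]).Value
                } catch { $sid }
            } else { $raw }
            [pscustomobject]@{
                Account   = $name
                Sid       = $sid
                IsDefault = ($defaultHolders -contains $sid)
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Non-default holders (hand-added service accounts, custom app-pool identities, etc.)
# are the ones to review: each is an account from which this chain could start.
Get-ImpersonatePrivilegeHolders | Sort-Object IsDefault | Format-Table -AutoSize
```

Accounts reported with IsDefault = False should be checked against the host's build standard and removed from the right via Local Security Policy if they do not need it.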
Download from: https://github.com/ohpe/juicy-potato
1. Upload the JuicyPotato.exe binary and nc.exe to the target server.
2. Set a listener on your attacking machine:
3. Run JuicyPotato:
Troubleshooting CLSID

- In Windows, a CLSID (Class ID) is a unique identifier (GUID format) for a COM object.
- JuicyPotato (and similar exploits) work by abusing specific COM services that:
  - Run as SYSTEM
  - Allow you (the user) to trigger them
  - Are vulnerable to impersonation (they delegate their privileges poorly)
- If the COM service doesn't behave correctly (wrong CLSID), you get errors like `recv failed with error: 10038`.

→ So the choice of CLSID is critical: some CLSIDs will work and others will not, depending on your OS and what services are running.
Which CLSIDs should you use on Windows Server 2016?

Here are some CLSIDs often successful on Windows Server 2016:

CLSID | Description | Notes |
---|---|---|
{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | IObjectActivator | Very commonly works |
{4991d34b-80a1-4291-83b6-3328366b9097} | BITS | Might still work sometimes |
{d63e0ce2-a0a2-11d0-9c02-00c04fc99c8e} | PSFactoryBuffer | Good choice |
{e60687f7-01a1-40aa-86ac-db1cbf673334} | ShellBrowserWindow | Sometimes works |
{d20caec4-5ca8-4905-ae3b-bf251ea09b53} | ShellWindows | Works but unstable sometimes |
where -c = scan all CLSIDs and find a working one automatically.