What is the JuicyPotato vulnerability?


Experienced pentesters who have spent time on Windows privilege escalation have surely heard of JuicyPotato at least once. Those who are not familiar with Windows privilege escalation at all need not fret, because I will explain the vulnerability here.


JuicyPotato is a weaponized version of RottenPotato. Its purpose is to abuse the way Windows hands out impersonation tokens: a process that holds SeImpersonatePrivilege tricks a privileged COM server into authenticating to a listener it controls, captures the resulting SYSTEM token and impersonates it.


The machine is located here.

Demo for JuicyPotatoNG


By default, this machine is patched against the original JuicyPotato (Microsoft blocked the technique from Windows 10 build 1809 and Windows Server 2019 onwards), but there is a newer version called JuicyPotatoNG that still works.


It is very similar to the old JuicyPotato in that it abuses SeImpersonatePrivilege. We first need to confirm that our account holds this privilege, which we can check by running the command “whoami /priv”.


The exploit works when SeImpersonatePrivilege is present in the token. Whether “whoami /priv” shows it as Enabled or Disabled does not matter, because a process can enable a privilege its token already holds, and the tool does exactly that; if the privilege is missing from the token entirely, the technique fails.


First, we need to download the binary to our attacker's machine, and then transfer it to the victim's machine.


The screenshot above shows the binary being transferred to the victim's machine.


We should also transfer a batch file, <filename>.bat, containing the nc command that connects back to our listener (a reverse shell); JuicyPotatoNG will execute this file as SYSTEM.


JuicyPotatoNG runs as it should, just like the original JuicyPotato.


Let's start our nc listener in the attacker's terminal.


Next, we need a port that is not filtered by the firewall, which the reverse shell will use to reach our listener. JuicyPotatoNG itself also needs a free local port on the victim for its COM listener (10247 by default).


We first try running it from the SSH terminal, but we are presented with an error, as shown in the screenshot above.


When we run JuicyPotatoNG from the reverse shell terminal instead, the exploit succeeds, which is good news for us.


Finally, we receive the reverse shell connection back on our listener. Note that the connection takes some time to arrive, as shown in the screenshot above.


As proof of concept, I run the “whoami” command so that everyone can see the output as evidence.