Hack The Box: (Unintended) way to get Root Privileges Access using the latest version JuicyPotato

Written by darknite -
on October 17, 2022
Testing

What is JuicyPotato Vulnerability?

Those who have experienced Pentester and had a good time testing with Windows Escalation Method, they are surely heard about JuicyPotato at least once. Therefore, for people out, there should not fret who are not familiar with Windows Escalation at all and I will explain the Vulnerability here.

JuicyPotato is the exploit related to a weaponized version of the RottenPotato where its purpose would be exploiting tokens that have been handled by Microsoft

The machine is located over here

Demo for the JuicyPotatoNg

By default, this machine has patched for the JuicyPotato Vulnerability but there’s the latest version of JuicyPotato called JuicyPotatoNG

Graphical user interface, text Description automatically generated

It’s very similar to the old version of JuicyPotato where It will abuse the SeImpersonatePrivilege. We need to confirm the privileges access have been enabled and can execute the command “whoami /priv

The vulnerability was exploited if SeImpersonatePrivilege when it was been disabled on the machine itself.

Firstly, we need to download the binary file on our attacker’s machine and we will need to transfer the file to our victim’s machine

The screenshot above shows how to transfer into the victim’s machine

Text Description automatically generated

We should also transfer the file that contains malicious nc listner inside the <filename>.bat

The JuicyPotato was working as it should be as always.

Graphical user interface, text, website Description automatically generated

Let’s start our nc listener on the attacker’s terminal

Text Description automatically generated

As a result, we have to be looking for a port that is non-filtered which we will be using for further escalation methods.

Text Description automatically generated

Therefore, we will be testing on the SSH terminal and we are presented with an error as shown in the screenshot above.

Text Description automatically generated

When we try to run the JuicyPotatong on the reverse shell terminal where the exploit has been successful as it’s a piece of good news for us.

Text Description automatically generated

Finally, we managed to retrieve the reverse shell connection back to us. However, the connection will take some time for it to work just as shown in the screenshot above.

Text Description automatically generated

For the proof of concept, i will be showing the “whoami” command so that everyone can see the output as evidence.

Categories:

Insane Machine

Tags:

ChallengesHackTheBoxVulnerabilitiesWindows

No responses yet

Leave a Reply

Your email address will not be published. Required fields are marked *