What is JuicyPotato Vulnerability?
Anyone who has spent time as a pentester testing Windows privilege escalation methods has surely heard of JuicyPotato at least once. For those who are not familiar with Windows privilege escalation at all, there is no need to fret: I will explain the vulnerability here.
JuicyPotato is a weaponized version of RottenPotato; its purpose is to abuse the way Microsoft Windows handles impersonation tokens.
The machine is located over here
Demo for the JuicyPotatoNg
By default, this machine has been patched against the original JuicyPotato vulnerability, but there is a newer version of JuicyPotato called JuicyPotatoNG.
It is very similar to the old version of JuicyPotato in that it abuses SeImpersonatePrivilege. We need to confirm that this privilege is enabled, which we can do by running the command “whoami /priv”.
The vulnerability cannot be exploited if SeImpersonatePrivilege has been disabled on the machine itself.
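The “whoami /priv” check above is the same one a defender would run when auditing which service accounts hold token impersonation privileges. The following is an added example, not code from the original post: it parses the PRIVILEGES INFORMATION table that “whoami /priv” prints and reports whether SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege is enabled. Both sample outputs are constructed to mimic the real table layout; the function and constant names are my own.

```python
import re

# Constructed sample of "whoami /priv" output (not taken from the post);
# it mimics the real layout of the command's PRIVILEGES INFORMATION table.
SAMPLE_EXPOSED = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Constructed sample for an account where the privilege has been disabled.
SAMPLE_HARDENED = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Disabled
"""

# Privileges that the Potato family of tools relies on. An account that
# holds either one in the Enabled state is a finding worth reviewing.
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# One table row: privilege name, free-text description, then the State column.
_ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege_name: state} parsed from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def impersonation_exposure(text):
    """Return the sorted list of impersonation privileges that are Enabled."""
    privs = parse_privileges(text)
    return sorted(p for p in IMPERSONATION_PRIVS if privs.get(p) == "Enabled")


def assess(text):
    """Summarise the audit result as a single line for a report."""
    enabled = impersonation_exposure(text)
    if enabled:
        return "REVIEW: token impersonation privileges enabled: " + ", ".join(enabled)
    return "OK: no token impersonation privileges enabled"


if __name__ == "__main__":
    print(assess(SAMPLE_EXPOSED))
    print(assess(SAMPLE_HARDENED))
```

In practice you would feed the script the saved output of “whoami /priv” captured under each service account you are reviewing; the regex keys on the first and last columns, so the variable-width description column does not matter.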
First, we need to download the binary file on our attacker’s machine and then transfer it to the victim’s machine.
The screenshot above shows how the file is transferred to the victim’s machine.
We should also transfer the file that contains the nc listener command inside <filename>.bat.
JuicyPotato was working as it should, as always.
Let’s start our nc listener on the attacker’s terminal
As a result, we have to look for a port that is not filtered, which we will use for the further escalation steps.
Therefore, we test from the SSH terminal first and are presented with the error shown in the screenshot above.
When we run JuicyPotatoNG from the reverse shell terminal instead, the exploit succeeds, which is good news for us.
Finally, we manage to retrieve the reverse shell connection back to us. However, the connection takes some time to come through, as shown in the screenshot above.
For the proof of concept, I will run the “whoami” command so that everyone can see the output as evidence.