Candy Potato (Caramelized Juicy Potato)
Version 0.2 of JuicyPotato. In comparison with version 0.1 (JuicyPotato), this version offers some improvements, such as automating the exploitation.
Overview
This tool has been made on top of the original JuicyPotato, with the main focus on improving/adding some functionalities which was lacking. It is known to work against both Windows Workstation and Server versions up to 8.1 and Server 2016, respectively.
Summary
JuicyPotato leverages the privilege escalation chain based on certain COM Servers, using a MiTM listener hosted on 127.0.0.1
, and it works when you have SeImpersonate
or SeAssignPrimaryToken
privileges.
By default, JuicyPotato uses the BITS
service CLSID, and provides other tools (a set of PowerShell and Batch scripts), to enumerate and test other CLSIDs.
Although in combination these tools actually do a fantastic job, I've soon realized during my tests that they present some drawbacks:
- Multiple executable files to be uploaded on the target machines
- Multiple data files to be created during the CLSID gathering
- General lack of speed due to this multistep process
The "weakest" point is that different Windows Versions, as well as different configurations often requires to enumerate available CLSID over the target machine and that "try" them, one by one.
I decided then to automate this process in a new version of JuicyPotato, that is Candy Potato.
For additional information, I suggest seeing the original JuicyPotato repository, and follow the references.
Candy details
For backward compatibility, CandyPotato allows you to do whatever you could with JuicyPotato, adding some new gigs:
New Commands
-
INFO mode
Enumerate suitable CLSIDs and print them back to the user, improving what GetCLSID.ps1 used to do in JuicyPotato v0.1 -
AUTO mode
Automatically enumerate suitable CLSIDs and try to exploit them -
Service StartType
Filter CLSIDs basing on the Service Start Type (Manual, Auto, Disabled, etc) permitting to minimize failures
Old Commands
-
Target CLSID
Pick any CLSID you want. In the old JuicyPotato Repository you can find the list organized by OS. (Deprecated: Use -Q to discover available CLSIDs) -
COM Listening port
define COM listening port you prefer (default 10000) -
COM Listening IP address
bind the server on any IP -
Process creation mode
depending on the impersonated user's privileges you can choose from:CreateProcessWithToken
(needsSeImpersonate
)CreateProcessAsUser
(needsSeAssignPrimaryToken
)both
-
Process to launch
launch an executable or script if the exploitation succeeds -
Process Argument
customize the launched process arguments -
RPC Server address
for a stealthy approach you can authenticate to an external RPC server -
RPC Server port
useful if you want to authenticate to an external server and firewall is blocking port135
... -
TEST mode
mainly for testing purposes, i.e. testing CLSIDs. It creates the DCOM and prints the user of token.
Usage
T:\>CandyPotato.exe
CandyPotato v0.2
Mandatory args:
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch
Optional args:
-l <port>: COM server listen port (default 10000)
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's user
-x automatically identifies suitable CLSIDs and attempt exploitation
-s <start-type> [1-4](default 3:[MANUAL])
-Q print available CLSIDs and exit
Example
Considerations
This exploit has been silently mitigated by Microsoft in a completed unrelated update affecting Oxid Resolvers. The full story, and a new exploit ("RoguePotato") capable to bypass the unintended mitigation, can be found at the following addresses:
Credits (JuicyPotato v0.1)
Awesome work done by @decoder-it (decoder_it) and @ohpe (Giutro) on the original Juicy-Potato:
Also I would like to take a moment to say a "Thanks" to @AntonioCoco for the work on RoguePotato:
These guys are amazing.