{"id":13536002,"url":"https://github.com/ohpe/juicy-potato","last_synced_at":"2025-05-15T11:02:17.636Z","repository":{"id":41420184,"uuid":"142582717","full_name":"ohpe/juicy-potato","owner":"ohpe","description":"A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\\SYSTEM. ","archived":false,"fork":false,"pushed_at":"2021-12-18T16:00:18.000Z","size":13573,"stargazers_count":2538,"open_issues_count":12,"forks_count":469,"subscribers_count":46,"default_branch":"master","last_synced_at":"2025-04-14T16:58:10.252Z","etag":null,"topics":["clsid","dcom","juicy-potato","privilege-escalation","rottenpotatong","windows"],"latest_commit_sha":null,"homepage":"https://ohpe.github.io/juicy-potato/","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ohpe.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-07-27T13:48:09.000Z","updated_at":"2025-04-12T06:40:04.000Z","dependencies_parsed_at":"2022-08-14T07:30:22.320Z","dependency_job_id":null,"html_url":"https://github.com/ohpe/juicy-potato","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ohpe%2Fjuicy-potato","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ohpe%2Fjuicy-potato/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ohpe%2Fjuicy-potato/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ohpe%2Fjuicy-potato/manifests","owner_url":"https://repos.ecosyste.
ms/api/v1/hosts/GitHub/owners/ohpe","download_url":"https://codeload.github.com/ohpe/juicy-potato/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254328385,"owners_count":22052632,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["clsid","dcom","juicy-potato","privilege-escalation","rottenpotatong","windows"],"created_at":"2024-08-01T09:00:33.484Z","updated_at":"2025-05-15T11:02:17.541Z","avatar_url":"https://github.com/ohpe.png","language":"C++","funding_links":[],"categories":["Privilege Escalation","\u003ca id=\"1233584261c0cd5224b6e90a98cc9a94\"\u003e\u003c/a\u003e渗透\u0026\u0026offensive\u0026\u0026渗透框架\u0026\u0026后渗透框架","\u003ca id=\"3ed50213c2818f1455eff4e30372c542\"\u003e\u003c/a\u003e工具","C++","C++ (225)","[↑](#table-of-contents) [Privilege Escalation](https://attack.mitre.org/tactics/TA0004/)","Windows"],"sub_categories":["Windows","\u003ca id=\"a9494547a9359c60f09aea89f96a2c83\"\u003e\u003c/a\u003e后渗透","\u003ca id=\"4c2095e7e192ac56f6ae17c8fc045c51\"\u003e\u003c/a\u003e提权\u0026\u0026PrivilegeEscalation","[T1134 - Access Token Manipulation](https://attack.mitre.org/techniques/T1134/)","Tools"],"readme":"# Juicy Potato (abusing the golden privileges)\n*A sugared version of [RottenPotatoNG][1], with a bit of juice, i.e. 
**another Local Privilege Escalation tool, from Windows Service Accounts to NT AUTHORITY\\SYSTEM***\n\n## Summary\n[RottenPotatoNG][1] and its [variants][6] leverage the privilege escalation chain based on the [`BITS`][3] [service](https://github.com/breenmachine/RottenPotatoNG/blob/4eefb0dd89decb9763f2bf52c7a067440a9ec1f0/RottenPotatoEXE/MSFRottenPotato/MSFRottenPotato.cpp#L126) having the MiTM listener on `127.0.0.1:6666`, and it works when you have the `SeImpersonate` or `SeAssignPrimaryToken` privilege. During a Windows build review we found a setup where `BITS` was intentionally disabled and port `6666` was taken.\n\nWe decided to weaponize [RottenPotatoNG][1]: **Say hello to Juicy Potato**.\n\n\u003e For the theory, see [Rotten Potato - Privilege Escalation from Service Accounts to SYSTEM][4] and follow the chain of links and references.\n\nWe discovered that, besides `BITS`, there are several COM servers we can abuse. They just need to:\n1. be instantiable by the current user, normally a \"service user\" which has impersonation privileges\n2. implement the `IMarshal` interface\n3. run as an elevated user (SYSTEM, Administrator, ...)\n\nAfter some testing we obtained and tested an extensive list of [interesting CLSIDs](CLSID/README.md) on several Windows versions.\n\n## Juicy details\nJuicyPotato allows you to:\n\n+ **Target CLSID**\u003cbr\u003e\n_pick any CLSID you want. 
[Here](CLSID/README.md) you can find the list organized by OS._\n\n+ **COM Listening port**\u003cbr\u003e\n_define the COM listening port you prefer (instead of the marshalled, hardcoded 6666)_\n\n+ **COM Listening IP address**\u003cbr\u003e\n_bind the server to any IP_\n\n+ **Process creation mode**\u003cbr\u003e\n_depending on the impersonated user's privileges you can choose from:_\n   - `CreateProcessWithToken` (needs `SeImpersonate`)\n   - `CreateProcessAsUser` (needs `SeAssignPrimaryToken`)\n   - `both`\n\n\n+ **Process to launch**\u003cbr\u003e\n_launch an executable or script if the exploitation succeeds_\n\n+ **Process Argument**\u003cbr\u003e\n_customize the launched process arguments_\n\n+ **RPC Server address**\u003cbr\u003e\n_for a stealthy approach you can authenticate to an external RPC server_\n\n+ **RPC Server port**\u003cbr\u003e\n_useful if you want to authenticate to an external server and a firewall is blocking port `135`..._\n\n+ **TEST mode**\u003cbr\u003e\n_mainly for testing purposes, i.e. testing CLSIDs. It creates the DCOM object and prints the token's user. 
See [here for testing](Test/README.md)_\n\n\n## Usage\n\n```\nT:\\\u003eJuicyPotato.exe\nJuicyPotato v0.1\n\nMandatory args:\n-t createprocess call: \u003ct\u003e CreateProcessWithTokenW, \u003cu\u003e CreateProcessAsUser, \u003c*\u003e try both\n-p \u003cprogram\u003e: program to launch\n-l \u003cport\u003e: COM server listen port\n\n\nOptional args:\n-m \u003cip\u003e: COM server listen address (default 127.0.0.1)\n-a \u003cargument\u003e: command line argument to pass to program (default NULL)\n-k \u003cip\u003e: RPC server ip address (default 127.0.0.1)\n-n \u003cport\u003e: RPC server listen port (default 135)\n-c \u003c{clsid}\u003e: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})\n-z only test CLSID and print token's user\n```\n\n## Example\n![](assets/poc.png)\n\n## Final thoughts\nIf the user has the `SeImpersonate` or `SeAssignPrimaryToken` privilege, then you are **SYSTEM**.\n\nIt's nearly impossible to prevent the abuse of all these COM servers. You could try to modify the permissions of these objects via `DCOMCNFG`, but good luck: this is going to be challenging.\n\nThe real solution is to protect sensitive accounts and applications that run under the `* SERVICE` accounts.\nStopping `DCOM` would certainly inhibit this exploit, but could have a serious impact on the underlying OS.\n\n## Binaries [![Build status](https://ci.appveyor.com/api/projects/status/hcht6wpfjsrq5389?svg=true)](https://ci.appveyor.com/project/ohpe/juicy-potato)\nAn automatic build is available. 
Binaries can be downloaded from the Artifacts section [here](https://ci.appveyor.com/project/ohpe/juicy-potato/build/artifacts).\n\nAlso available in [BlackArch](https://blackarch.org).\n\n## Authors\n- [Andrea Pierini](https://twitter.com/decoder_it)\n- [Giuseppe Trotta](https://twitter.com/Giutro)\n\n## References\n\n* [Rotten Potato - Privilege Escalation from Service Accounts to SYSTEM][4]\n* [Windows: DCOM DCE/RPC Local NTLM Reflection Elevation of Privilege][5]\n* [Potatoes and Tokens](https://decoder.cloud/2018/01/13/potato-and-tokens/)\n* [The lonely Potato](http://decoder.cloud/2017/12/23/the-lonely-potato/)\n* [Social Engineering the Windows Kernel by James Forshaw](https://www.slideshare.net/Shakacon/social-engineering-the-windows-kernel-by-james-forshaw)\n\n[1]: https://github.com/breenmachine/RottenPotatoNG\n[2]: https://decoder.cloud/2017/12/23/the-lonely-potato/\n[3]: https://msdn.microsoft.com/en-us/library/windows/desktop/bb968799(v=vs.85).aspx\n[4]: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/\n[5]: https://bugs.chromium.org/p/project-zero/issues/detail?id=325\u0026redir=1\n[6]: https://github.com/decoder-it/lonelypotato\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fohpe%2Fjuicy-potato","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fohpe%2Fjuicy-potato","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fohpe%2Fjuicy-potato/lists"}