SweetPotato – Service to SYSTEM
These tools work by leveraging SeImpersonatePrivilege together with a local man-in-the-middle (MITM): privilege escalation happens when a high-privilege process connects to a MITM server running on the same machine.
In the interest of expanding my knowledge on the subject I decided to rewrite JuicyPotato in C#. In addition to the original JuicyPotato functionality I also added an additional PrivEsc that @decoder and a few others had found with the BITS service. When instantiating a BITS COM object, if the service is not running, COM will start the service on behalf of the user requesting the COM object.
On startup, the BITS service attempts to connect to the local WinRM service on port 5985. If WinRM is not active, we can set up a server to listen on port 5985 and force the BITS service, running as SYSTEM, to perform local NTLM authentication, which we can then impersonate. Further details about the discovery can be found on decoder’s blog here.
The tool was designed to be used with Cobalt Strike’s execute-assembly command, so it carries no baggage in the form of dependencies. A release build is around 70KB in size and works for both 32-bit and 64-bit processes.
Since the original DCOM vulnerability that Rotten/JuicyPotato exploits is fixed in Windows 10 1809+ and Windows Server 2019, the tool automatically switches to the BITS/WinRM exploit described above. So to recap:
- Works on Windows 7 up to the latest version of Windows 10 and Server 2019
- Compatible with execute-assembly from Cobalt Strike and other C2 projects that support in-memory execution of .NET executables
- Works on 32-bit and 64-bit operating systems.
- Can be compiled for .NET 2 and 4 depending on the target OS.
- Automatically attempts the correct exploit to execute.
If you are interested in trying it out, head over to my GitHub project here.
The tool should work in all flavours of Windows, but it will only work when executed from a process with impersonate privileges. This is typically granted to services, including low-privilege accounts such as Network Service.
Additionally, for the exploit to work on the latest Windows 10 or Windows Server 2019, WinRM must not be enabled. This is the default for Windows 10, but not for Windows Server 2019.
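From the defender's side, the condition the BITS/WinRM technique depends on (nothing legitimate listening on TCP 5985) is easy to audit. The following PowerShell check is an added example, not code from the original post or the SweetPotato project; it assumes Windows 8/Server 2012 or later (for Get-NetTCPConnection) and reports who owns port 5985 alongside the WinRM and BITS service states.

```powershell
# Added example (not part of the post or the SweetPotato project):
# report whether this host is in the configuration the BITS -> WinRM
# technique requires, i.e. port 5985 is unbound or bound by something
# other than a running WinRM service.
# Assumes Get-NetTCPConnection is available (Windows 8 / Server 2012+).

function Get-WinRmPortExposure {
    [CmdletBinding()]
    param(
        # WinRM HTTP listener port that BITS contacts on startup
        [int]$Port = 5985
    )

    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $bits  = Get-Service -Name BITS  -ErrorAction SilentlyContinue

    # First process currently bound to the port, if any. With nothing bound,
    # a local process holding SeImpersonatePrivilege could bind it instead.
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen `
                    -ErrorAction SilentlyContinue | Select-Object -First 1
    $owner = $null
    if ($listener) {
        $owner = Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue
    }

    $winrmRunning = ($null -ne $winrm) -and ($winrm.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        WinRMStatus     = if ($winrm) { $winrm.Status } else { 'NotInstalled' }
        BITSStatus      = if ($bits)  { $bits.Status }  else { 'NotInstalled' }
        PortListening   = [bool]$listener
        ListenerProcess = if ($owner) { $owner.ProcessName } else { $null }
        ListenerPid     = if ($listener) { $listener.OwningProcess } else { $null }
        # Healthy state: WinRM running and holding the port (svchost.exe).
        # Unbound port, or a listener while WinRM is stopped, deserves a look.
        Exposed         = (-not $listener) -or (-not $winrmRunning)
    }
}

Get-WinRmPortExposure | Format-List
```

A result with Exposed set to True on a Server 2019 host indicates a deviation from the default WinRM-enabled configuration described above, and a listener owned by anything other than the WinRM svchost process is worth investigating.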