HTB Devel OSCP No Metasploit
Walkthrough
I'm writing this because I haven't seen a writeup that used the Potato privilege escalation method. This will be an OSCP No Metasploit allowed writeup.
Use this https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx aspx reverse shell. Change the IP and Port in the file.
Put the shell.aspx in the FTP directory. Remember to write the command "binary". Its best practice so your file makes it in one piece! Then setup your netcat listener and trigger the shell by visiting http://10.10.10.5/shell.aspx
I did a whoami /priv and notice the SEImpersonatePrivilege is Enabled. I run PowerUp and also get a note about it. Looks like will be using a Potato attack!
I transfer JuicyPotato86.exe, nc.exe, and go.bat to the Windows box using certutil. FTP will work too.
You can get the JuicyPotato x86 compiled exe file here: https://github.com/ivanitlearning/Juicy-Potato-x86/releases.
Download the nc.exe x86 here: https://eternallybored.org/misc/netcat/
Make the go.bat file yourself. Screenshot above. Use sudo python -m SimpleHTTPServer 80 to host the files.
Potato attacks can be very finnicky. Using full paths will never let you down -as long as it's right! I find using nc.exe in a .bat file works for me.
I use JuicyPotato86.exe -l 1337 -p C:\inetpub\wwwroot\go.bat -t * -c {69AD4AEE-51BE-439b-A92C-86AE490E8B30} and nc -lvnp 5555. I get a root shell back.
If your using this attack against a different machine and it's not working, pick a different CLID. You can find the CLID's here by OS type: https://github.com/ohpe/juicy-potato/tree/master/CLSID. I keep picking until one works.
This comment has been removed by the author.
ReplyDeleteThis comment has been removed by the author.
ReplyDelete