As promised, here’s the full explanation!
In order to try the JuicyPotato step again, I had to get to that step. So I have followed the walkthrough with some alterations:
- Metasploit step.
In the walkthrough it asks to change local directory with the `lcd` command. It also asks to navigate to `uploads`, which didn’t work for me, so I decided to do it using a relative path instead. It’s easy to overlook, but the exploit puts you in `C:\inetpub\wwwroot\wordpress\wp-content\plugins\mdkjhoOtDL` instead of `uploads`:
`cd ../../uploads`
- PrivEsc step, `shell.bat`
The walkthrough asks you to `echo` the location of the netcat executable, specified as follows: `C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe`
If you try and open the generated file using `vim` or any other editor you’ll see that all the backslashes got eaten! This is because a backslash is an escape character, and at the stage where it has been transferred into the file all backslashes have disappeared! There are two ways to solve it:
a. Copy-paste the command into the text editor instead of using `echo`
b. Or instead of using a single backslash use double! E.g. `C:\inetpub\` becomes `C:\\inetpub\\`. This way you will get the path displayed correctly.
- Referencing the `shell.bat` on the remote machine when executing JuicyPotato.
The walkthrough, again, specifies a full path here. That didn’t work for me. So I remembered that I have uploaded the `netcat` executable to the same folder as `shell.bat`, so I have tweaked the command to:
`js.exe -t * -p .\shell.bat -l 1337`
By the way, the port at the end there does not get used for anything during this walkthrough. The listener opens on the port that you specify in the `shell.bat`; in the walkthrough it’s `1111`.
This way I had 3 terminals open:
- metasploit
- wwwroot directory that I have opened from metasploit
- admin shell that has been opened from running `shell.bat`
Also, for the post exploitation step, you’re supposed to run a 64-bit version of mimikatz from the admin shell; it took me some time to figure out!
In summary:
- The admin shell should be obtained on port `1111` in the walkthrough (in my case it was port `6427`)
- The output of JuicyPotato failed because the path was not specified correctly, see above, so it couldn’t find the right files.
I hope this will help anyone who has been stuck for quite some time!
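The backslash problem from the `shell.bat` step, as an added POSIX shell example that is not part of the original post or the walkthrough: it writes the same Windows path from the post three ways into a constructed temp file (never the real `shell.bat`) and counts how many backslashes survive. The function names are mine.

```shell
#!/bin/sh
# Added example: why an unquoted echo of a Windows path loses its backslashes,
# and two ways to keep them. The path is the one the post discusses; the
# output goes to a constructed temp file, not a real shell.bat.

# Counts literal backslashes in a string (portable: tr + wc).
count_backslashes() {
    printf '%s' "$1" | tr -cd '\\' | wc -c | tr -d ' '
}

# 1. The mistake: unquoted backslashes are consumed by the shell before
#    echo ever sees them (\i becomes i, \w becomes w, ...).
write_unquoted() {
    echo C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe > "$1"
}

# 2. Single quotes stop the shell from touching the backslashes, and
#    printf '%s' does not interpret escapes (unlike some echo builtins).
write_quoted() {
    printf '%s\n' 'C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe' > "$1"
}

# 3. Fix (b) from the post: double every backslash, so the shell reduces
#    each \\ back to a single \ before the string is written.
write_doubled() {
    printf '%s\n' C:\\inetpub\\wwwroot\\wordpress\\wp-content\\uploads\\nc.exe > "$1"
}

# Runs one of the writers above and returns how many backslashes ended up
# in the file (the real path has 6).
surviving_backslashes() {
    writer="$1"
    tmp=$(mktemp)
    "$writer" "$tmp"
    n=$(count_backslashes "$(cat "$tmp")")
    rm -f "$tmp"
    echo "$n"
}

for w in write_unquoted write_quoted write_doubled; do
    echo "$w: $(surviving_backslashes "$w") backslashes survived"
done
```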