/Bat-Potato

Automating Juicy Potato Local Privilege Escalation CMD exploit for penetration testers.

Primary LanguagePythonGNU General Public License v3.0GPL-3.0

Bat-Potato

my4b1hlfajo71

USAGE

The binaries from this repository are the last releases of each one. Keep in mind you can change them anytime.

Open Bat-Potato.py and change de default values

  • JUICY_REMOTE_PATH -> Working directory
  • CLSID_file -> List of CLSID (under /wordlist folder)
  • LHOST -> Your IP
  • LPORT -> Your Attacker port
  • LWEBSERVER_PORT -> Web server port that will host manatory files .bat file will upload on server
  • JUICY_POTATO_BIN -> .exe of the juicypotato binary
python Bat-Potato.py

Server will be listening incomming requests. Keep that connection alive, open new tab and open another listening port for the reverse shell.

For example:

rlwrap nc -nvlp <port>

You must upload the following files on the server:

  • wget.exe
  • Bat-Potato.bat file generated by python script

On the server, execute

.\Bat-Potato.bat

This will upload shell.bat, nc.exe and Juicy binary from server and will attempt to Privesc making all the CLSID request automatically.

And wait until pwn!

Why use Bat-Potato

As there are other alternatives to perform Juicy Privesc (https://github.com/TsukiCTF/Lovely-Potato), Bat-Potato mainly function is to accomplish the privesc with just a cmd reverse shell. No powershell is required for this actions, so with a low integrity cmd shell you can run this .bat file.

NOTE: As you can see on the .bat generated, hundreds of requests are made and will keep working until finish the list of CLSID.

You prefer a demo, dont you?

Bat-Potato_demo.mp4

If video is not displayed, you can also click on this link: https://youtu.be/QL1NiryxGis

Credits

prhp for the fantastic logo: https://www.reddit.com/r/krita/comments/prhpl0/bat_potato/