Keywords: Windows, Microsoft, Attack
Last edited time: May 3, 2024 11:54 AM
Status: Draft
👉 Overview
👀 What?
JuicyPotato is a local privilege escalation technique for Windows. It abuses the SeImpersonate privilege that a service running as SYSTEM may hold. This privilege lets a process impersonate the security tokens of other users and so potentially elevate its own privileges.
🧐 Why?
Understanding JuicyPotato matters because it poses a significant threat to the security of Windows systems. It allows attackers to gain unauthorized access and escalate their privileges on the targeted system, which can lead to the compromise of sensitive data or even a total system takeover.
⛏️ How?
To use JuicyPotato, an attacker needs valid credentials and the ability to execute code on the system. The attack involves creating a fake server on the local system and making a request to a legitimate service that asks it to authenticate to the fake server. When the service attempts to authenticate, it presents an NTLM authentication token, which the attacker captures.
⏳ When?
The use of JuicyPotato in real-world attacks has been documented as early as 2016, and it remains an effective technique because the SeImpersonate privilege continues to be granted to Windows services.
⚙️ Technical Explanations
At a deeper level, JuicyPotato works by exploiting the DCOM activation service in Windows. When a COM object is activated, activation happens in the security context of the user who initiated the request. If that user holds the SeImpersonate privilege, they can impersonate another user's security token. However, Microsoft introduced a mitigation in Windows Server 2012 that restricts this behaviour to local system accounts only. JuicyPotato gets around this mitigation by creating a fake server that the COM object can authenticate to, thereby capturing the system's NTLM token.
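Because the whole technique hinges on who holds SeImpersonate (and the related SeAssignPrimaryToken), the practical mitigation check is to audit the holders of those privileges against a baseline. The following script is an added example, not code from the page or from the JuicyPotato project: it parses the `[Privilege Rights]` section of a `secedit /export /cfg <file>` export (the sample text below is constructed, including a made-up domain SID) and flags any SID beyond an assumed default baseline of Administrators, SERVICE, LOCAL SERVICE and NETWORK SERVICE.

```python
# Constructed sample of a `secedit /export /cfg` INI-style export (not output from a real host).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-21-1111-2222-3333-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Assumed baseline of well-known SIDs holding each privilege on a default install;
# adjust to your own hardening baseline (e.g. IIS_IUSRS when IIS is present).
DEFAULT_HOLDERS = {
    "SeImpersonatePrivilege": {"S-1-5-32-544", "S-1-5-6", "S-1-5-19", "S-1-5-20"},
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
}


def parse_privilege_rights(text):
    """Return {privilege_name: set_of_SIDs} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit prefixes each SID with '*'; strip it and ignore empty entries
        sids = {s.strip().lstrip("*") for s in value.split(",") if s.strip()}
        rights[name.strip()] = sids
    return rights


def find_extra_holders(rights, baseline=DEFAULT_HOLDERS):
    """Return {privilege: sorted extra SIDs} for holders not in the baseline."""
    findings = {}
    for priv, expected in baseline.items():
        extra = rights.get(priv, set()) - expected
        if extra:
            findings[priv] = sorted(extra)
    return findings


if __name__ == "__main__":
    for priv, sids in find_extra_holders(parse_privilege_rights(SAMPLE_EXPORT)).items():
        print(f"{priv}: non-default holders {', '.join(sids)}")
```

Any SID reported here is an account that could serve as a foothold for a JuicyPotato-style escalation and should be reviewed for least privilege.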