Intro
This module uses Net-NTLMv2 reflection between DCOM and RPC to obtain a SYSTEM handle for elevation of privilege. It needs a CLSID to function; a list of candidate CLSIDs can be found here: https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md
From https://github.com/ohpe/juicy-potato:
RottenPotatoNG and its variants leverage the privilege escalation chain based on the BITS service having the MiTM listener on 127.0.0.1:6666 and when you have SeImpersonate or SeAssignPrimaryToken privileges. During a Windows build review we found a setup where BITS was intentionally disabled and port 6666 was taken. We decided to weaponize RottenPotatoNG: Say hello to Juicy Potato.
For more info see:
Usage
The session you wish to escalate must already have the SeImpersonate privilege.
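The prerequisite above, together with the quoted project text, names the two things a defender wants to audit on a host: which accounts actually hold SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege, and whether the BITS service is running. The following PowerShell audit is an added example, not code from this module or from the Juicy Potato project. It assumes an elevated prompt, that `secedit` is available (it ships with Windows), and that the temporary export path is writable; the export path itself is a constructed value.

```powershell
# Added defender-side audit (not part of the module or the Juicy Potato project).
# Exports the local user-rights policy, resolves the holders of the two
# impersonation-related privileges, and reports the state of the BITS service.
# Assumption: run from an elevated prompt; secedit is present on the host.

$exportPath = Join-Path $env:TEMP 'secpol-audit.inf'   # constructed temporary path
secedit /export /cfg $exportPath /areas USER_RIGHTS | Out-Null

$privileges = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'
$lines = Get-Content -Path $exportPath

foreach ($priv in $privileges) {
    # Policy lines look like: SeImpersonatePrivilege = *S-1-5-6,*S-1-5-19,*S-1-5-32-544
    $line = $lines | Where-Object { $_ -match "^$priv\s*=" } | Select-Object -First 1
    if (-not $line) {
        Write-Output "$priv : (no holders listed)"
        continue
    }
    $sids  = ($line -split '=', 2)[1].Trim() -split ','
    $names = foreach ($entry in $sids) {
        $sid = $entry.Trim().TrimStart('*')
        try {
            # Translate the SID to an account name for readability
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $sid   # keep the raw SID if it does not resolve on this host
        }
    }
    Write-Output "$priv : $($names -join ', ')"
}

# The quoted project text notes the original chain depended on the BITS service,
# so report whether it is running and how it is configured to start.
$bits = Get-Service -Name BITS -ErrorAction SilentlyContinue
if ($bits) {
    Write-Output "BITS service status: $($bits.Status) (start type: $($bits.StartType))"
} else {
    Write-Output "BITS service: not present"
}

Remove-Item -Path $exportPath -ErrorAction SilentlyContinue
```

Reviewing the output against the service accounts that run exposed applications (web, database, scheduled tasks) shows which of them would satisfy the privilege prerequisite this page states; the usual mitigation is to run those services under accounts that do not need impersonation, or under virtual or managed service accounts where the privilege is granted deliberately and documented.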
Scenarios:
Example with BITS CLSID (NT AUTHORITY\SYSTEM):
Example with UPNP CLSID (NT AUTHORITY\LOCAL SERVICE):


