When (NTLM) relaying potatoes lead you to domain admin...
A "permanent" 0day Privilege Escalation Vulnerability in Windows RPC Protocol ;-) cc @splinter_code. Our writeup here:
We did it again with #LocalPotato! A not-so-common NTLM reflection attack allowing for arbitrary read/write. Basically EoP from user to SYSTEM. Tracked as #CVE-2023-21746 - Windows NTLM EoP. Soon more details --> cc @splinter_code
#RemotePotato0 xsession is finally out! @splinter_code and I released it: Coerce and relay NTLM auth from any user in any session w/o session 0! Enjoy responsibly ;)
We have just released a new version of our #JuicyPotatoNG tool to help red teamers/pentesters. Now you can bruteforce CLSIDs, find open ports and get an interactive console. Check it out here: cc @splinter_code
Cool finding from my colleague @cj_berlin, detailed here: PS remoting and SSH ignore "Deny Logon" restrictions. So if you enable SSHd on a Domain Controller, every domain user can log in... and, for example, perform a #RemotePotato0 attack 😲
This is how a specific Group Policy configuration, enabling a security feature bypass, can lead to Privilege Escalation. Full details and examples in my latest blog post ;)
POC for #SilverPotato utilizing Kerberos relay vs SMB ;) Starting from @cube0x0's great krbrelay tool, with an extra layer of complexity to get the SilverPotato beast working.. Still in the rough but will publish soon :-)
If you compromise a Windows Service running as "Network Service", keep in mind that you have write access to all the AD Computer Object properties. Enabling Resource-Based Constrained Delegation (RBCD) is just one example of an alternate privilege escalation path ;-)
So MS told me that they won't fix in this release the "vulnerability" in the checks of the "SeTokenCanImpersonate" routines, as suggested by me (), maybe in the next releases? Meantime, enjoy ;-)
Based on a recent finding, I tried to understand how to abuse the "SeRelabelPrivilege". Thanks to @tiraniddo's post, I was able to perform an LPE in its simplest form. -> No security boundary violation ;)
Active Directory Tip: check on a regular basis users/computers with a "userCertificate" attribute value count > 10; huge values could stop AD replication between DCs!
I'm releasing with @Giutro Juicy Potato, another Local Privilege Escalation tool from Windows Service Accounts to SYSTEM by abusing the golden privileges ()
The #LocalPotato exploit is still vulnerable to HTTP attacks and will not be fixed. Although this is an edge case, it is important to be aware of it and avoid situations that could leave you vulnerable. cc @splinter_code
Exploring a not-so-common method for local privilege escalation, starting from a regular user, with #RemotePotato0 and the help of (mis)configured ADCS cc @splinter_code (1/2)
sshserver on Windows is cool for accessing a remote shell, but somehow limited... no problem, from ssh launch a reverse/bind shell with runas, psexec or whatever calls CreateProcessWithLogon and you get a full shell ;-)
With the "Azure AD cloud sync service account" it's even easier for a bad actor who already has high local privs on this machine to take over the AD domain: no need to extract the password like with the MSOL_ account, just steal/impersonate the token ;)
Another intriguing aspect of #SilverPotato: slui.exe - sppui can be found running on an ADCS server, activated by an admin. A simple domain user could then remotely coerce and relay authentication of users logged into the ADCS server, normally high-privileged 😉
It seems that there are still other paths for exploiting #LocalPotato even after the CVE-2023-21746 patch, right @splinter_code? Waiting for the next fix... ;)
#DfsCoerce is still alive ;) I've created a custom version of the original DfsCoerce.exe, with the added feature to specify alternate credentials for authentication if running on non-domain-joined machines or if you need to execute it as a different user
What a surprise running the "clsid bruteforce" in #JuicyPotatoNG on Windows 11/2022. Another CLSID impersonating SYSTEM and which does not require INTERACTIVE cc @splinter_code
Just another basic example of what you could do with the RemotePotato0 "cross session attack" (and ntlmrelayx). It's not all about getting domain admin and sitting in session 0 ... cc @splinter_code @tiraniddo
Unveiling a surprising twist: the silver certificate () now has an upgrade path to silver++, offering not just persistence, but a touch of privilege escalation! Stay tuned ;)
Following my "old" blog post, I have published the very quick & dirty "juicy_2" code, maybe useful when you have impersonation privs on newer versions of Windows 10 & Server 2019 cc @splinter_code @Giutro
Combining @tiraniddo's latest Microsoft LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition PE with the DiagHub collector exploit -> from standard user to SYSTEM (tested on Win 10 1803)
The world is full of idiots or idiot tools :-(
"ModSecurity: (...) AND 1=1 UNION ALL SELECT 1,NULL,'<script>alert("XSS")</script>',table_name FROM information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell('cat ../../../etc/passwd')#. "
Setting "ms-DS-MachineAccountQuota = 0" will prevent all these funny RBCD<->relay privilege escalation tricks without too much effort. Why should non-admin users (even computer accounts) be able to add computers to an AD domain?
Carefully review the membership of the AD domain "Distributed COM Users" or "Performance Log Users" groups. Taking over the domain is sometimes one step away.. ;)
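The three hardening tips above (the "userCertificate" value-count check, "ms-DS-MachineAccountQuota = 0", and reviewing the "Distributed COM Users" / "Performance Log Users" membership) all boil down to a few Active Directory queries. The script below is an added example, not code from the original posts or from any of the Potato tools; it assumes the RSAT ActiveDirectory PowerShell module on a domain-joined host with read access to the directory, and the `-WhatIf` on `Set-ADDomain` is an assumption-safe dry run that you remove to actually apply the change. As a fourth check it also lists computers that already carry an RBCD descriptor (msDS-AllowedToActOnBehalfOfOtherIdentity), the end state of the relay tricks the quota setting is meant to cut off; some of those entries may be legitimate, so treat the list as a review queue, not an alert.

```powershell
# Added example (not from the original posts): AD hygiene checks for the tips above.
# Assumes the RSAT ActiveDirectory module and a domain-joined host with read rights.
Import-Module ActiveDirectory

# 1. Objects whose userCertificate attribute holds more than 10 values.
#    userCertificate is multi-valued; the AD module returns it as a collection,
#    so .Count is the number of certificates stored on the object.
$certBloat = Get-ADObject -LDAPFilter '(userCertificate=*)' -Properties userCertificate |
    Where-Object { $_.userCertificate.Count -gt 10 } |
    Select-Object Name, ObjectClass, DistinguishedName,
        @{ n = 'CertCount'; e = { $_.userCertificate.Count } }
"--- objects with > 10 userCertificate values ---"
$certBloat | Format-Table -AutoSize

# 2. ms-DS-MachineAccountQuota on the domain NC head (default is 10).
$domainDN = (Get-ADDomain).DistinguishedName
$maq = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $maq"
if ($maq -ne 0) {
    # Dry run only; drop -WhatIf to set it. Requires Domain Admin rights.
    Set-ADDomain -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
}

# 3. Recursive membership of the two built-in groups named in the tip.
foreach ($g in 'Distributed COM Users', 'Performance Log Users') {
    "--- members of '$g' ---"
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object objectClass, SamAccountName, distinguishedName |
        Format-Table -AutoSize
}

# 4. Computers with resource-based constrained delegation already configured.
#    The AD module exposes the attribute as an ActiveDirectorySecurity object,
#    so the trustees are the IdentityReference of each ACE.
"--- computers with msDS-AllowedToActOnBehalfOfOtherIdentity set ---"
Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties msDS-AllowedToActOnBehalfOfOtherIdentity |
    ForEach-Object {
        $sd = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        [pscustomobject]@{
            Computer               = $_.Name
            AllowedToActOnBehalfOf = ($sd.Access.IdentityReference -join ', ')
        }
    } | Format-Table -AutoSize
```

Run it from an account that can read the whole domain; check 2 needs Domain Admin rights only when you remove `-WhatIf`. Check 1 is worth scheduling, since the replication failure it warns about shows up long after the attribute started growing.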
Really excited to speak about "WINDOWS PRIVILEGE ESCALATIONS: STILL ABUSING LOCAL SERVICE ACCOUNTS TO GET SYSTEM PRIVILEGES" at @HITBSecConf 2020 in Amsterdam on 23rd April with my fellow mate @splinter_code!
We (@decoder_it and I) have decided to stop any new research related to Potato exploits and to archive all current repositories. So... no more potatoes :(