Pentest Tools

Published on January 17th, 2016 📆 | 7751 Views ⚑


Hot Potato — Windows Privilege Escalation

Privilege Escalation on Windows 7,8,10, Server 2008, Server 2012 … and a new network attack

Hot Potato (aka Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing. Using this technique, we can elevate our privilege on a Windows workstation from the lowest levels to "NT AUTHORITY\SYSTEM", the highest level of privilege available on a Windows machine.

This is important because many organizations unfortunately rely on Windows account privileges to protect their corporate network. Often, once an attacker is able to gain high-privileged access to ANY workstation or server on a Windows network, they can use this access for "lateral movement" and compromise other hosts on the same domain. As an attacker, we often gain access to a computer through a low-privilege user or service account. Gaining high-privilege access on a host is often a critical step in a penetration test, and is usually performed in an ad-hoc manner as there are no known public exploits or techniques to do so reliably.

The techniques that this exploit uses to gain privilege escalation aren’t new, but the way they are combined is. Microsoft is aware of all of these issues and has been for some time (circa 2000). These are unfortunately hard to fix without breaking backward compatibility and have been leveraged by attackers for over 15 years.

The exploit consists of 3 main parts, all of which are somewhat configurable through command-line switches. Each part corresponds to an already well known attack that has been in use for years:

  • Local NBNS Spoofer

    NBNS is a broadcast UDP protocol for name resolution commonly used in Windows environments.

  • Fake WPAD Proxy Server

    In Windows, Internet Explorer by default will automatically try to detect the network proxy configuration by accessing the URL "https://wpad/wpad.dat".

  • HTTP -> SMB NTLM Relay

    Part of the Windows Integrated Authentication protocol suite; essentially a challenge-response design.
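Added example (not part of the original post or the Hot Potato code): a Python parser for NBNS name-service datagrams with a defender-side check over constructed sample traffic. It flags NBNS answers for the WPAD name and answers that match no outstanding query, the two things the local spoofer and fake WPAD proxy stages above depend on; the hosts, addresses and transaction IDs are constructed for the demo, and the parser assumes NetBIOS names without a scope ID.

```python
import struct
NB_TYPE = 0x0020  # NetBIOS name-service RR type (RFC 1002)

def encode_name(name, suffix=0x00):
    # First-level encoding (RFC 1002): 15-byte space-padded name + suffix byte, each
    # nibble written as a letter 'A'..'P', wrapped as one 32-byte label plus terminator.
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    enc = "".join(chr(65 + (b >> 4)) + chr(65 + (b & 15)) for b in raw)
    return b"\x20" + enc.encode("ascii") + b"\x00"

def decode_name(data, off):  # inverse of encode_name -> (name, offset past the label)
    n, enc = data[off], data[off + 1:off + 1 + data[off]].decode("ascii")
    raw = bytes(((ord(enc[i]) - 65) << 4) | (ord(enc[i + 1]) - 65) for i in range(0, n, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), off + n + 2

def build_query(txid, name):  # broadcast NB name query, flags 0x0110 (QUERY, B, RD)
    return struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", NB_TYPE, 1)

def build_response(txid, name, ip):  # positive name response, flags 0x8500 (R, AA, RD)
    rdata = b"\x00\x00" + bytes(int(o) for o in ip.split("."))  # NB_FLAGS + NB_ADDRESS
    return (struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0) + encode_name(name)
            + struct.pack(">HHIH", NB_TYPE, 1, 300000, len(rdata)) + rdata)

def parse_nbns(data):  # single-question / single-answer shape of NB queries and replies
    txid, flags = struct.unpack(">HH", data[:4])
    name, off = decode_name(data, 12)
    if not flags & 0x8000:
        return {"txid": txid, "response": False, "name": name}
    rdlen, off = struct.unpack(">H", data[off + 8:off + 10])[0], off + 10  # skip type/class/TTL
    addrs = [".".join(map(str, data[off + i + 2:off + i + 6])) for i in range(0, rdlen, 6)]
    return {"txid": txid, "response": True, "name": name, "addrs": addrs}

def audit(datagrams):
    # datagrams: list of (source_ip, udp_payload); returns a list of alert strings.
    outstanding, alerts = {}, []
    for src, payload in datagrams:
        pkt = parse_nbns(payload)
        if not pkt["response"]:
            outstanding[pkt["txid"]] = pkt["name"]
            continue
        if pkt["name"] == "WPAD":  # proxy auto-detect name resolved via NBNS
            alerts.append(f"{src}: NBNS answer for WPAD -> {pkt['addrs']}")
        if outstanding.get(pkt["txid"]) != pkt["name"]:  # no matching query seen
            alerts.append(f"{src}: unsolicited answer for {pkt['name']} (txid {pkt['txid']:#06x})")
    return alerts

# Constructed sample traffic (not a capture): a legitimate lookup, then WPAD answers with a wrong and a matching txid.
SAMPLE = [
    ("10.0.0.5", build_query(0x1234, "FILESRV")),
    ("10.0.0.7", build_response(0x1234, "FILESRV", "10.0.0.7")),
    ("10.0.0.5", build_query(0x2A2A, "WPAD")),
    ("10.0.0.5", build_response(0x0001, "WPAD", "127.0.0.1")),
    ("10.0.0.5", build_response(0x2A2A, "WPAD", "127.0.0.1")),
]
```

Running `audit(SAMPLE)` yields three alerts: the legitimate FILESRV exchange is silent, the wrong-txid WPAD answer trips both checks, and the matching one still trips the WPAD check.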

Windows 7

Windows Server 2008


Windows 8/10/Server 2012

Source && Download