kevin-robertson / tater
Tater is a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit from @breenmachine and @foxglovesec
License: Other
Greetings!
Ran into my first pentest today where it looks like Potato/Tater should give me privesc. I already had an Empire agent with a Win2k12 box established so I tried running Tater through it. I repeatedly got errors about "Windows Defender not found" which is fine since it's not present, but it also pegs the proc at 100% so I killed it.
I also have RDP access to the Win2k12 box so I ran it manually with Invoke-Tater and the behavior was the same - proc pegged at 100%. FYI, overall this is not an overworked box. It usually idles around 10% for proc and 50% for memory.
I didn't see it explicitly mentioned in the documentation, but should Tater run ok under Server 2012? Potato says it supports 2012, but maybe Tater doesn't?
I can try to run Potato tonight too and see if there is any difference.
Thanks,
Brian
Hello, I'm pretty new to this stuff. I don't really know why this gets stuck at "Starting NBNS spoofer to resolve WPAD to 127.0.0.1".
These are my logs:
2020-09-26T16:03:05 - Tater (Hot Potato Privilege Escalation) started
Local IP Address = 192.168.91.130
Spoofing Hostname = WPAD
Windows Defender Trigger Enabled
Real Time Console Output Enabled
Run Stop-Tater to stop Tater early
Use Get-Command -Noun Tater* to show available functions
Press any key to stop real time console output
2020-09-26T16:03:06 - Waiting for incoming HTTP connection
2020-09-26T16:03:06 - Flushing DNS resolver cache
2020-09-26T16:03:06 - Starting NBNS spoofer to resolve WPAD to 127.0.0.1
Hey Kevin,
Awesome work on converting this to PowerShell.
I'm in the process of adding a new trigger to my version for Windows 10. Props to @vvalien1 on Twitter for this one, he used it in his win0day.py code that he dropped just after our talk.
Apparently in Windows 10, schtasks.exe is enabled for regular users and NT AUTHORITY\SYSTEM will check the file path supplied when you schedule a new task. If Potato is running and you submit a task as follows, it will trigger immediately:
schtasks.exe /Create /TN shellz /TR \\127.0.0.1\teste /SC ONCE /ST 10:00 /F
You need to make sure that the WebClient service is running first. It can be started by any user just by doing Start -> Run -> \\live.sysinternals.com\tools
I'm certain you can do the same programmatically but I haven't yet.
Just wanted to let you know, would be awesome to have this in the PowerShell version!
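A defender-side check for the trigger described in the post above, as an added example that is not part of the original thread or of Tater: it scans process-creation command lines for `schtasks /Create` whose `/TR` target is a UNC path on the loopback address. The sample events are constructed, the function names are hypothetical, and matching the `host@port` WebDAV form of a UNC path goes beyond the single command quoted in the post.

```python
import ipaddress
import re

# Constructed process-creation command lines (the kind recorded by
# Windows Event ID 4688 or Sysmon Event ID 1). Not real telemetry.
SAMPLE_EVENTS = [
    r'schtasks.exe /Create /TN shellz /TR \\127.0.0.1\teste /SC ONCE /ST 10:00 /F',
    r'C:\Windows\System32\schtasks.exe /create /tn upd /tr "\\localhost@8080\a\b.exe" /sc once /st 10:00',
    r'schtasks.exe /Create /TN backup /TR "C:\Tools\backup.cmd" /SC DAILY /ST 02:00',
    r'schtasks.exe /Create /TN report /TR \\fileserver01\share\report.exe /SC ONCE /ST 09:00',
    r'schtasks.exe /Query /TN shellz',
]

SCHTASKS = re.compile(r'(?:^|[\\/"\s])schtasks(?:\.exe)?"?(?:\s|$)', re.IGNORECASE)
CREATE = re.compile(r'(?<!\S)/create(?!\S)', re.IGNORECASE)
# /TR value, either quoted or a single whitespace-delimited token.
TR_ARG = re.compile(r'(?<!\S)/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# Host part of a UNC path; stops at '\' or at '@' (the WebDAV host@port form).
UNC_HOST = re.compile(r'^\\\\([^\\@]+)')


def is_loopback(host):
    """True for 'localhost' or any literal address in a loopback range."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an ordinary hostname, not an IP literal


def loopback_task_target(cmdline):
    """Return the /TR target if it is a loopback UNC path, else None."""
    if not (SCHTASKS.search(cmdline) and CREATE.search(cmdline)):
        return None
    m = TR_ARG.search(cmdline)
    if not m:
        return None
    target = m.group(1) if m.group(1) is not None else m.group(2)
    host = UNC_HOST.match(target)
    return target if host and is_loopback(host.group(1)) else None


def scan(events):
    """Return (index, target) for every event that should raise an alert."""
    return [(i, t) for i, e in enumerate(events) if (t := loopback_task_target(e))]


if __name__ == "__main__":
    for index, target in scan(SAMPLE_EVENTS):
        print(f"ALERT event {index}: scheduled task points at loopback UNC {target}")
```

A hit is worth correlating with the state of the WebClient service on the same host, since the post notes the trigger depends on that service running.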
Now that it's out there, any plans on implementing the new rotten potato attack?