kevin-robertson / tater

Tater is a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit from @breenmachine and @foxglovesec

License: Other

PowerShell 100.00%

Tater

Tater is a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit.

Credit

All credit goes to @breenmachine, @foxglovesec, Google Project Zero, and anyone else that helped work out the details for this exploit.

Included In

Functions

Invoke-Tater

  • The main Tater function.

Parameters

  • IP - Specify a specific local IP address. An IP address will be selected automatically if this parameter is not used.
  • SpooferIP - Specify an IP address for NBNS spoofing. This is needed when using two hosts to get around an in-use port 80 on the privesc target.
  • Command - Command to execute as SYSTEM on the localhost. Use PowerShell character escapes where necessary.
  • NBNS - Default = Enabled: (Y/N) Enable/Disable NBNS bruteforce spoofing.
  • NBNSLimit - Default = Enabled: (Y/N) Enable/Disable NBNS bruteforce spoofer limiting to stop NBNS spoofing while hostname is resolving correctly.
  • ExhaustUDP - Default = Disabled: (Y/N) Enable/Disable UDP port exhaustion to force all DNS lookups to fail in order to fallback to NBNS resolution.
  • HTTPPort - Default = 80: Specify a TCP port for the HTTP listener and redirect response.
  • Hostname - Default = WPAD: Hostname to spoof. WPAD.DOMAIN.TLD may be required by Windows Server 2008.
  • WPADDirectHosts - Comma separated list of hosts to list as direct in the wpad.dat file. Note that localhost is always listed as direct.
  • WPADPort - Default = 80: Specify a proxy server port to be included in the wpad.dat file.
  • Trigger - Default = 1: Trigger type to use in order to trigger HTTP to SMB relay. 0 = None, 1 = Windows Defender Signature Update, 2 = Windows 10 Webclient/Scheduled Task
  • TaskDelete - Default = Enabled: (Y/N) Enable/Disable scheduled task deletion for trigger 2. If enabled, a random string will be added to the taskname to avoid failures after multiple trigger 2 runs.
  • Taskname - Default = Tater: Scheduled task name to use with trigger 2. If you observe that Tater does not work after multiple trigger 2 runs, try changing the taskname.
  • RunTime - Default = Unlimited: (Integer) Set the run time duration in minutes.
  • ConsoleOutput - Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell.
  • StatusOutput - Default = Enabled: (Y/N) Enable/Disable startup messages.
  • ShowHelp - Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
  • Tool - Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire

Stop-Tater

  • Function to manually stop Invoke-Tater.

Usage

  • To import with Import-Module:
    Import-Module ./Tater.ps1

  • To import using dot source method:
    . ./Tater.ps1

Examples

  • Basic trigger 1 example
    Invoke-Tater -Trigger 1 -Command "net user tater Winter2016 /add && net localgroup administrators tater /add"

  • Basic trigger 2 example
    Invoke-Tater -Trigger 2 -Command "net user tater Winter2016 /add && net localgroup administrators tater /add"

  • Two system setup to get around port 80 being in-use on the privesc target
    WPAD System - 192.168.10.100 - this system will just serve up a wpad.dat file that will direct HTTP traffic on the privesc target to the non-80 HTTP port
    Invoke-Tater -Trigger 0 -NBNS N -WPADPort 8080 -Command "null"

    Privesc Target - 192.168.10.101
    Invoke-Tater -Command "net user Tater Winter2016 /add && net localgroup administrators Tater /add" -HTTPPort 8080 -SpooferIP 192.168.10.100
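As an added example (not part of Tater), a PowerShell check of the host-side conditions that the parameters and examples above depend on: NetBIOS name resolution (NBNS) being enabled, the WPAD name not being pinned, and the WinHttpAutoProxySvc and WebClient services running. The registry path and service names are standard Windows ones; the hosts-file line pattern is an assumption about how a pin is written.

```powershell
# Added example, not part of Tater: report host conditions that the NBNS/WPAD
# spoofing and service triggers described in this README rely on.
function Get-HotPotatoExposure {
    $findings = @()

    # NetBIOS over TCP/IP per interface. Tater answers NBNS queries for WPAD;
    # with NetBT disabled (NetbiosOptions = 2) there is no NBNS fallback to spoof.
    $ifKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($if in Get-ChildItem -Path $ifKey -ErrorAction SilentlyContinue) {
        $opt = (Get-ItemProperty -Path $if.PSPath).NetbiosOptions
        if ($opt -ne 2) {
            $findings += "NetBT enabled on $($if.PSChildName) (NetbiosOptions=$opt)"
        }
    }

    # A static hosts entry for wpad is never resolved over DNS or NBNS, so a
    # spoofed answer is ignored. (Line pattern is an assumption: '<ip> wpad'.)
    $hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $pinned = Get-Content -Path $hostsFile -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+wpad(\s|$)' }
    if (-not $pinned) {
        $findings += 'wpad is not pinned in the hosts file'
    }

    # Services the triggers need: WinHttpAutoProxySvc performs WPAD discovery for
    # WinHTTP clients such as Defender signature updates (trigger 1); WebClient is
    # the WebDAV redirector that lets the UNC path of trigger 2 be fetched over HTTP.
    foreach ($name in 'WinHttpAutoProxySvc', 'WebClient') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $svc -and $svc.Status -eq 'Running') {
            $findings += "$name service is running"
        }
    }

    return $findings
}

# Usage: prints one line per finding; no output means none of the checks fired.
Get-HotPotatoExposure
```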

Screenshots

Windows 7 using trigger 1 (NBNS WPAD Bruteforce + Windows Defender Signature Updates)

Windows 10 using trigger 2 (WebClient Service + Scheduled Task)

Windows 7 using trigger 1 and UDP port exhaustion

Issues

Script stuck at Starting NBNS spoofer to resolve WPAD to 127.0.0.1

Hello, I'm pretty new to this stuff. I don't really know why this gets stuck at Starting NBNS spoofer to resolve WPAD to 127.0.0.1.

These are my logs:

2020-09-26T16:03:05 - Tater (Hot Potato Privilege Escalation) started
Local IP Address = 192.168.91.130
Spoofing Hostname = WPAD
Windows Defender Trigger Enabled
Real Time Console Output Enabled
Run Stop-Tater to stop Tater early
Use Get-Command -Noun Tater* to show available functions
Press any key to stop real time console output

2020-09-26T16:03:06 - Waiting for incoming HTTP connection
2020-09-26T16:03:06 - Flushing DNS resolver cache
2020-09-26T16:03:06 - Starting NBNS spoofer to resolve WPAD to 127.0.0.1

FireWall Problem

I have tried Tater, and the first time I ran it, it asked for a new Windows firewall rule.
And as you know, it requires privileges for that.
What do you think?


Issues running in Server 2012?

Greetings!

Ran into my first pentest today where it looks like Potato/Tater should give me privesc. I already had an Empire agent with a Win2k12 box established so I tried running Tater through it. I repeatedly got errors about "Windows Defender not found" which is fine since it's not present, but it also pegs the proc at 100% so I killed it.

I also have RDP access to the Win2k12 box so I ran it manually with Invoke-Tater and the behavior was the same - proc pegged at 100%. FYI, overall this is not an overworked box. It usually idles around 10% for proc and 50% for memory.

I didn't see it explicitly mentioned in the documentation, but should Tater run ok under Server 2012? Potato says it supports 2012, but maybe Tater doesn't?

I can try to run Potato tonight too and see if there is any difference.

Thanks,
Brian

New Windows10 Trigger

Hey Kevin,

Awesome work, on converting this to PowerShell.

I'm in the process of adding a new trigger to my version for Windows 10. Props to @vvalien1 on Twitter for this one, he used it in his win0day.py code that he dropped just after our talk.

Apparently, in Windows 10, schtasks.exe is enabled for regular users and NT AUTHORITY\SYSTEM will check the file path supplied when you schedule a new task. If Potato is running and you submit a task as follows, it will trigger immediately:

schtasks.exe /Create /TN shellz /TR \\127.0.0.1\teste /SC ONCE /ST 10:00 /F

You need to make sure that the WebClient service is running first. It can be started by any user just by doing start -> run -> \\live.sysinternals.com\tools

I'm certain you can do the same programmatically but I haven't yet.

Just wanted to let you know, would be awesome to have this in the Powershell version!
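As an added example (not Tater's code and not from the issue author), a defender-side hunt for the artifact this trigger leaves behind: a scheduled task whose action is a UNC path to the loopback address. Get-ScheduledTask and Security event ID 4698 (a scheduled task was created) are standard Windows facilities; the loopback host list and the matching pattern are assumptions.

```powershell
# Added example, not from Tater or the issue author: hunt for scheduled tasks
# whose action points at a loopback UNC path, the shape of the trigger above.
function Find-LoopbackUncTasks {
    param([string[]]$LoopbackHosts = @('127.0.0.1', 'localhost'))

    # Build a regex for \\<host>\ per host; in the pattern '\\\\' is two literal backslashes.
    $pattern = ($LoopbackHosts | ForEach-Object { '\\\\' + [regex]::Escape($_) + '\\' }) -join '|'

    $hits = @()
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute property and yield an empty string here.
            $target = ("$($action.Execute) $($action.Arguments)").Trim()
            if ($target -match $pattern) {
                $hits += [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    RunAs    = $task.Principal.UserId
                    Action   = $target
                }
            }
        }
    }
    return $hits
}

# Correlate with task-creation audit events (Security log, Event ID 4698) when the
# audit policy records them; the event message embeds the task XML, so the same
# pattern applies. Reading the Security log needs an elevated session.
function Find-LoopbackUncTaskCreations {
    param([string]$Pattern = '\\\\(127\.0\.0\.1|localhost)\\')
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        Select-Object TimeCreated, Id, Message
}

Find-LoopbackUncTasks | Format-Table -AutoSize
Find-LoopbackUncTaskCreations | Format-List
```

Tasks created and then deleted by the TaskDelete option leave no Get-ScheduledTask result, which is why the 4698 correlation is included.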
