Kevin-Robertson / Tater

Tater is a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit from @breenmachine and @foxglovesec

New Windows10 Trigger #2

Closed breenmachine closed 8 years ago

breenmachine commented 8 years ago

Hey Kevin,

Awesome work on converting this to PowerShell.

I'm in the process of adding a new trigger to my version for Windows 10. Props to @vvalien1 on Twitter for this one; he used it in his win0day.py code that he dropped just after our talk.

Apparently in Windows 10, schtasks.exe is enabled for regular users and NT AUTHORITY\SYSTEM will check the file path supplied when you schedule a new task. If Potato is running and you submit a task as follows, it will trigger immediately:

schtasks.exe /Create /TN shellz /TR \\127.0.0.1\teste /SC ONCE /ST 10:00 /F

You need to make sure that the WebClient service is running first. It can be started by any user just by doing Start -> Run -> \\live.sysinternals.com\tools

I'm certain you can do the same programmatically but I haven't yet.

Just wanted to let you know, would be awesome to have this in the Powershell version!
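The trigger described above depends on two observable preconditions: the WebClient (WebDAV Mini-Redirector) service being running, and a scheduled task whose action points at a UNC path. The following is an added defender-side example, not code from Tater, Potato or this thread; it assumes a Windows host with the ScheduledTasks module (Windows 8 / Server 2012 and later) and an elevated session for the mitigation function. Function names are the example's own.

```powershell
# Added example (not part of Tater or this issue): check the preconditions the
# Windows 10 schtasks trigger relies on, and optionally remove one of them.

function Get-WebClientServiceState {
    # The WebDAV redirector must be running for a \\host\share path to be
    # resolved over HTTP, which is what lets the task's path check reach Potato.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Present = $false; Status = $null; StartType = $null }
    }
    [pscustomobject]@{
        Present   = $true
        Status    = $svc.Status.ToString()      # Running / Stopped
        StartType = $svc.StartType.ToString()   # Manual (demand-start) / Disabled / Automatic
    }
}

function Find-UncScheduledTasks {
    # Enumerate every registered task and flag actions whose program or
    # arguments contain a UNC path (\\host\share). A task created with
    # /TR \\127.0.0.1\... is the artefact the trigger above leaves behind.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $target = "$($action.Execute) $($action.Arguments)"
            if ($target -match '\\\\[^\\\s]+\\') {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Author   = $task.Author
                    Target   = $target.Trim()
                    Loopback = [bool]($target -match '\\\\(127\.0\.0\.1|localhost)\\')
                }
            }
        }
    }
}

function Disable-WebClientService {
    # Mitigation where WebDAV client access is not needed: stop the redirector
    # and prevent any user from demand-starting it. Requires an elevated session.
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service -Name WebClient -StartupType Disabled
}

Get-WebClientServiceState
Find-UncScheduledTasks | Format-Table -AutoSize
```

`Find-UncScheduledTasks` only sees tasks still registered; a task created with `/SC ONCE` and then deleted will not appear, so pairing this with task-creation logging (Security event 4698 when object access auditing for "Other Object Access Events" is enabled) gives better coverage than periodic enumeration alone. `Disable-WebClientService` is the blunt fix; where users rely on WebDAV, restricting the service instead of disabling it is a per-environment decision.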

Kevin-Robertson commented 8 years ago

Oh cool, yeah, I will definitely try to get that added in. Thanks for the heads-up and awesome job with Potato. I'm working on some Potato-inspired bruteforce stuff for Inveigh also. For post-exploitation, the bruteforce method is going to be useful for limited grabbing of HTTP challenge/responses and relay without needing admin access.

breenmachine commented 8 years ago

Awesome, can't wait to see it!

Kevin-Robertson commented 8 years ago

Hey, I added the Windows 10 trigger. I also think I'm now caught up with the features of potato.exe from a parameter standpoint.

I saw the tweets but I didn't explore starting WebClient programmatically yet.