breenmachine / RottenPotatoNG

New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools.

RottenPotatoNG vs LonelyPotato #2

Closed LyesH4ck closed 6 years ago

LyesH4ck commented 6 years ago

Hey !

For your information, I used RottenPotatoNG in a CTF. I recompiled it to exec a specific exe (Metasploit Windows meterpreter: reverse_https). When the payload is executed, I get a meterpreter session, but it hung: no response from the meterpreter.

Compiled in x64 with SDK Windows 10.0.16299.0 (not the v8...)

I've used the Lonely version: https://github.com/decoder-it/lonelypotato, the exe file downloaded from the Git repo, and it worked very well. Tested with the same exe file (Windows meterpreter).

I don't know... maybe there is a problem? Or maybe the problem is my SDK version.

Anyway very good job !

breenmachine commented 6 years ago

Nice! That's awesome. Not sure why your shells were dying, but I'm glad you got another version of it working. I've been in contact with the author of lonelypotato and he's been doing some research to clean up some loose ends with this technique.

decoder-it commented 6 years ago

Hello, which type of API call did you use in my (lonelypotato) version?

LyesH4ck commented 6 years ago

Hello, I'm not sure I understand. But I downloaded the .exe file from the Lonely Git repo and uploaded the binary via my Meterpreter shell. I got a CMD shell and tested the 2 options: u and t. They both worked.

Is that what you asked ?

On 9 March 2018 at 19:37, decoder-it notifications@github.com wrote:

Hello, which type of API call did you use in my (lonelypotato) version?

decoder-it commented 6 years ago

OK, well 'u' uses the SeImpersonate and 't' the SeAssignPrimaryToken privilege. In which CTF did you test it?
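The two modes decoder-it describes map onto two token privileges, so the first thing to check on a target is which of them the service account's token actually holds. The PowerShell below is an added example, not code from RottenPotatoNG or LonelyPotato: it parses `whoami /priv` output (a constructed sample modelled on a typical IIS application-pool token is embedded so it runs offline) and reports whether the token could drive mode 'u' (SeImpersonatePrivilege) or mode 't' (SeAssignPrimaryTokenPrivilege). The function name Get-PotatoMode and the sample output are assumptions.

```powershell
# Added example, not part of RottenPotatoNG or LonelyPotato. It parses `whoami /priv`
# (run on the target, or fed captured output) and reports which LonelyPotato mode the
# token could use: 'u' needs SeImpersonatePrivilege, 't' needs SeAssignPrimaryTokenPrivilege.
# A privilege listed as "Disabled" is still held by the token and can be enabled with
# AdjustTokenPrivileges, so presence, not state, is what counts here.
function Get-PotatoMode {
    param(
        # Lines of `whoami /priv` output; defaults to running it on this host.
        [string[]]$PrivOutput = (& whoami /priv)
    )
    $held = @{}
    foreach ($line in $PrivOutput) {
        # Rows look like: SeImpersonatePrivilege  Impersonate a client after ...  Enabled
        if ($line -match '^(Se[A-Za-z]+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$') {
            $held[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]@{
        SeImpersonatePrivilege        = $held['SeImpersonatePrivilege']
        SeAssignPrimaryTokenPrivilege = $held['SeAssignPrimaryTokenPrivilege']
        ModeU                         = $held.ContainsKey('SeImpersonatePrivilege')
        ModeT                         = $held.ContainsKey('SeAssignPrimaryTokenPrivilege')
    }
}

# Constructed sample output (assumption): what `whoami /priv` typically shows for an
# IIS application-pool or other service account.
$sample = @'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
'@ -split "`r?`n"

# Offline run against the sample; drop -PrivOutput to inspect the current token instead.
Get-PotatoMode -PrivOutput $sample | Format-List
```

With the sample above both ModeU and ModeT come back true, even though SeAssignPrimaryTokenPrivilege is listed as Disabled; a token that lacks both privileges entirely (a plain user, or a service hardened with restricted privileges) reports false for both and neither mode applies.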

LyesH4ck commented 6 years ago

Hack The Box; the server name is Bart.

On 10 March 2018 at 13:48, decoder-it notifications@github.com wrote:

OK, well 'u' uses the SeImpersonate and 't' the SeAssignPrimaryToken privilege. In which CTF did you test it?

decoder-it commented 6 years ago

Yes, I did this box too ;-) If you want to know more about this modified exe, read here: https://decoder.cloud/2018/01/13/potato-and-tokens/