How it works?
Potato takes advantage of known issues in Windows to gain local privilege escalation, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing. Using the techniques outlined below, it is possible for an unprivileged user to gain “NT AUTHORITY\SYSYTEM” level access to a Windows host in default configurations.
The exploit consists of 3 main parts, all of which are somewhat configurable through command-line switches:
1. Local NBNS Spoofer
NBNS is a broadcast UDP protocol for name resolution commonly used in Windows environments. In penetration testing, we often sniff network traffic and respond to NBNS queries observed on a local network. For privilege escalation purposes, we can’t assume that we are able to sniff network traffic, so how can we accomplish NBNS spoofing?
If we can know ahead of time which host a target machine (in this case our target is 127.0.0.1) will be sending an NBNS query for, we can craft a response and flood the target host with NBNS responses (since it is a UDP protocol). One complication is that a 2-byte field in the NBNS packet, the TXID, must match in the request and response. We can overcome this by flooding quickly and iterating over all 65536 possible values.
In testing, this has proved to be 100% effective.
2. Fake WPAD Proxy Server
With the ability to spoof NBNS responses, we can target our NBNS spoofer at 127.0.0.1. We flood the target machine (our own machine) with NBNS response packets for the host “WPAD”, or “WPAD.DOMAIN.TLD”, and we say that the WPAD host has IP address 127.0.0.1.
At the same time, we run an HTTP server locally on 127.0.0.1. When it receives a request for “http://wpad/wpad.dat”, it responds with something like the following:
if (dnsDomainIs(host, "localhost")) return "DIRECT";
return "PROXY 127.0.0.1:80";}
This will cause all HTTP traffic on the target to be redirected through our server running on 127.0.0.1.
Interestingly, this attack when performed by even a low privilege user will affect all users of the machine. This includes administrators, and system accounts. See the screenshots “egoldstein_spoofing.png” and “dade_spoofed.png” for an example.
3. HTTP -> SMB NTLM Relay
With all HTTP traffic now flowing through a server that we control, we can do things like request NTLM authentication…
In the Potato exploit, all requests are redirected with a 302 redirect to “http://localhost/GETHASHESxxxxx”, where xxxxx is some unique identifier. Requests to “http://localhost/GETHASHESxxxxx” respond with a 401 request for NTLM authentication.
The NTLM credentials are relayed to the local SMB listener to create a new system service that runs a user-defined command. This command will run with “NT AUTHORITY\SYSTEM” privilege.
Enabling “Extended Protection for Authentication” in Windows should stop NTLM relay attacks.
SMB Signing may also mitigate this type of attack, however this would require some more research on my part to confirm.
Off Broadcast NBNS Spoofing
Using the same NBNS spoofing technique as the Potato exploit, we can perform NBNS spoofing against any host for which we can talk to UDP 137. We simply need to send UDP packets quickly enough to sneak in a valid reply before the NBNS request times out.