Detecting LocalPotato (CVE-2023-21746) Privilege Escalation Attacks on Windows
You've probably heard about potatoes on Windows -- starting with HotPotato in 2016, followed by RottenPotato, JuicyPotato, and SweetPotato, among many others. Potatoes are a collection of privilege escalation attacks on Windows that typically abuse authentication mechanisms, credentials/tokens, and services with impersonation privileges. LocalPotato (CVE-2023-21746) is the newest in the potato family, and abuses flaws in the NTLM authentication challenge process that allow arbitrary file reads and writes as SYSTEM. We'll demonstrate two ways to use LocalPotato to escalate privileges: by copying the SAM/SYSTEM files and dumping password hashes, and a new privilege escalation against the StorSvc service. As always, we'll discuss detection and threat hunting strategies for these attacks.
References:
SnapAttack Content: