JuicyPotato was a go-to exploit whenever I found myself with a Windows shell with SeImpersonatePrivilege, which typically was whenever there was some kind of webserver exploit. It is actually an improved and more flexible adaptation of RottenPotatoNG and lonelypotato. JuicyPotato abused SeImpersonate or SeAssignPrimaryToken privileges to get execution as SYSTEM. But Microsoft changed things in Server 2019 to break JuicyPotato, so I was really excited when splinter_code and decoder came up with RoguePotato, a follow-on exploit that works around the protections put into place in Server 2019.

When I originally solved Remote back in March, RoguePotato had not yet been released. I didn't have time last week to add it to my Remote write-up, so I planned to do a follow-up post to show it. While in the middle of this post, I also watched IppSec's video where he tries to use RoguePotato on Remote in a way that worked but shouldn't have, raising a real mystery. I'll dig into that and show what happened as well.

decoder keeps a blog on decoder.cloud with several really detailed posts diving into the Windows internals for how impersonation works, and how it is exploited with these exploits, and that is the place to go to get deep into all of this.

The main thing that Server 2019 broke was how the system can contact the OXID resolver. Starting from Wind& Windows Server 2019, it's no longer possible to query the OXID resolver on a port different than 135. The OXID resolver is part of the "rpcss" service and runs on port 135. The RPC binding string changed from to host from host.