In your red teaming or pentesting activities escalating to  SYSTEM on a Windows box is always the desired objective. The SYSTEM user is a special operating system user with the highest privilege, many post exploitation techniques require this type of access. Of course, in order to get SYSTEM you have be part of the administrators group…

I just finished playing  with the Rotten Potato C# exploit  in order to get it work standalone that the author  @breenmachine  released the C++ standalone version of  "Rotten Potato". He really did a great job! https://github.com/foxglovesec/RottenPotatoNG  Time for me to play with this new version, dig deeper in some "obscure" Windows API   calls and access tokens …

As promised in the previous post, I will show you how to embed the "lonely potato" in InstallUtil.exe. Why do we need that? Because, as explained here , with Installutil we can call our C# assembly with whatever extension we like, for example ".txt". Cool way to bypass some Application and File restriction policies.... Quick and…

Never heard about the "Rotten Potato"? If not, read this post written by the authors of this fantastic exploit before continuing: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ The mechanism is quite complex, it allows us to intercept the NTLM authentication challenge which occurs during the  DCOM activation through  our endpoint listener and impersonate the user's security access  token  (in this case…

This seems to be  a never ending story but, believe me, there  are so many ways to achieve the same result! This time we are going to use another simple technique for running our powershell scripts without invoking powershell.exe. Introducing MSBuild.exe... MSBuild is a tool included in .Net frameworks for automating the processes of creating…

In your pentesting activities, there are many circumstances where you need to “migrate” your Windows working process, typically a shell,to a different process and some scenarios can be: You have an unstable shell and need to move to a more robust process on the victim's machine (typically explorer.exe which will live until the victim doesn't…

This is the third part of my "powershell-less" series: howto execute powershell scripts without using powershell.exe In part 2 I used  DotNetToJscript  in order to circumvent AppLocker policy. Now let's try to use another technique.  The problem is always the same: we cannot run executable files outside windows directories and  we can't run powershell.exe. Never heard…

In my previous post I showed you how to bypass policy restrictions which won't let you execute powershell.exe. Now let's move on to a more complicated (but realistic) scenario: you can't run exe files located outside the "classic" Windows directories because there is an App Locker policy which won't permit it Say bye-bye to powershell?…

Please don't misunderstand me, you really need Powershell and all it's magic if you are a pentester, don't you? But what can you do if some policy is blocking  access to powershell.exe?  Yes, this is a well known problem and there are many solutions. In my article I just want to focus on a quick…

Article can be found here: From pass the hash to pass the ticket!