LocalPotato HTTP edition

LocalPotato HTTP edition

Microsoft addressed our LocalPotato vulnerability in the SMB scenario with CVE-2023-21746 during the January 2023 Patch Tuesday. However, the HTTP scenario remains unpatched, as per Microsoft’s decision, and it is still effective on updated systems.
Microsoft 在 2023 年 1 月的星期二补丁期间通过 CVE-2023-21746 解决了 SMB 场景中的 LocalPotato 漏洞。但是,根据 Microsoft 的决定,HTTP 方案仍未修补,并且在更新的系统上仍然有效。

This is clearly an edge case, but it is important to be aware of it and avoid situations that could leave you vulnerable.

In this brief post, we will explain a possible method of performing an arbitrary file write with SYSTEM privileges starting from a standard user by leveraging the context swap in HTTP NTLM local authentication using the WEBDAV protocol.
在这篇简短的文章中,我们将解释一种可能的方法,通过使用 WEBDAV 协议利用 HTTP NTLM 本地身份验证中的上下文交换,从标准用户开始,以 SYSTEM 权限执行任意文件写入。

For all the details about the NTLM Context swapping refer to our previous post.
有关 NTLM 上下文交换的所有详细信息,请参阅我们之前的文章。


First of all, we need to install IIS on our Windows machine and enable Webbav, The following screenshot is taken from Windows 11, but is quite similar on Windows servers as well.
首先,我们需要在 Windows 机器上安装 IIS 并启用 Webbav,以下屏幕截图取自 Windows 11,但在 Windows 服务器上也非常相似。

LocalPotato HTTP edition

Upon enabling WEBDAV, the next step is to create a virtual directory under our root website. In this instance, we’ll name it webdavshare and mount it, for the sake of simplicity, on the C:\Windows directory.
启用 WEBDAV 后,下一步是在我们的根网站下创建一个虚拟目录。在本例中,为了简单起见,我们将它命名为 webdavshare,并将其挂载到 C:\Windows 目录下。

LocalPotato HTTP edition

We need to permit read/write operations on this share by adding an authoring rule:

LocalPotato HTTP edition

Last but not least, we need to enable NTLM authentication and disable all the other methods:
最后但并非最不重要的一点是,我们需要启用 NTLM 身份验证并禁用所有其他方法:

LocalPotato HTTP edition

利用 HTTP/WEBDAV 进行上下文交换

In our latest LocalPotato release, we have added and “hardcoded” this method with http/webdav protocol. The tool will perform an arbitrary file write with SYSTEM privileges in the location specified in the webdav share with a static content of “we always love potatoes”. Refer to the source code for all the details, it’s not black magic LocalPotato HTTP edition
在我们最新的 LocalPotato 版本中,我们使用 http/webdav 协议添加并“硬编码”了此方法。该工具将在 webdav 共享中指定的位置以 SYSTEM 权限执行任意文件写入,静态内容为“我们总是喜欢土豆”。有关所有详细信息,请参阅源代码,这不是黑魔法 LocalPotato HTTP edition

LocalPotato HTTP edition

You can certainly modify the code and tailor it to your specific needs, depending on the situation you encounter LocalPotato HTTP edition
您当然可以修改代码并根据您的特定需求进行定制,具体取决于您遇到 LocalPotato HTTP edition 的情况

原文始发于Decoder's Blog:LocalPotato HTTP edition

版权声明:admin 发表于 2023年11月6日 下午5:37。
转载请注明:LocalPotato HTTP edition | CTF导航