Hello, I'm the co-author of LocalPotato. Just wanted to point out that the arbitrary file read (in this case \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\system32\config\...) does not work unless you're an administrator (as shown in your demo lab) or the machine was not patched against an old vulnerability which permitted a standard user to access the SAM/SYSTEM hive from a shadow copy. Minute 3.21
@randovideos8423 The fact is that LocalPotato is running in an elevated shell (see at minute 3.21 the cmd box: Administrator). We never implemented the SMB arbitrary read (it's up to you, and then yes, you could read the shadow copy as the SYSTEM user), only the SMB arbitrary write, thus making it impossible for a standard user to read the SAM/SYSTEM hive via a simple fopen() unless the machine was not patched.
Awesome channel. Please keep posting technical news on infosec related matters. It's not for everyone but in time your channel will be sure to grow.
He says at 7:54 that the user is rpcclient?