Invoke-Tater - Empire Module
This page contains detailed information about how to use the powershell/privesc/tater Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-Tater
Module: powershell/privesc/tater
Source code [1]: empire/server/modules/powershell/privesc/tater.yaml
Source code [2]: empire/server/data/module_source/privesc/Invoke-Tater.ps1
MITRE ATT&CK:
T1187
Language: PowerShell
Needs admin: No
OPSEC safe: No
Background: Yes
Tater is a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit from @breenmachine and @foxglovesec.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the tater module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the tater module:
Agent
Agent to run module on.
Command
Command to execute during privilege escalation. Do not wrap in quotes and use PowerShell character escapes where necessary.
Additional Module Options
This is a list of additional options that are supported by the tater module:
ExhaustUDP
Enable/Disable UDP port exhaustion to force all DNS lookups to fail in order to fallback to NBNS resolution (Y/N).
HTTPPort
TCP port for the HTTP listener.
Default value: 80.
Hostname
Hostname to spoof. WPAD.DOMAIN.TLD may be required by Windows Server 2008.
Default value: WPAD.
IP
Specific local IP address for NBNS spoofer.
NBNS
Enable/Disable NBNS bruteforce spoofing (Y/N).
NBNSLimit
Enable/Disable NBNS bruteforce spoofer limiting to stop NBNS spoofing while hostname is resolving correctly (Y/N).
RunTime
Run time duration in minutes.
SpooferIP
IP address included in NBNS response. This is needed when using two hosts to get around an in-use port 80 on the privesc target.
TaskDelete
Enable/Disable scheduled task deletion for trigger 2. If enabled, a random string will be added to the taskname to avoid failures after multiple trigger 2 runs.
Taskname
Scheduled task name to use with trigger 2. If you observe that Tater does not work after multiple trigger 2 runs, try changing the taskname.
Default value: Empire.
Trigger
Trigger type to use in order to trigger HTTP to SMB relay. 0 = None, 1 = Windows Defender Signature Update, 2 = Windows 10 Webclient/Scheduled Task.
WPADDirectHosts
Comma separated list of hosts to include as direct in the wpad.dat file. Note that localhost is always listed as direct. Add the Empire host to avoid catching Empire HTTP traffic.
WPADPort
Proxy server port to be included in the wpad.dat file.
Default value: 80.
Tater Example Usage
Here's an example of how to use the tater module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/privesc/tater
Author Kevin Robertson
Background True
Comments https://github.com/Kevin-Robertson/Tater
Description Tater is a PowerShell implementation of the Hot Potato Windows
Privilege Escalation exploit from @breenmachine and @foxglovesec.
Language powershell
Name powershell/privesc/tater
NeedsAdmin False
OpsecSafe False
Techniques http://attack.mitre.org/techniques/T1187
,Record Options---,--------,----------,-------------------------------------,
| Name | Value | Required | Description |
|-----------------|--------|----------|-------------------------------------|
| Agent | | True | Agent to run module on. |
|-----------------|--------|----------|-------------------------------------|
| Command | | True | Command to execute during privilege |
| | | | escalation. Do not wrap in quotes |
| | | | and use PowerShell character |
| | | | escapes where necessary. |
|-----------------|--------|----------|-------------------------------------|
| ExhaustUDP | N | False | Enable/Disable UDP port exhaustion |
| | | | to force all DNS lookups to fail in |
| | | | order to fallback to NBNS |
| | | | resolution (Y/N). |
|-----------------|--------|----------|-------------------------------------|
| HTTPPort | 80 | False | TCP port for the HTTP listener. |
|-----------------|--------|----------|-------------------------------------|
| Hostname | WPAD | False | Hostname to spoof. WPAD.DOMAIN.TLD |
| | | | may be required by Windows Server |
| | | | 2008. |
|-----------------|--------|----------|-------------------------------------|
| IP | | False | Specific local IP address for NBNS |
| | | | spoofer. |
|-----------------|--------|----------|-------------------------------------|
| NBNS | Y | False | Enable/Disable NBNS bruteforce |
| | | | spoofing (Y/N). |
|-----------------|--------|----------|-------------------------------------|
| NBNSLimit | Y | False | Enable/Disable NBNS bruteforce |
| | | | spoofer limiting to stop NBNS |
| | | | spoofing while hostname is |
| | | | resolving correctly (Y/N). |
|-----------------|--------|----------|-------------------------------------|
| RunTime | | False | Run time duration in minutes. |
|-----------------|--------|----------|-------------------------------------|
| SpooferIP | | False | IP address included in NBNS |
| | | | response. This is needed when using |
| | | | two hosts to get around an in-use |
| | | | port 80 on the privesc target. |
|-----------------|--------|----------|-------------------------------------|
| TaskDelete | Y | False | Enable/Disable scheduled task |
| | | | deletion for trigger 2. If enabled, |
| | | | a random string will be added to |
| | | | the taskname to avoid failures |
| | | | after multiple trigger 2 runs. |
|-----------------|--------|----------|-------------------------------------|
| Taskname | Empire | False | Scheduled task name to use with |
| | | | trigger 2. If you observe that |
| | | | Tater does not work after multiple |
| | | | trigger 2 runs, try changing the |
| | | | taskname. |
|-----------------|--------|----------|-------------------------------------|
| Trigger | 1 | False | Trigger type to use in order to |
| | | | trigger HTTP to SMB relay. 0 = |
| | | | None, 1 = Windows Defender |
| | | | Signature Update, 2 = Windows 10 |
| | | | Webclient/Scheduled Task |
|-----------------|--------|----------|-------------------------------------|
| WPADDirectHosts | | False | Comma separated list of hosts to |
| | | | include as direct in the wpad.dat |
| | | | file. Note that localhost is always |
| | | | listed as direct. Add the Empire |
| | | | host to avoid catching Empire HTTP |
| | | | traffic. |
|-----------------|--------|----------|-------------------------------------|
| WPADPort | 80 | False | Proxy server port to be included in |
| | | | the wpad.dat file. |
'-----------------'--------'----------'-------------------------------------'
(Empire: usemodule/powershell/privesc/tater) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/privesc/tater) > set Command SomeCommand
[*] Set Command to SomeCommand
(Empire: usemodule/powershell/privesc/tater) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
- Kevin Robertson
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/privesc/tater.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/privesc/Invoke-Tater.ps1
- https://github.com/Kevin-Robertson/Tater
- http://attack.mitre.org/techniques/T1187
- https://github.com/foxglovesec/Potato
See Also
Check also the following modules related to this module:
- powershell/privesc/bypassuac
- powershell/privesc/bypassuac_env
- powershell/privesc/bypassuac_tokenmanipulation
- powershell/privesc/winPEAS
- powershell/privesc/sweetpotato
- powershell/privesc/ms16-135
- powershell/privesc/ask
- powershell/privesc/bypassuac_wscript
- powershell/privesc/mcafee_sitelist
- powershell/privesc/privesccheck
- powershell/privesc/sherlock
- powershell/privesc/ms16-032
- powershell/privesc/bypassuac_eventvwr
- powershell/privesc/zerologon
- powershell/privesc/printdemon
- powershell/privesc/getsystem
- powershell/privesc/gpp
- powershell/privesc/bypassuac_sdctlbypass
- powershell/privesc/watson
- powershell/privesc/bypassuac_fodhelper
- powershell/privesc/printnightmare
- powershell/privesc/powerup/service_exe_useradd
- powershell/privesc/powerup/write_dllhijacker
- powershell/privesc/powerup/service_stager
- powershell/privesc/powerup/service_exe_restore
- powershell/privesc/powerup/service_exe_stager
- powershell/privesc/powerup/find_dllhijack
- powershell/privesc/powerup/service_useradd
- powershell/privesc/powerup/allchecks
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.
