MultiPotato

First of all, credit to @splinter_code & @decoder_it for RoguePotato, as this code is heavily based on it.

This is just another Potato to get SYSTEM via SeImpersonate privileges. But this one is different in two respects:

  • It doesn't contain any SYSTEM auth trigger for weaponization. Instead, the code is meant for you to integrate your favorite trigger yourself.
  • It doesn't only use CreateProcessWithTokenW to spawn a new process. Instead, you can choose between CreateProcessWithTokenW, CreateProcessAsUserW, CreateUser and BindShell.

So this project opens a named pipe server, impersonates any user connecting to it and afterwards performs one of the options mentioned above. If any new SYSTEM auth triggers are published in the future, this tool can still be used to elevate privileges; you just need to use another pipe name in that case.

Examples:

  1. CreateUser with modified PetitPotam trigger:
c:\temp\MultiPotato> MultiPotato.exe -t CreateUser

By default you have 60 seconds (changeable via THEAD_TIMEOUT) to let the SYSTEM account or any other account authenticate. This can be done for example via an unpatched MS-EFSRPC function. By default MultiPotato listens on the pipe name \\.\pipe\pwned/pipe/srvsvc, which is meant to be used in combination with MS-EFSRPC. For other SYSTEM auth triggers you can adjust this value via the -p parameter.

c:\temp\MultiPotato> PetitPotamModified.exe localhost/pipe/pwned localhost

Using PetitPotam.py as the trigger from a remote system with a valid low-privileged user is of course also possible.


  2. CreateProcessAsUserW with SpoolSample trigger:
c:\temp\MultiPotato> MultiPotato.exe -t CreateProcessAsUserW -p "pwned\pipe\spoolss" -e "C:\temp\stage2.exe"

And trigger it via

c:\temp\MultiPotato>MS-RPRN.exe \\192.168.100.150 \\192.168.100.150/pipe/pwned


Important: In my tests with MS-RPRN I could not use localhost or 127.0.0.1 as the target; this has to be the network IP address or FQDN. In addition, the Printer Service needs to be enabled for this to work.

  3. BindShell with SpoolSample PipeName:
c:\temp\MultiPotato> MultiPotato.exe -t BindShell -p "pwned\pipe\spoolss"

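All three examples above share one telemetry artefact: a named pipe whose path nests a second "pipe" component (pwned/pipe/srvsvc, pwned\pipe\spoolss) so that a coerced service connects to an endpoint name it trusts under a prefix it does not. The detection logic below is an added example for defenders and is not part of MultiPotato or its README. It assumes Sysmon-style pipe events (Event ID 17 PipeCreated and 18 PipeConnected, carrying Image and PipeName fields) rendered in a constructed key=value form rather than real Sysmon XML, and the SERVICE_PIPES set is an assumed starting list, not an exhaustive catalogue.

```python
import re
from dataclasses import dataclass

# RPC endpoint pipe names that SYSTEM auth triggers such as MS-EFSRPC (srvsvc, efsrpc)
# and MS-RPRN (spoolss) make a service connect to. Assumption: a starting set for a
# detection rule, extend it for your environment.
SERVICE_PIPES = {"srvsvc", "spoolss", "efsrpc", "lsarpc", "samr", "netlogon"}


@dataclass
class Finding:
    event_id: int    # 17 = pipe created, 18 = pipe connected (Sysmon numbering)
    image: str       # process that created or connected to the pipe
    pipe_name: str   # PipeName field exactly as logged
    reason: str      # why the name looks like a Potato-style decoy pipe


# Constructed sample events in a simplified key=value rendering of Sysmon's
# pipe event fields (not real Sysmon XML). Pipe names mirror the README's examples.
SAMPLE_LOG = [
    'EventID=17 Image="C:\\temp\\MultiPotato.exe" PipeName="\\pwned\\pipe\\spoolss"',
    'EventID=17 Image="C:\\Windows\\System32\\spoolsv.exe" PipeName="\\spoolss"',
    'EventID=18 Image="C:\\Windows\\System32\\lsass.exe" PipeName="\\lsarpc"',
    'EventID=17 Image="C:\\temp\\MultiPotato.exe" PipeName="\\\\.\\pipe\\pwned/pipe/srvsvc"',
    'EventID=1 Image="C:\\Windows\\explorer.exe" CommandLine="explorer.exe"',
]

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def pipe_segments(pipe_name):
    """Normalise a pipe name to its path components below the pipe root.

    Both '/' and '\\' are accepted as separators because the README's own pipe
    names use both forms.
    """
    name = pipe_name.replace("/", "\\")
    # Strip a leading \\.\pipe\ or \\host\pipe\ root if present.
    name = re.sub(r"^\\\\[^\\]+\\pipe\\", "", name, flags=re.IGNORECASE)
    return [seg for seg in name.split("\\") if seg]


def classify_pipe(pipe_name):
    """Return a reason string if the pipe name looks like a Potato decoy, else None."""
    segs = [s.lower() for s in pipe_segments(pipe_name)]
    if len(segs) < 2:
        return None  # a plain service pipe at the root is the legitimate case
    if "pipe" in segs[:-1] and segs[-1] in SERVICE_PIPES:
        return "nested 'pipe' component ending in service pipe '%s'" % segs[-1]
    if segs[-1] in SERVICE_PIPES:
        return "service pipe '%s' under a non-root prefix" % segs[-1]
    return None


def scan(lines):
    """Run the classifier over pipe created/connected events and collect findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") not in ("17", "18"):
            continue
        reason = classify_pipe(ev.get("PipeName", ""))
        if reason:
            findings.append(Finding(int(ev["EventID"]), ev.get("Image", "?"),
                                    ev["PipeName"], reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("event %d  %s  %s  (%s)" % (f.event_id, f.image, f.pipe_name, f.reason))
```

Run against the constructed log, the two MultiPotato pipe names are flagged while the root-level spoolss and lsarpc pipes opened by the real services are not. Pairing a hit with the creating Image and with a following Event ID 18 connection from a SYSTEM service process gives the impersonation chain the README describes; changing the pipe name via -p changes the prefix but not the nested service-pipe suffix the rule keys on.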

Why??

I recently had a penetration test where I was able to pwn a MSSQL server via SQL injection and XP_CMDShell. But all public Potatoes failed on this target system to elevate privileges from the service account to SYSTEM. The SYSTEM auth trigger was not the problem; instead, CreateProcessWithTokenW failed all the time with NTSTATUS code 5 - access forbidden. This didn't really make sense to me and may be an edge case. One reason for that could be the local endpoint protection, which may have blocked the process creation after impersonating SYSTEM.

Therefore I searched for alternatives and asked some people on Twitter about it. Again, credit to @splinter_code for explaining to me how to do it via CreateProcessAsUserW, which worked fine on the pwned MSSQL server to get a SYSTEM C2 callback.
