Awesome
BadPotato
Forked from here. Modified to act as a pwncat-windows-c2 plugin and to avoid triggering Windows Defender when loaded reflectively.
BadPotato leaks a system token handle through the MS RPN API, which can be used to get NT AUTHORITY\SYSTEM access if you have the SeImpersonatePrivilege.
Upstream Sources
https://github.com/vletoux/pingcastle
https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/