Add getsystem technique 6 Named Pipe Impersonation (Efs variant - AKA EfsPotato)

cdelafuente-r7 · cdelafuente-r7 · commit f804a589707f · 2022-06-14T15:31:15.000+02:00
diff --git a/lib/rex/post/meterpreter/extensions/priv/priv.rb b/lib/rex/post/meterpreter/extensions/priv/priv.rb
@@ -30,7 +30,8 @@ def self.extension_id
     named_pipe_2: 2,
     token_dup: 3,
     named_pipe_rpcss: 4,
-    named_pipe_print_spooler: 5
+    named_pipe_print_spooler: 5,
+    named_pipe_efs: 6
   }.freeze
 
   #
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb
@@ -24,6 +24,7 @@ class Console::CommandDispatcher::Priv::Elevate
   ELEVATE_TECHNIQUE_SERVICE_TOKENDUP        = 3
   ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE_RPCSS = 4
   ELEVATE_TECHNIQUE_NAMEDPIPE_PRINTSPOOLER  = 5
+  ELEVATE_TECHNIQUE_NAMEDPIPE_EFS           = 6
 
   ELEVATE_TECHNIQUE_DESCRIPTION =
     [
@@ -32,7 +33,8 @@ class Console::CommandDispatcher::Priv::Elevate
       'Named Pipe Impersonation (Dropper/Admin)',
       'Token Duplication (In Memory/Admin)',
       'Named Pipe Impersonation (RPCSS variant)',
-      'Named Pipe Impersonation (PrintSpooler variant)'
+      'Named Pipe Impersonation (PrintSpooler variant)',
+      'Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)'
     ]
 
   #
diff --git a/modules/post/windows/escalate/getsystem.rb b/modules/post/windows/escalate/getsystem.rb
@@ -33,7 +33,7 @@ def initialize(info = {})
     )
 
     register_options([
-      OptInt.new('TECHNIQUE', [false, "Specify a particular technique to use (1-5), otherwise try them all", 0])
+      OptInt.new('TECHNIQUE', [false, "Specify a particular technique to use (1-6), otherwise try them all", 0])
     ])
   end
 

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,8 @@ def self.extension_id`
`30`	`30`	`named_pipe_2: 2,`
`31`	`31`	`token_dup: 3,`
`32`	`32`	`named_pipe_rpcss: 4,`
`33`		`- named_pipe_print_spooler: 5`
	`33`	`+ named_pipe_print_spooler: 5,`
	`34`	`+ named_pipe_efs: 6`
`34`	`35`	`}.freeze`
`35`	`36`
`36`	`37`	`#`
Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ class Console::CommandDispatcher::Priv::Elevate`
`24`	`24`	`ELEVATE_TECHNIQUE_SERVICE_TOKENDUP = 3`
`25`	`25`	`ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE_RPCSS = 4`
`26`	`26`	`ELEVATE_TECHNIQUE_NAMEDPIPE_PRINTSPOOLER = 5`
	`27`	`+ ELEVATE_TECHNIQUE_NAMEDPIPE_EFS = 6`
`27`	`28`
`28`	`29`	`ELEVATE_TECHNIQUE_DESCRIPTION =`
`29`	`30`	`[`
`@@ -32,7 +33,8 @@ class Console::CommandDispatcher::Priv::Elevate`
`32`	`33`	`'Named Pipe Impersonation (Dropper/Admin)',`
`33`	`34`	`'Token Duplication (In Memory/Admin)',`
`34`	`35`	`'Named Pipe Impersonation (RPCSS variant)',`
`35`		`- 'Named Pipe Impersonation (PrintSpooler variant)'`
	`36`	`+ 'Named Pipe Impersonation (PrintSpooler variant)',`
	`37`	`+ 'Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)'`
`36`	`38`	`]`
`37`	`39`
`38`	`40`	`#`
Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ def initialize(info = {})`
`33`	`33`	`)`
`34`	`34`
`35`	`35`	`register_options([`
`36`		`- OptInt.new('TECHNIQUE', [false, "Specify a particular technique to use (1-5), otherwise try them all", 0])`
	`36`	`+ OptInt.new('TECHNIQUE', [false, "Specify a particular technique to use (1-6), otherwise try them all", 0])`
`37`	`37`	`])`
`38`	`38`	`end`
`39`	`39`