nettitude / PoshC2

A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement.


[BUG] - PrintSpoofer

b4b857f6ee opened this issue · comments

Description

I'm trying to use the PrintSpoofer exploit, but I can't get the shell; I get a strange answer from PoshC2.

This one : https://github.com/itm4n/PrintSpoofer

Execution Environment:

Full Posh version (all the text between the === at the top of the Implant Handler): 6.0, implant .exe, migrate
OS & version: Ubuntu 18.04
Using Docker/containerisation? No docker

Implant Info

  • What implant does the problem occur on? PowerShell/C#/Python
  • How was the implant created? Running a default payload? Inject-shellcode? Custom payload? Default payload

Defensive Technologies

  • Windows Defender (...)

To Reproduce

Steps to reproduce the behavior:

  1. Infect the computer
  2. Upload the generated exploit from https://github.com/itm4n/PrintSpoofer
  3. Execute the exploit like this: -i -c powershell
  4. See the error in the Posh return

Expected behavior

Get the NT AUTHORITY\SYSTEM shell.

Screenshots

Local exploit: (works, in blue)
PoshC2 exploit: (fails, in black)

Additional context

I found I can disable the firewall, but I can't relaunch the payload; it's not working to get a second implant :/...
I found we can start the command "startanotherimplant", but nothing helpful.

It looks like you're trying to create an interactive prompt using PrintSpoofer (-i), which you're not going to be able to do down C2 as it's not an interactive process?

It's because I am on the same console on the 1st screen and I can interact. I don't know how the C2 payload can handle it.
But another thing I was thinking of is launching the same payload with the exploit. With the exploit I can modify the firewall policy, for example, but when I try to launch the payload, it's not working. Maybe I need to launch it with an option?

But you're also passing the -i interactive flag when you call it down PoshC2, and it looks like all that command is then doing is calling powershell.exe (which is an interactive process), is that correct? I'm not sure if it's just been obfuscated or not.

I'd try calling the PrintSpoofer binary without the -i flag and then for example calling one of the Posh payload executables or similar, something that doesn't launch an interactive process.

Oh, I managed to make it work.
So even if I can't get a shell, I can launch 2 implants and do a reverse shell.
My solution was to prepare an implant using a pre-configured proxy, because NT AUTHORITY\SYSTEM doesn't use the system proxy by default. And I have my implant running as NT AUTHORITY\SYSTEM on the PoshC2 CLI :). I just launch the implant with the proxy pre-configured via PrintSpoofer -c, and that's all.
So it works for me in this case, and this is not really a bug (maybe).

Sweet, glad it's working!