incursi0n/GodPotatoBOF
A Cobalt Strike BOF based on GodPotato that uses the SeImpersonate privilege for local privilege escalation.
# GodPotatoBOF
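A Cobalt Strike Beacon Object File port of [GodPotato](https://github.com/BeichenDream/GodPotato).
The BOF triggers the GodPotato privilege escalation flow and supports two behaviors:
- Default mode: steals a SYSTEM token and spawns a process to run a command
- `token` mode: steals a SYSTEM token and applies it to the current Beacon via `BeaconUseToken()`
## Getting Started
1. Git clone the repository
2. Run `make`
## Usage
1. Import `godpotato.cna` into Cobalt Strike
2. Execute the BOF using the CNA alias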
```
godpotato [token] [-cmd ] [-pipe ]
```
Arguments:
```
(none)              Run "cmd /c whoami" as SYSTEM.
token               Apply a SYSTEM token to the current Beacon with BeaconUseToken().
-cmd                Run a command as SYSTEM in a spawned process.
-pipe               Use a custom named pipe. Default is a random pipe name.
help,-h,--help,/?   Show this help.
```
Examples:
```
godpotato
godpotato token
godpotato help
godpotato -cmd "cmd /c whoami /priv"
godpotato -cmd "cmd /c whoami" -pipe "mycustompipe"
```
Credits:
- https://github.com/BeichenDream/GodPotato
- https://github.com/MEhrn00/boflink
- https://github.com/trustedsec/CS-Situational-Awareness-BOF/tree/master/src/base_template
- https://github.com/CodeXTF2/bof_template