incursi0n/GodPotatoBOF

GodPotatoBOF

A Beacon Object File port of GodPotato for Cobalt Strike.

This BOF triggers the GodPotato privilege escalation flow and supports two behaviors:

  • default mode: steal a SYSTEM token and spawn a process to run a command
  • token mode: steal a SYSTEM token and apply it to the current Beacon with BeaconUseToken()

To start

  1. Git clone the repo
  2. Run make

Usage

  1. Import godpotato.cna into Cobalt Strike
  2. Execute the BOF with the CNA alias:

godpotato [token] [-cmd <command>] [-pipe <name>]

Argument summary:

(none)             Run "cmd /c whoami" as SYSTEM.
token              Apply a SYSTEM token to the current Beacon with BeaconUseToken().
-cmd <cmd>         Run a command as SYSTEM in a spawned process.
-pipe <name>       Use a custom named pipe. Default is a random pipe name.
help,-h,--help,/?  Show this help.

Examples:

godpotato
godpotato token
godpotato help
godpotato -cmd "cmd /c whoami /priv"
godpotato -cmd "cmd /c whoami" -pipe "mycustompipe"
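
A defender's view of the default mode described above, as an added example that is not part of this repository: it flags a SYSTEM process whose recorded parent ran as a non-SYSTEM account, and rates the hit higher when the parent is a service identity that holds SeImpersonatePrivilege by default. The event fields and sample events are constructed, and the check assumes the telemetry records the spawning process as the parent.

```python
# Added detection example. EVENTS are constructed; field names are assumptions
# modeled on process-creation telemetry, not the schema of a specific product.
SYSTEM = "NT AUTHORITY\\SYSTEM"
# Service identities that hold SeImpersonatePrivilege by default.
SERVICE_PREFIXES = ("NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\LOCAL SERVICE",
                    "IIS APPPOOL\\", "NT SERVICE\\")

EVENTS = [
    {"pid": 600, "ppid": 500, "user": SYSTEM, "image": "services.exe", "cmd": "services.exe"},
    {"pid": 900, "ppid": 600, "user": SYSTEM, "image": "svchost.exe", "cmd": "svchost.exe -k iissvcs"},
    {"pid": 2100, "ppid": 900, "user": "IIS APPPOOL\\DefaultAppPool", "image": "w3wp.exe",
     "cmd": "w3wp.exe -ap DefaultAppPool"},
    {"pid": 3344, "ppid": 2100, "user": SYSTEM, "image": "cmd.exe", "cmd": "cmd /c whoami"},
    {"pid": 3400, "ppid": 3344, "user": SYSTEM, "image": "whoami.exe", "cmd": "whoami"},
    {"pid": 4000, "ppid": 1200, "user": "CORP\\alice", "image": "powershell.exe", "cmd": "powershell.exe"},
    {"pid": 4100, "ppid": 4000, "user": SYSTEM, "image": "cmd.exe", "cmd": "cmd.exe"},
]


def is_system(user):
    return user.upper() == SYSTEM


def find_privilege_jumps(events):
    """Return SYSTEM processes whose recorded parent ran as a non-SYSTEM account."""
    # PID reuse is ignored here; in practice scope the lookup by host and time window.
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # Skip events with no known parent, non-SYSTEM children, and SYSTEM parents.
        if parent is None or not is_system(e["user"]) or is_system(parent["user"]):
            continue
        service_parent = parent["user"].upper().startswith(SERVICE_PREFIXES)
        hits.append({"pid": e["pid"], "cmd": e["cmd"],
                     "parent_image": parent["image"], "parent_user": parent["user"],
                     "severity": "high" if service_parent else "medium"})
    return hits


if __name__ == "__main__":
    for hit in find_privilege_jumps(EVENTS):
        print(hit)
```

The token mode described above applies the token to the existing Beacon rather than spawning a process, so it produces no process-creation event for this check to match.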

Credits:

About

Cobalt Strike BOF used to perform privilege escalation by exploiting the SeImpersonate privilege. Based on the original GodPotato PoC by BeichenDream.
