Forked from here. Modified to act as a pwncat-windows-c2 plugin, and also not trigger Windows Defender when loaded reflectively.
BadPotato leaks a system token handle through the MS RPN API, which can be used to get NT AUTHORITY\SYSTEM access if you have the SeImpersonatePrivilege.
https://github.com/vletoux/pingcastle
https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/