SeImpersonatePrivilege Token Impersonation

Method 1 - PrintSpoofer.exe

By default, members of the device's local Administrators group and the device's local Service account are assigned the "Impersonate a client after authentication" user right. When you assign the "Impersonate a client after authentication" user right to a user, you permit programs that run on behalf of that user to impersonate a client. This security setting helps to prevent unauthorized servers from impersonating clients that connect to it through methods such as remote procedure calls (RPC) or named pipes.
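Because the risk described above hinges on which accounts hold this user right, a defender will want to enumerate them rather than rely on the defaults. The following PowerShell audit helper is an added example, not code from the original page; it assumes it runs as a local administrator (secedit requires that) and uses a scratch file under `$env:TEMP`.

```powershell
# Added audit helper (not from the original page): lists which accounts hold
# "Impersonate a client after authentication" (SeImpersonatePrivilege) on this host.
# Assumes local administrator rights (needed by secedit) and a writable $env:TEMP.

function Get-ImpersonatePrivilegeHolders {
    param(
        # Assumed scratch location for the exported policy fragment.
        [string]$ExportPath = (Join-Path $env:TEMP 'user-rights-audit.inf')
    )

    # Export only the user-rights area of the local security policy.
    secedit /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $ExportPath)) { throw "secedit export failed: $ExportPath not written" }

    # The .inf is INI-style; under [Privilege Rights] the line of interest looks like:
    #   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,...
    $line = Get-Content $ExportPath |
            Where-Object { $_ -match '^\s*SeImpersonatePrivilege\s*=' } |
            Select-Object -First 1
    Remove-Item $ExportPath -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right assigned to nobody

    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($entry in $entries) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # Entries prefixed with * are SIDs; translate each to an account name.
            $sid = $entry.Substring(1)
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch { $name = '<unresolvable SID>' }
        } else {
            # Some exports list the account name directly instead of a SID.
            $sid  = '<n/a>'
            $name = $entry
        }
        [pscustomobject]@{ Account = $name; Sid = $sid }
    }
}

# Compare the result against the defaults the text describes (local Administrators
# and the Service account); any extra holder, such as a custom service identity,
# is one more account whose compromise leads straight to token impersonation.
Get-ImpersonatePrivilegeHolders | Format-Table -AutoSize
```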

Privilege escalation with SeImpersonatePrivilege breaks down into three steps:

  1. Trick the SYSTEM account into authenticating via NTLM to an endpoint that we control.

  2. Intercept this authentication attempt and locally negotiate a security token for the SYSTEM account.

  3. Impersonate the token that was just negotiated through this man-in-the-middle position. For token impersonation to work, SeImpersonatePrivilege is a must.

When I type whoami /priv on a compromised system, I get SeImpersonatePrivilege enabled on the system, indicating that token impersonation would work.

I downloaded PrintSpoofer.exe (x64 or x86) and uploaded it to the compromised system (using smbclient here).

Finally, I just need to change to the directory it was uploaded to and run the exploit with the following command:

PrintSpoofer.exe -i -c cmd

Method 2 - Juicy Potato

Covered on the Potatoes page.
