SeImpersonate and SeAssignPrimaryToken
In Windows, every process has a token that contains information about the account that is running it. These tokens are not considered secure resources, as they are simply locations in memory that could be brute-forced by users who cannot read memory.
To use another process's token, the SeImpersonate privilege is needed.
Legitimate programs may use another process's token to escalate from Administrator to Local System. Processes generally do this by making a call to the WinLogon process to get a SYSTEM token, then executing themselves with that token, which places them within the SYSTEM space.
Attackers often abuse the SeImpersonate privilege with "potato style" (e.g. JuicyPotato) privilege escalations, where a service account holds SeImpersonate but does not have full SYSTEM level privileges.
In short, the "Potato" attack tricks a process running as SYSTEM into connecting to the attacker's process, which hands over a SYSTEM token that can then be used.
We will often find the SeImpersonate privilege enabled after gaining remote execution via an application that runs in the context of a service account (think Jenkins, executing commands through MSSQL, or ASP/ASPX web shells through a web application).
SeImpersonate Example - JuicyPotato
Scenario: we have gained an initial foothold within the MSSQL server. The SQL service is running in the context of the default mssqlserver account, and we have achieved command execution through xp_cmdshell using a set of credentials we found in a login.sql file on a file share with the Snaffler tool.
Connect to the SQL server instance and confirm our privileges.
Enable xp_cmdshell.
Let's check our account privileges (whoami /priv).
We can see we have the SeImpersonate privilege enabled.
We can use SeImpersonate to impersonate a privileged account such as NT AUTHORITY\SYSTEM.
We can use JuicyPotato to exploit the SeImpersonate or the SeAssignPrimaryToken privilege via DCOM/NTLM reflection abuse.
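From the defender's side, the check that matters is which principals on a host are granted these two privileges in the first place. The following PowerShell is an added example (not part of the original notes) that exports the local security policy with secedit and lists the holders of SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege; it assumes an elevated prompt, since secedit /export requires administrator rights.

```powershell
# Added example: audit which principals hold the impersonation-class privileges
# on this host. Assumption: run from an elevated PowerShell prompt.
$inf = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The two privileges that potato-style escalation relies on
$watch = @('SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege')

# Policy lines look like:
#   SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
foreach ($line in (Get-Content $inf)) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $watch -contains $Matches[1]) {
        $priv = $Matches[1]
        $holders = $Matches[2] -split ',' | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                # A leading * marks a SID; translate it to an account name where possible
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $entry.Substring(1) }   # unresolvable SID: keep the raw value
            } else {
                $entry
            }
        }
        [PSCustomObject]@{ Privilege = $priv; Holders = ($holders -join '; ') }
    }
}

Remove-Item $inf -ErrorAction SilentlyContinue
```

If a service account such as the SQL service account shows up only through NT AUTHORITY\SERVICE (S-1-5-6), the privilege comes from running as a service rather than from an explicit grant, so reducing what that service exposes (for example xp_cmdshell) matters more than editing the policy line.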
Exploiting SeImpersonate with JuicyPotato
Let's upload both our JuicyPotato and nc64.exe binaries in our MSSQL session.
Let's start a netcat listener.
Let's execute jc.exe (JuicyPotato) with the following options:
-l: the COM server listening port. A COM server is an executable (EXE or DLL) that implements a set of COM objects and follows the standard COM rules to communicate with one another.
-p: the program to launch (cmd.exe).
-a: the argument passed to cmd.exe.
-t: the CreateProcess call. We specified *, meaning try both CreateProcessWithTokenW (SeImpersonate privilege) and CreateProcessAsUser (SeAssignPrimaryToken privilege).
Looking back at our listener, we have a shell as nt authority\system.
PrintSpoofer and RoguePotato
JuicyPotato does not work on Windows Server 2019 and Windows 10 build 1809 onwards.
However, PrintSpoofer and RoguePotato can be used to leverage the same privileges and gain NT AUTHORITY\SYSTEM level access; these tools can be used to abuse impersonation privileges on Windows 10 and Server 2019.
Escalating privileges using PrintSpoofer
We can use this tool to spawn a SYSTEM process in our current console and interact with it, spawn a SYSTEM process on the desktop (if we are using RDP or logged on locally), or even catch a reverse shell.
Again, we will connect with Impacket's mssqlclient.
-c: the argument to execute; in our case we want to establish a reverse shell with nc.exe.
Let's download the JuicyPotato binary from