Impersonate Token

Meterpreter Incognito

meterpreter > load incognito

#list all available tokens, grouped by user
meterpreter > list_tokens -u

#impersonate a token: give the complete username in DOMAIN\user form; the backslash is doubled in meterpreter
meterpreter > impersonate_token "<DOMAIN\\username>"

SeImpersonatePrivilege

If there is antivirus and you are able to bypass AMSI, it is better to use Invoke-ReflectivePEInjection to run printspoofer.exe or godpotato.exe.

The tricky part is when the exe needs arguments; the tip is to modify the exe and remove the arguments so that it directly executes a reverse shell or something else.

This meterpreter trick will make your life easier:

https://hacker-mind.gitbook.io/hacker-mind/metasploit/meterpreter-tricks#manage-multi-session

PrintSpoofer

Use this release: https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0

If you have an interactive shell, you can create a new SYSTEM process in your current console.

Use case: bind shell, reverse shell, psexec.py, etc.

or

If you can execute commands but you don't have an interactive shell, you can create a new SYSTEM process and exit immediately without interacting with it.

Use case: WinRM, WebShell, wmiexec.py, smbexec.py, etc.

GodPotato (the latest Potato variant)

Reference:

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens

Other Privileges

https://github.com/daem0nc0re/PrivFu/tree/main/PrivilegedOperations
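The SeImpersonatePrivilege section above and the PrivFu link under Other Privileges both come down to the same triage question: which privileges does a given account hold, and which of them are known escalation primitives. The following Python helper is an added example written for this page (it is not code from the page's author, from PrintSpoofer, GodPotato or PrivFu). It parses the table printed by `whoami /priv` and the `[Privilege Rights]` section of a `secedit /export` dump, flags the privileges the linked references treat as dangerous, and reports SeImpersonatePrivilege grants that go beyond the Windows defaults. The function names, the `RISKY_PRIVILEGES` table and both sample outputs are this example's own constructed assumptions.

```python
"""Privilege triage helpers for a Windows host: parse `whoami /priv` output
and a `secedit /export` user-rights dump, and flag privileges with a known
escalation path. Added example for this page, not code from the page's author
or from the linked projects; the sample outputs below are constructed."""
import re
from dataclasses import dataclass

# Privileges the linked HackTricks / PrivFu references treat as escalation
# primitives. Each note is a defender's one-line summary, not a procedure.
RISKY_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonate a client token (PrintSpoofer / *Potato family)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token (same family as SeImpersonate)",
    "SeDebugPrivilege": "open and tamper with any process, including SYSTEM ones",
    "SeBackupPrivilege": "read any file regardless of ACL (e.g. registry hives)",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeCreateTokenPrivilege": "forge arbitrary tokens",
    "SeTcbPrivilege": "act as part of the operating system",
}

# Default holders of SeImpersonatePrivilege on a stock Windows install.
DEFAULT_IMPERSONATE_HOLDERS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-6": "NT AUTHORITY\\SERVICE",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}

@dataclass(frozen=True)
class Privilege:
    name: str
    description: str
    enabled: bool

_PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)$")

def parse_whoami_priv(text: str) -> list[Privilege]:
    """Parse the table printed by `whoami /priv`; header and separator lines are skipped."""
    privs = []
    for line in text.splitlines():
        m = _PRIV_LINE.match(line.strip())
        if m:
            privs.append(Privilege(m.group(1), m.group(2), m.group(3) == "Enabled"))
    return privs

def flag_escalation_paths(privs: list[Privilege]) -> list[tuple[str, str, bool]]:
    """(name, why it matters, currently enabled) for every risky privilege held.
    A 'Disabled' state is not a mitigation: the token holder can enable the
    privilege with AdjustTokenPrivileges, so disabled ones are reported too."""
    return [(p.name, RISKY_PRIVILEGES[p.name], p.enabled)
            for p in privs if p.name in RISKY_PRIVILEGES]

def parse_secedit_user_rights(cfg_text: str) -> dict[str, list[str]]:
    """Read the [Privilege Rights] section of a `secedit /export /cfg <file>`
    dump (decode the file as UTF-16 first; secedit writes it that way).
    Values look like `SeImpersonatePrivilege = *S-1-5-6,*S-1-5-19`."""
    rights, in_section = {}, False
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            sids = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
            rights[name.strip()] = sids
    return rights

def nondefault_impersonate_grants(rights: dict[str, list[str]]) -> list[str]:
    """SIDs granted SeImpersonatePrivilege beyond the Windows defaults. Expect
    IIS_IUSRS on IIS hosts; anything else needs a reason in the hardening review."""
    return [sid for sid in rights.get("SeImpersonatePrivilege", [])
            if sid not in DEFAULT_IMPERSONATE_HOLDERS]

# Constructed sample: what a service-account shell typically shows.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Constructed sample: a secedit export with one extra, non-default grant.
SAMPLE_SECEDIT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-21-1000-2000-3000-1105
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for name, why, enabled in flag_escalation_paths(parse_whoami_priv(SAMPLE_WHOAMI_PRIV)):
        print(f"{name:<32} {'enabled' if enabled else 'disabled':<9} {why}")
    print("non-default SeImpersonatePrivilege grants:",
          nondefault_impersonate_grants(parse_secedit_user_rights(SAMPLE_SECEDIT)))
```

On the constructed sample the triage reports SeAssignPrimaryTokenPrivilege (disabled) and SeImpersonatePrivilege (enabled), which is exactly the pair the PrintSpoofer and Potato sections rely on, and the secedit check surfaces the one domain SID that is not a default holder. For a real host, paste the captured `whoami /priv` text into `parse_whoami_priv` and the decoded secedit export into `parse_secedit_user_rights`; reviewing the non-default grants and the service accounts behind the SERVICE SID is where the hardening work starts.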