
SeImpersonatePrivilege

🤷 Abusing SeImpersonate and SeAssignPrimaryToken

In Windows, every process carries a primary access token that describes the security context it runs under: the account SID, its group memberships, and its privileges. The token itself is a kernel object, so user-mode code cannot simply edit it; what makes it an attack surface is that a process holding the right privilege may impersonate any token it can get a handle to, including a SYSTEM token that a higher-privileged service hands over when it connects to something the attacker controls.

Impersonating such a token requires the SeImpersonate privilege (or SeAssignPrimaryToken, to assign the token to a new process). These are not reserved for administrators: they are also held by the built-in service accounts (LOCAL SERVICE, NETWORK SERVICE) and by any account that runs a Windows service, which is exactly why web and database service accounts so often have them.

We will often run into this privilege after gaining remote code execution via an application that runs in the context of a service account.

List our privileges

whoami /priv

If the command whoami /priv shows SeImpersonatePrivilege in the list, we may use it to impersonate a privileged account such as NT AUTHORITY\SYSTEM. The State column does not matter for this purpose: a privilege listed as Disabled is still held by the token, and a process can enable it itself (the tools below do so).

Several tools automate this, such as JuicyPotato, PrintSpoofer, or RoguePotato; which one works depends on the target host. JuicyPotato relies on DCOM behaviour that was changed in Windows 10 1809 / Server 2019, so it fails on those and later builds; PrintSpoofer needs the Print Spooler service to be running; RoguePotato needs a host you control that the target can reach on TCP port 135, so the OXID resolver request can be redirected to its listener.
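A quick triage script for the shell you already have on the target, as an added example that is not part of the original page or of any of the tools it mentions. It parses whoami /priv for the two privileges, treats a Disabled state as still usable, and then uses the OS build number and the Spooler service state to suggest which tool is worth trying first. The build threshold (17763, the Windows 10 1809 / Server 2019 build) and the spooler dependency are assumptions taken from the tools' own documentation, not from this page.

```powershell
# Added example: triage SeImpersonate / SeAssignPrimaryToken on the current token.
# Assumes whoami.exe and Get-Service are available in the compromised session.

function Get-TokenPrivileges {
    # whoami /priv prints a table: Privilege Name, Description, State.
    # Columns are separated by runs of spaces, so split on two or more spaces.
    $table = @{}
    foreach ($line in (whoami /priv)) {
        if ($line -match '^(Se\w+Privilege)\s') {
            $parts = $line -split '\s{2,}'
            $table[$parts[0]] = $parts[-1]   # last column is Enabled / Disabled
        }
    }
    return $table
}

$privs = Get-TokenPrivileges
$wanted = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'
$held = @($wanted | Where-Object { $privs.ContainsKey($_) })

if ($held.Count -eq 0) {
    Write-Output 'Neither SeImpersonatePrivilege nor SeAssignPrimaryTokenPrivilege is held; Potato-style escalation does not apply.'
    return
}

foreach ($p in $held) {
    # A Disabled state only means the privilege is not currently enabled in the token;
    # the process that holds it can enable it, so it still counts as usable.
    Write-Output ("{0} is held (state: {1})" -f $p, $privs[$p])
}

# Tool selection hints (assumed thresholds, see lead-in).
$build   = [Environment]::OSVersion.Version.Build
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

if ($build -lt 17763) {
    Write-Output "Build $build is older than 1809/2019: JuicyPotato is a candidate."
} else {
    Write-Output "Build $build is 1809/2019 or newer: JuicyPotato is unlikely to work; try PrintSpoofer or RoguePotato."
}

if ($spooler -and $spooler.Status -eq 'Running') {
    Write-Output 'Print Spooler is running: PrintSpoofer is a candidate.'
} else {
    Write-Output 'Print Spooler is not running: PrintSpoofer will not work; RoguePotato needs a reachable host you control on TCP 135.'
}
```

Run it as a .ps1 or paste it into the session; it only reads the token and the service list, so it is safe to run on a host you are still enumerating.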

🥔 JuicyPotato: SeImpersonate or SeAssignPrimaryToken

RottenPotatoNG and its variants leverage a privilege escalation chain based on the BITS service having a MiTM listener on 127.0.0.1:6666, usable when you have SeImpersonate or SeAssignPrimaryToken privileges. During a Windows build review we found a setup where BITS was intentionally disabled and port 6666 was taken.

See more on JuicyPotato

🖨️ PrintNightmare

PrintNightmare is the nickname given to two vulnerabilities (CVE-2021-34527 and CVE-2021-1675) found in the Print Spooler service, which runs by default on all Windows operating systems.

See more on PrintNightmare

PrintSpoofer is a different Print Spooler abuse and does not depend on the PrintNightmare CVEs. It uses the spooler's printer change notification RPC call to make the SYSTEM-level spooler connect to a named pipe controlled by the attacker, then uses SeImpersonatePrivilege to impersonate the SYSTEM token of that pipe client and spawn a process with it. It works on Windows 10 and Server 2016/2019 builds where JuicyPotato no longer does, provided the Spooler service is running.

See more on PrintSpoofer

Last update: 2025-04-13
Created: April 13, 2025 13:19:01