Token Impersonation:

Token impersonation is a technique for using another account's access token from the context we already hold: from a service account or an ordinary user up to a more privileged account such as Administrator. It is useful in an attack scenario where we have a shell on a Windows system as a low-privileged user and need to reach "Administrator" or "NT AUTHORITY\SYSTEM" access.

Our target OS: Windows 10 Pro/Enterprise, Windows Server 2016

Prerequisite:

  1. A target Windows box
  2. Kali Linux
  3. A shell from the target Windows box back to Kali

Basic Info for Token Impersonation:

The account we hold the shell as on the target Windows box must have at least one of these privileges:

1. SeImpersonatePrivilege

2. SeAssignPrimaryTokenPrivilege
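A defender auditing service accounts wants the same check the attacker performs here: does this identity's token carry either privilege? The following script is an added example, not code from the original post. It parses the output of `whoami /priv` (a constructed sample below, in the shape that command prints for an IIS application-pool identity) and reports the impersonation-related privileges found. The function names are my own.

```python
"""Audit `whoami /priv` output for token-impersonation privileges.

Added example (hypothetical helper, not part of the original post).
It parses the table printed by `whoami /priv` on Windows and reports
whether the account holds SeImpersonatePrivilege or
SeAssignPrimaryTokenPrivilege.
"""
from __future__ import annotations

import re

# Holding either of these is the precondition the post describes.
IMPERSONATION_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
}

# Constructed sample in the format of `whoami /priv` for a typical
# IIS application-pool identity (values chosen for illustration).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_whoami_priv(text: str) -> dict[str, str]:
    """Return {privilege_name: state} from `whoami /priv` output.

    Data rows start after the '===== =====' separator line. Each row is
    name, free-text description, state: the name is the first token and
    the state the last, so the description may contain spaces.
    """
    privileges: dict[str, str] = {}
    in_table = False
    for line in text.splitlines():
        if re.match(r"^=+\s+=+", line):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith("Se"):
            continue
        privileges[parts[0]] = parts[-1]
    return privileges


def impersonation_privileges(privileges: dict[str, str]) -> dict[str, str]:
    """Return only the impersonation-related privileges the token holds.

    A 'Disabled' privilege is still reported: a privilege present in the
    token can be enabled by the process itself via AdjustTokenPrivileges,
    so only its absence from the token removes the risk.
    """
    return {
        name: state
        for name, state in privileges.items()
        if name in IMPERSONATION_PRIVILEGES
    }


if __name__ == "__main__":
    held = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    for name, state in impersonation_privileges(held).items():
        print(f"{name}: {state}")
```

On a real host, feed the script the captured output of `whoami /priv` run as each service identity you want to audit. The point of the second function is the caveat in its docstring: "Disabled" in the State column only means the privilege is not currently enabled, not that the account lacks it, so it must be treated the same as "Enabled" when deciding whether an identity is at risk.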

Target: Windows 10 Pro

Step:1

First we obtain a reverse shell from the target Windows 10 Pro system to our Kali Linux box. Here I exploited an IIS web page, which gives us the foothold from which to escalate privileges.

Step:2

Next, check what type of user we have and which privileges that user holds.

Target user: IIS APPPOOL\DefaultAppPool

The current user has SeImpersonatePrivilege. Before exploiting it we need to check the operating system version and pick the exploit that matches it.

Step:3

We have Windows 10 Pro, so the JuicyPotato exploit works for this OS. Download the exploit from here.

Exploit link ==> windows-10-pro-EXPLOIT

Step:4

After running the exploit with a suitable CLSID, we get an NT AUTHORITY\SYSTEM shell. You can find a list of CLSIDs here.

CLSID list ==> CLSID

As the screenshot above shows, the exploit works with the default BITS CLSID. A few other services can also be used, via their CLSIDs, to gain a higher-privileged shell.

Service names: TrustedInstaller, Winmgmt

The two screenshots below show the CLSIDs of the two services named above. In both cases we got a shell.

Using the Winmgmt CLSID:

Using the TrustedInstaller CLSID:

We successfully exploited the target. This weakness is patched in the newest update for Windows 10 Pro. The same method also works on Windows 10 Enterprise and Windows Server 2016; the only difference is the CLSID. You may have to find the CLSIDs of other services that run with the built-in NT AUTHORITY\SYSTEM privileges.
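Whichever service CLSID is used, the artefact left on the host is the same: a process running as NT AUTHORITY\SYSTEM whose parent chain leads back to a process running as the application-pool identity. The following detection helper is an added example, not code from the original post; it correlates constructed Sysmon-style process-creation records (Event ID 1 fields; GUIDs and paths are made up) by ProcessGuid/ParentProcessGuid and flags every child that runs as SYSTEM while its parent does not. Field names follow Sysmon; the function and record names are my own.

```python
"""Flag child processes that run as a higher-privileged account than their
parent, the trace left when a service account obtains a SYSTEM token.

Added example (hypothetical detection helper, not from the original post).
"""
from __future__ import annotations

# Constructed sample records in the shape of Sysmon Event ID 1 (process
# creation). GUIDs, paths and users are illustrative only.
SAMPLE_EVENTS = [
    {"ProcessGuid": "{A1}", "ParentProcessGuid": "{00}",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "User": r"IIS APPPOOL\DefaultAppPool"},
    {"ProcessGuid": "{A2}", "ParentProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "User": r"IIS APPPOOL\DefaultAppPool"},   # benign: same identity as parent
    {"ProcessGuid": "{A3}", "ParentProcessGuid": "{A2}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "User": r"NT AUTHORITY\SYSTEM"},          # suspicious: jumped to SYSTEM
    {"ProcessGuid": "{B1}", "ParentProcessGuid": "{00}",
     "Image": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessGuid": "{B2}", "ParentProcessGuid": "{B1}",
     "Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM"},          # benign: SYSTEM parent, SYSTEM child
]

# Accounts whose appearance in a child of a lower-privileged parent is a
# privilege jump. Extend per environment (e.g. other built-in service SIDs).
HIGH_PRIVILEGE_ACCOUNTS = {r"NT AUTHORITY\SYSTEM"}


def is_high_privilege(user: str) -> bool:
    """Case-insensitive membership test against HIGH_PRIVILEGE_ACCOUNTS."""
    return user.upper() in {a.upper() for a in HIGH_PRIVILEGE_ACCOUNTS}


def find_privilege_jumps(events: list[dict]) -> list[dict]:
    """Return one finding per child running as a high-privilege account
    whose parent (looked up by ParentProcessGuid) does not.

    Parents that are absent from the event set (e.g. started before
    logging began) cannot be judged and are skipped.
    """
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for child in events:
        parent = by_guid.get(child["ParentProcessGuid"])
        if parent is None:
            continue
        if is_high_privilege(child["User"]) and not is_high_privilege(parent["User"]):
            findings.append({
                "child_guid": child["ProcessGuid"],
                "child_image": child["Image"],
                "child_user": child["User"],
                "parent_guid": parent["ProcessGuid"],
                "parent_image": parent["Image"],
                "parent_user": parent["User"],
            })
    return findings


if __name__ == "__main__":
    for f in find_privilege_jumps(SAMPLE_EVENTS):
        print(f"{f['parent_user']} ({f['parent_image']}) -> "
              f"{f['child_user']} ({f['child_image']})")
```

The correlation by GUID is what makes the rule precise: a SYSTEM `cmd.exe` on its own is normal, a SYSTEM `cmd.exe` whose parent runs as an application-pool identity is not. Legitimate elevation paths (services started by `services.exe`, scheduled tasks, UAC elevation) all have a SYSTEM parent and so do not trigger the rule, which keeps the false-positive surface small; any environment-specific exceptions belong in an allowlist on the parent image, not in a relaxation of the user comparison.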
