Token impersonation is a technique that lets a process running as a service account or a normal user impersonate another account, such as Administrator. This is very useful in an attack scenario where we have logged in to a Windows system as a normal user and need to gain "Administrator/NT AUTHORITY\SYSTEM" access.
Our target OS: Windows 10 Pro/Enterprise, Windows Server 2016
- A target Windows box
- Kali Linux
- A shell from the target Windows box back to Kali
Basic info for token impersonation:
The account we have a shell as on the target Windows box must hold at least one of these privileges:
1. SeImpersonatePrivilege
2. SeAssignPrimaryTokenPrivilege
Target: Windows 10 Pro
First we get a reverse shell from the target Windows 10 Pro system back to our Kali Linux box. I exploited an IIS web page to get it, which gives us the foothold for privilege escalation.
Next, check what type of user we have and what privileges that user holds.
Target user: iis apppool/defaultapppool
The current user has SeImpersonatePrivilege. To exploit it, we check the operating system version and pick the exploit that matches it.
We have Windows 10 Pro, so the JuicyPotato exploit will work on this OS. Download the exploit from here.
After running the exploit with a proper CLSID, we got an NT AUTHORITY\SYSTEM shell. You can find a list of CLSIDs here.
In the screenshot above, the exploit works when it uses the default BITS CLSID. A few other services can also be used, via their CLSIDs, to gain a higher-privilege shell.
Service names: TrustedInstaller, Winmgmt
The two screenshots below show the CLSIDs of the two services mentioned above, and we got a shell with each of them.
Using winmgmt CLSID:
Using TrustedInstaller CLSID:
We successfully exploited the target. This vulnerability is patched in the newest update for Windows 10 Pro. In the same way we can also exploit Windows 10 Enterprise as well as Windows Server 2016; the only difference is the CLSID. You may have to find the CLSID of other services that run with the built-in "NT AUTHORITY\SYSTEM" privilege.
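As an added, defender-side example that is not part of the original post: the escalation above turns a process running as IIS APPPOOL\DefaultAppPool into a shell running as NT AUTHORITY\SYSTEM, so one simple detection is a process-creation record whose parent runs as a service account while its child, a command shell, runs as SYSTEM. The Python below applies that rule over a few constructed log lines. The key=value log format, the field names, the image paths and the sample values are my own assumptions for illustration, not Windows' own event schema.

```python
"""Flag process-creation records where a low-privileged service account
(for example an IIS application pool identity) is the parent of a shell
running as NT AUTHORITY\\SYSTEM.

Added example; the record format and field names below are constructed
for illustration and do not follow Windows' own audit event schema.
"""
from dataclasses import dataclass

# Accounts that commonly hold SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege
# but should never be the parent of a SYSTEM-level command shell.
SERVICE_ACCOUNT_PREFIXES = ("IIS APPPOOL\\", "NT SERVICE\\")
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"
SHELLS = {"cmd.exe", "powershell.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    parent_user: str
    parent_image: str
    child_user: str
    child_image: str


def parse_record(line):
    """Parse one constructed 'key=value|key=value' record into a ProcessEvent."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(
        fields["parent_user"],
        fields["parent_image"],
        fields["child_user"],
        fields["child_image"],
    )


def is_suspicious(ev):
    """True when a service-account parent spawns a shell that runs as SYSTEM."""
    parent_is_service = ev.parent_user.upper().startswith(SERVICE_ACCOUNT_PREFIXES)
    child_is_system = ev.child_user.upper() == SYSTEM_ACCOUNT
    child_is_shell = ev.child_image.rsplit("\\", 1)[-1].lower() in SHELLS
    return parent_is_service and child_is_system and child_is_shell


def find_suspicious(lines):
    """Return the ProcessEvents in `lines` that match the rule, in log order."""
    return [ev for ev in map(parse_record, lines) if is_suspicious(ev)]


# Constructed sample records (not real log output).
SAMPLE_LOG = [
    # The initial low-privilege shell: same app-pool identity on both sides, not flagged.
    r"parent_user=IIS APPPOOL\DefaultAppPool|parent_image=C:\Windows\System32\inetsrv\w3wp.exe"
    r"|child_user=IIS APPPOOL\DefaultAppPool|child_image=C:\Windows\System32\cmd.exe",
    # Normal service start: SYSTEM parent, SYSTEM child, not flagged.
    r"parent_user=NT AUTHORITY\SYSTEM|parent_image=C:\Windows\System32\services.exe"
    r"|child_user=NT AUTHORITY\SYSTEM|child_image=C:\Windows\System32\svchost.exe",
    # App-pool identity spawning a SYSTEM cmd.exe: flagged.
    r"parent_user=IIS APPPOOL\DefaultAppPool|parent_image=C:\Windows\Temp\tool.exe"
    r"|child_user=NT AUTHORITY\SYSTEM|child_image=C:\Windows\System32\cmd.exe",
    # App-pool identity spawning a SYSTEM powershell.exe: flagged.
    r"parent_user=IIS APPPOOL\DefaultAppPool|parent_image=C:\Windows\Temp\tool.exe"
    r"|child_user=NT AUTHORITY\SYSTEM"
    r"|child_image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_LOG):
        print(f"ALERT: {ev.parent_user} spawned {ev.child_image} as {ev.child_user}")
```

The rule is deliberately narrow (service-account parent, SYSTEM child, shell image) so that ordinary SYSTEM-to-SYSTEM service activity and the attacker's initial low-privilege shell do not fire; in a real deployment the parent-user and child-user fields would come from the process-creation audit source in use.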