Abusing SeImpersonatePrivilege

by Vince
in Blog
Hits: 83

SeImpersonatePrivilege is one of those rights that I've yet to see used in the real world. 

Per the screenshot below:  'When you assign the "Impersonate a client after authentication" user right to a user, you permit programs that run on behalf of that user to impersonate a client.'  



Start | Programs | Administrative Tools | Local Security Policy
Local Policies | User Rights Assignment
Impersonate a client after authentication

This is what the default looks like:



If we add IIS:



When we get a shell through IIS, we land on the system.  

When we run "whoami /priv", we see that we have SeImpersonatePrivilege:



There are a number of avenues for exploitation but in this instance, we're going to use PrintSpoofer:



We download PrintSpoofer from Github, we compile it, and then we host the binary on our C2 server. 

We execute PrintSpoofer:



And we've escalated to SYSTEM.