Abusing SeImpersonatePrivilege

by Vince

SeImpersonatePrivilege is one of those rights that I've yet to see used in the real world. 

Per the screenshot below:  'When you assign the "Impersonate a client after authentication" user right to a user, you permit programs that run on behalf of that user to impersonate a client.'  

Start | Programs | Administrative Tools | Local Security Policy
Local Policies | User Rights Assignment
Impersonate a client after authentication

This is what the default looks like:

If we add IIS:

When we get a shell through IIS, we land on the system.  

When we run "whoami /priv", we see that we have SeImpersonatePrivilege:

There are a number of avenues for exploitation but in this instance, we're going to use PrintSpoofer:

We download PrintSpoofer from GitHub, we compile it, and then we host the binary on our C2 server.

We execute PrintSpoofer:

And we've escalated to SYSTEM.
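
From the defender's side, the "Impersonate a client after authentication" assignment shown above can be audited offline. The following is an added example, not part of the original post: it parses the text of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export and lists every principal holding SeImpersonatePrivilege that is not in a baseline. The sample export, the `LAB\svc-web` account and the function names are constructed, and the baseline assumes the Windows default holders of this right.

```python
# Added example: audit holders of SeImpersonatePrivilege in a secedit export.
import configparser

# Assumed baseline: default holders of "Impersonate a client after authentication".
DEFAULT_HOLDERS = {
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-6": "NT AUTHORITY\\SERVICE",
}

# Constructed sample of a USER_RIGHTS export (S-1-5-32-568 is BUILTIN\IIS_IUSRS).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-568,*S-1-5-6,LAB\\svc-web
[Version]
signature="$CHICAGO$"
Revision=1
"""


def holders(inf_text, right="SeImpersonatePrivilege"):
    """Return the principals granted `right`; SIDs lose their leading '*'."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep privilege names exactly as exported
    parser.read_string(inf_text)
    if not parser.has_option("Privilege Rights", right):
        return []  # right not assigned to anyone in this export
    raw = parser.get("Privilege Rights", right)
    # Entries are comma-separated; unresolved or local accounts appear by name.
    return [p.strip().lstrip("*") for p in raw.split(",") if p.strip()]


def unexpected_holders(inf_text, baseline=DEFAULT_HOLDERS):
    """Principals holding the right that are outside the baseline, in file order."""
    return [p for p in holders(inf_text) if p not in baseline]


if __name__ == "__main__":
    for principal in unexpected_holders(SAMPLE_INF):
        print("review:", principal)
```

A real export is written as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in.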