SeImpersonate and SeAssignPrimaryToken

SeImpersonate

Allows a process to impersonate another user's context by obtaining an impersonation token from another process, often temporarily and usually while staying within the same session.

To utilize the token, the SeImpersonate privilege is needed. This privilege is often assigned to service accounts.

This privilege is also known as "Impersonate a client after authentication".

https://github.com/ohpe/juicy-potato/releases

Legitimate programs may use another process's token to escalate from Administrator to Local System. They generally do this by calling into the WinLogon process to obtain a SYSTEM token, then re-executing themselves with that token so that they run in the SYSTEM context.

SeAssignPrimaryToken

Allows a process to assign a primary token to a newly created process, effectively running it as a different user. This is typically used for creating a new session.

To assign the token, the SeAssignPrimaryToken privilege is needed.

JuicyPotato Attack

Tricks a process running as SYSTEM into connecting to the attacker-controlled process, which hands over an impersonation token that can then be used with either SeImpersonate or SeAssignPrimaryToken.

JuicyPotato acts as a rogue COM server (a COM server is any object that provides services to clients).

If only SeAssignPrimaryToken is available, JuicyPotato goes an extra step: it converts the impersonation token into a restricted token (which counts as a primary token) and spawns a new process with it.

Launch attack

To catch a reverse shell:

  • -l specifies the port for the rogue COM server

  • -p is the program to launch

  • -a are the arguments passed to the program to launch

  • -t is the createprocess call

    • With this, JuicyPotato will try both the CreateProcessWithTokenW and CreateProcessAsUser functions, which require the SeImpersonate and SeAssignPrimaryToken privileges respectively.
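An added audit helper (not part of JuicyPotato or these notes) that parses saved `whoami /priv` output offline and reports which of the two privileges a token holds and which CreateProcess* path each one maps to, so a reviewer can decide whether a service account really needs them; the sample output below is constructed.

```python
"""Offline audit of `whoami /priv` output for the two token-assignment privileges."""
import re

# Constructed sample of `whoami /priv` output for a typical service account.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# Privilege -> the CreateProcess* call it unlocks for an obtained impersonation token.
TOKEN_PRIVILEGES = {
    "SeImpersonatePrivilege": "CreateProcessWithTokenW",
    "SeAssignPrimaryTokenPrivilege": "CreateProcessAsUser",
}

# One row of the table: name, free-text description, then Enabled/Disabled.
LINE_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: state} for every privilege row in the output."""
    privs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def token_abuse_paths(privs):
    """CreateProcess* calls the token's privileges allow.

    A Disabled privilege still counts: it is present in the token and the
    process can enable it with AdjustTokenPrivileges; only a removed privilege
    is gone. An audit must therefore treat Disabled as held."""
    return sorted(call for name, call in TOKEN_PRIVILEGES.items() if name in privs)


def audit(text):
    """Summarise exposure: which of the two privileges are held and what they permit."""
    privs = parse_whoami_priv(text)
    paths = token_abuse_paths(privs)
    held = sorted(name for name in TOKEN_PRIVILEGES if name in privs)
    return {"held": held, "paths": paths, "exposed": bool(paths)}
```

Run `audit(open("whoami_priv.txt").read())` against saved output from a service account; an `exposed` result with both paths listed means the account could have used either `-t` call above and is a candidate for privilege removal.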

PrintSpoofer and RoguePotato

JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards. However, PrintSpoofer and RoguePotato can be used to leverage the same privileges.

Launch Attack

To catch a reverse shell with PrintSpoofer:
