Privilege Escalation: Impersonate — writeup

Mickey De Baets
3 min readSep 17, 2021

--

After coming home from work and just unwinding for a bit, I opened LinkedIn and immediately saw Pentester Academy’s post on free access to some of their labs. Sweet sweet Windows machines ready to hack! Resting wasn’t an option anymore so I jumped back behind my laptop to give it a shot. In this blog I will show you how I approached it.

Situation

When you connect to the lab you get an in-browser RDP session with a Kali VM and the IP address of your target is on a note on your desktop. The goal is to compromise the target using a Metasploit module and then perform privilege escalation to eventually read the contents of C:\Users\Administrator\Desktop\flag.txt

Attacking

Recon

Obviously we have to start with an Nmap scan. I simply used nmap -sC -sV -O -T4 10.2.22.193 and got the following output:

Foothold

So basically we have SMB, RDP and HTTP open on the machine. Out of habit I checked HTTP first and I found a Rejetto HTTP File Server (HFS), which happens to have a Metasploit module associated to it. Use, options, set rhosts and run was all it took to get a foothold on the machine. (The IP address is different here because I forgot to take screenshots at first 😢)

PrivEsc

As the name of this lab suggests, we’ll probably have to do something with token impersonation next. Luckily for us, it’s oh-so-easy using meterpreter. Using the very clear guide from Offensive Security, we become Administrator in just three steps:

Now just cat the flag and submit! 🥳

Why did this work?

“In a nutshell, tokens are just like web cookies. They are a temporary key that allows you to access the system and network without having to provide credentials each time you access a file. Incognito exploits this the same way cookie stealing works, by replaying that temporary key when asked to authenticate. There are two types of tokens: delegate and impersonate. Delegate tokens are created for ‘interactive’ logons, such as logging into the machine or connecting to it via Remote Desktop. Impersonate tokens are for ‘non-interactive’ sessions, such as attaching a network drive or a domain logon script.”

Source: Offensive Security

This lab was pretty easy and definitely didn’t take very long to complete. It was a nice quick refresher and sure did a good job on showing how quick and smooth Pentester Academy’s labs are!

--

--