Impersonating access tokens

Conceptual Overview: Windows Tokens

Tokens are temporary keys that allow a user or process to access system or network resources without re-entering credentials for every individual action. They act as "cookies for computers" by maintaining an authenticated session.


Types of Tokens

The slide identifies two primary types of access tokens used in Windows environments:

| Token Type  | Utility / Purpose |
|-------------|-------------------|
| Delegate    | Created for interactive sessions, such as logging directly into a physical machine or using Remote Desktop (RDP). |
| Impersonate | Created for "non-interactive" tasks, such as automatically attaching a network drive or running a domain logon script. |


Security Context (Utility)

In a penetration testing workflow, understanding tokens is critical for privilege escalation and lateral movement:

  • Token Theft/Impersonation: If a user with high privileges (like a Domain Admin) has an active Delegate token on a compromised machine, an attacker can "steal" or impersonate that token to gain the same level of access without knowing the admin's password.

  • Automation: Impersonate tokens allow automated services to perform tasks on behalf of a user across the network.
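A defender can look for the exposure described above by finding privileged accounts that have open interactive or RDP sessions, the logons that create Delegate tokens. This is an added example, not part of the original notes: it uses Windows Security events 4624 (logon) and 4634/4647 (logoff) with logon types 2 and 10, and the event rows and the PRIVILEGED watch list are constructed for illustration.

```python
# Added example: find privileged accounts with open interactive sessions.
# Logon types 2 (console) and 10 (RDP) are the interactive logons that
# leave a Delegate token on the host.
INTERACTIVE = {2: "Interactive (console)", 10: "RemoteInteractive (RDP)"}

# Assumption: a hypothetical watch list of accounts that should not log on
# interactively to ordinary workstations.
PRIVILEGED = {"administrator", "da-alice"}

# Constructed sample events:
# (EventID, Computer, TargetUserName, LogonType, TargetLogonId)
EVENTS = [
    (4624, "WS01", "bob", 2, "0x1a"),             # ordinary user, ignored
    (4624, "WS01", "da-alice", 10, "0x2b"),       # admin RDPs to a workstation
    (4624, "FS01", "da-alice", 3, "0x3c"),        # network logon, not interactive
    (4624, "WS02", "Administrator", 2, "0x4d"),   # console logon ...
    (4634, "WS02", "Administrator", 2, "0x4d"),   # ... later logged off
    (4624, "WS03", "svc-backup", 5, "0x5e"),      # service logon, not on watch list
]


def exposed_sessions(events, privileged=PRIVILEGED):
    """Return {(host, user): logon kind} for privileged interactive sessions
    that have a 4624 logon and no matching 4634/4647 logoff."""
    open_sessions = {}
    for event_id, host, user, logon_type, logon_id in events:
        key = (host, logon_id)  # a logon ID is only unique per host
        if event_id == 4624:
            if user.lower() in privileged and logon_type in INTERACTIVE:
                open_sessions[key] = (user, INTERACTIVE[logon_type])
        elif event_id in (4634, 4647):
            open_sessions.pop(key, None)
    return {(host, user): kind
            for (host, _), (user, kind) in open_sessions.items()}


if __name__ == "__main__":
    for (host, user), kind in sorted(exposed_sessions(EVENTS).items()):
        print(f"{host}: {user} has an open {kind} session")
```

Each host reported here is one where compromise of the machine would also expose the privileged account's token, so those sessions are the ones to log off or move to dedicated admin workstations.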

Check if you have privilege to impersonate tokens

We can notice that the Administrator user token is available. Impersonate the Administrator user token and read the flag.
