Windows Privilege Escalation - SeImpersonate [sql_dev does not have token permission]

Hello,

The question for the SeImpersonate section ask to logon as “sql_dev” and to escalate privileges using one of the methods shown in this section. Submit the contents of the flag file located at c:\Users\Administrator\Desktop\SeImpersonate\flag.txt.

First, I was not able to RDP using the sql_dev account. I connected with htb-student and ran cmd as sql_dev.

However, the sql_dev user does not have the SeImpersonate nor SeAssignPrimaryToken tokens:

C:\Users\htb-student>whoami
winlpe-srv01\sql_dev

C:\Users\htb-student>whoami /priv

PRIVILEGES INFORMATION

Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

C:\Users\htb-student>

Am I missing something? Can someone please advise?

Thank you,
raff

This is still broken unfortunately - I also cannot RDP in as sql_dev. The other creds (htb-student) work fine.

If anybody can post some tips it’d be appreciated :slight_smile:

Actually, having spent more time on this - you’re not supposed to RDP into the box, you’re supposed to use mssqlclient from impacket, using Windows auth, then the creds work!

As with many other modules’ content, it’s clear that English wasn’t the native language of whoever wrote the instructions though :D. HTB should really invest in editors at least :sweat_smile:. You see that as one of the points that consistently come up in Youtube reviews of the platform.

Hi, I’m stuck at this point. I have connected through mssqlclient and it tells me that I correctly create the process listening on port 8443. But then from my terminal, the nc -lnvp 8443 does not connect me. Could you help me please?

When doing reverse shells you’re supposed to start the listener on the machine you’re attacking from first. Then you can trigger the process on the target host.

1 Like

Exactly, I did it the other way around. Thanks a lot!!!

Can’t connect through mssqlcient.py,

Password:
[*] Encryption required, switching to TLS
[-] ERROR(WINLPE-SRV01\SQLEXPRESS01): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

Could someone help?

Hi, could you solve this problem?

impacket-mssqlclient slq_dev:'Str0ng_P@ssw0rd!'@$TARGET -windows-auth

impacket-mssqlclient slq_dev@$TARGET -windows-auth

I also tried different versions of impacket, but with the same result.

I’m guessing you may have already figured it out

it’s not “SLQ_DEV” but “SQL_DEV”

try again, should work fine

the amount of times it’s a simple typo