During a Windows 10 post-exploitation phase you obtain a reverse shell running as an unprivileged local user. The command "whoami /priv" shows that the SeImpersonatePrivilege is present and enabled. You must gain NT AUTHORITY\SYSTEM access to dump LSASS, but you want to avoid writing new files to disk or modifying any existing configuration. Which privilege-escalation approach best meets these requirements?
Upload and load an unsigned kernel-mode driver with "sc create" to obtain ring-0 code execution.
Invoke "runas /netonly /user:Administrator cmd.exe" to open an elevated command prompt.
Exploit SeImpersonatePrivilege by spawning a named-pipe or COM server and impersonating the connecting SYSTEM service token (Potato-style attack).
Replace the executable in an unquoted service path and restart the affected service to run your payload.
SeImpersonatePrivilege allows a user to impersonate the security context of another process after authentication. Potato-family attacks (Juicy Potato, PrintSpoofer, Rogue Potato) exploit this privilege by creating a rogue COM or named-pipe server, tricking a SYSTEM service into connecting, and then impersonating the incoming SYSTEM token. Because the technique can run entirely from memory with no on-disk artifacts, it satisfies the requirement to avoid writing files or changing settings. The runas command would still demand the Administrator password, an unquoted service-path exploit needs a writable directory and file placement, and loading an unsigned driver both requires a file on disk and is blocked by driver-signature enforcement without SeLoadDriverPrivilege.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is SeImpersonatePrivilege in Windows?
Open an interactive chat with Bash
What is a Potato-style attack in privilege escalation?
Open an interactive chat with Bash
Why can't you use 'runas /netonly /user:Administrator' for this scenario?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
System Hacking Phases and Attack Techniques
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .