Leverage leaked token handles to perform privilege escalation. This technique has been detailed in this post.
The technique is implemented for the following technologies:
- IIS: A simple ASPX webshell is provided that lists the available user tokens and allows to impersonate them to run an arbitrary executable present in the compromised host.
- MSSQL: A python script is provided that will load several C# assemblies, allowing to manipulate the user tokens available in the MSSQL's process memory.