In previous articles, we have used Pass The Hash to perform lateral movement.
This time, let's drop PTH and use token impersonation.
Indeed, if you are lucky enough to be a local admin, you can impersonate a token owned by another user currently logged on to the same system as you (it could be a terminal server).
That other user may happen to be admin on systems where you don't have access (yet).
Impersonating this user will let you perform lateral movement.
This is as simple as running NTHASH-win64.exe /runastoken /pid:xxx where xxx is the PID of a process owned by that other user.
Just keep in mind that you need to be running an elevated shell to do so.
If not done yet, simply run NTHASH-win64.exe /runas before running the command above.
As simple as that: again, no need to know the user password (nor the hash this time).
Once running under the context of this other user you can then run commands like:
And keep moving lateral… or up…
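
For defenders, one way to spot the token reuse described above in process-creation telemetry, as an added example that is not part of the original article or of NTHASH. It assumes Sysmon Event ID 1 records (fields ProcessGuid, ParentProcessGuid, User, LogonId) in chronological order, and relies on the heuristic that a process started from a duplicated token keeps the LogonId of the other user's existing session, while a password-based runas gets a new one. The sample events, the account names and the function name find_token_reuse are constructed for illustration.

```python
# Constructed sample: Sysmon Event ID 1 (ProcessCreate), reduced to the fields used.
FIELDS = ("ProcessGuid", "ParentProcessGuid", "Image", "User", "LogonId")
ROWS = [
    ("A1", "W1", "explorer.exe", r"CORP\alice",          "0x3a1f2"),  # alice's desktop
    ("V1", "W2", "explorer.exe", r"CORP\svc_admin",      "0x7c9e0"),  # other user's desktop
    ("A2", "A1", "cmd.exe",      r"CORP\alice",          "0x3a1c8"),  # alice's elevated shell
    ("A3", "A2", "cmd.exe",      r"CORP\alice_adm",      "0x9d001"),  # runas with password: new session
    ("A4", "A2", "cmd.exe",      r"CORP\svc_admin",      "0x7c9e0"),  # runs inside V1's session
    ("S1", "W3", "svchost.exe",  r"NT AUTHORITY\SYSTEM", "0x3e7"),
    ("S2", "S1", "backup.exe",   r"CORP\svc_admin",      "0x7c9e0"),  # scheduled task via SYSTEM
]
EVENTS = [dict(zip(FIELDS, row)) for row in ROWS]

# Parents expected to start processes in other users' sessions.
# Assumption for this example: tune per environment, and note that it hides
# the same behaviour when the calling process itself runs as SYSTEM.
BROKER_USERS = {r"nt authority\system"}


def find_token_reuse(events):
    """Return process creations where the child runs as a different user than
    its parent, inside a logon session that already existed before the child."""
    procs = {}           # ProcessGuid -> (user, LogonId) of processes seen so far
    seen_logons = set()  # LogonIds already used by an earlier process
    hits = []
    for ev in events:
        user, logon = ev["User"].lower(), ev["LogonId"].lower()
        parent = procs.get(ev["ParentProcessGuid"])
        if (parent is not None
                and parent[0] != user               # user changes across the fork
                and parent[0] not in BROKER_USERS   # not an expected broker
                and logon != parent[1]
                and logon in seen_logons):          # session predates this process
            hits.append(ev)
        procs[ev["ProcessGuid"]] = (user, logon)
        seen_logons.add(logon)
    return hits


if __name__ == "__main__":
    for hit in find_token_reuse(EVENTS):
        print("possible token reuse:", hit["Image"], hit["User"], hit["LogonId"])
```

Only the A4 row is reported: the password-based runas (A3) lands in a session that did not exist before, and the SYSTEM-launched task (S2) is covered by the broker allowlist.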