
Exploitable privileges


Last updated 2 years ago

SeBackup

Allows a user to read any file regardless of ownership or permissions. This permission can be exploited to dump the SAM and SECURITY files and crack them to obtain plaintext credentials.

SeTakeOwnership / SeRestore

Allows a user to gain ownership over any element of the system, including files and registry keys. This privilege allows an attacker to replace any executable running as a SYSTEM service with a malicious program and execute commands as an elevated user.

Utilman.exe exploit

takeown /f C:\Windows\System32\Utilman.exe
icacls C:\Windows\System32\Utilman.exe /grant THMTakeOwnership:F
copy cmd.exe C:\Windows\System32\Utilman.exe

After locking and unlocking the account we will be greeted with a SYSTEM shell.
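The three commands above each leave a trace on disk that a defender can check for. The following PowerShell function is an added example written for these notes, not part of the original page or of any tool it mentions: it inspects Utilman.exe for a changed owner (takeown), an extra FullControl ACE (icacls /grant) and a version resource that still names cmd.exe (copy). The expected owner and the assumption that only TrustedInstaller holds FullControl describe a default install and are this example's assumptions.

```powershell
# Added example, not from the original notes: detect the traces a takeown/icacls/copy
# replacement of Utilman.exe leaves behind. Run elevated on the host being audited.
function Test-ProtectedBinary {
    [CmdletBinding()]
    param(
        [string]$Path = "$env:SystemRoot\System32\Utilman.exe",
        # Assumption: on a default install System32 binaries are owned by TrustedInstaller
        [string]$ExpectedOwner = 'NT SERVICE\TrustedInstaller'
    )
    $item     = Get-Item -LiteralPath $Path
    $acl      = Get-Acl  -LiteralPath $Path
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. takeown: the owner is no longer TrustedInstaller but the user who ran it
    if ($acl.Owner -ne $ExpectedOwner) {
        $findings.Add("owner is '$($acl.Owner)', expected '$ExpectedOwner'")
    }

    # 2. icacls /grant <user>:F: an Allow ACE with FullControl for an unexpected principal
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $full) -eq $full) -and
            ($who -ne $ExpectedOwner)) {
            $findings.Add("FullControl granted to '$who'")
        }
    }

    # 3. copy cmd.exe over it: the version resource still says Cmd.Exe. Note that the
    #    Authenticode signature stays Valid, because cmd.exe is itself Microsoft-signed,
    #    so only an invalid signature is informative here.
    $orig = $item.VersionInfo.OriginalFilename
    if ($orig -and ($orig -ne $item.Name)) {
        $findings.Add("OriginalFilename is '$orig' but the file is '$($item.Name)'")
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings.Add("signature status is $($sig.Status)")
    }

    [pscustomobject]@{
        Path       = $Path
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings.ToArray()
    }
}

Test-ProtectedBinary | Format-List
```

For an authoritative comparison against the component store, `sfc /verifyfile=C:\Windows\System32\Utilman.exe` reports whether the file differs from the protected copy. If object-access auditing is enabled on System32, the takeown and icacls steps also produce Security event 4670 (permissions on an object were changed), which is a more timely signal than a periodic file check.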

SeImpersonate / SeAssignPrimaryToken

Allows a user to impersonate and spawn processes under the context of other users on the machine. Can be exploited with Juicy Potato and similar techniques.

printSpooler.exe exploit

Download the appropriate PrintSpoofer exe file from here. Then run the following command to obtain a SYSTEM shell:

PrintSpoofer.exe -i -c cmd

SeLoadDriver

Allows loading arbitrary drivers. Can be exploited by loading drivers with known vulnerabilities. In order to load a service in memory, download and compile the following exploit and invoke it as follows:

.\EOPLOADDRIVER.exe System\CurrentControlSet\MyService <path to sys file>

Exploitable drivers

  • szkg64.sys
  • Capcom.sys

Download, compile and execute the PoC here.

SeManageVolume

Allows managing permissions on volumes. Can be exploited to change the ownership of all files under C:\ to the current user. The following steps run a payload as the SYSTEM user:

  1. Write a custom DLL to C:\Windows\System32\wbem\tzres.dll

  2. Trigger the payload under SYSTEM by executing systeminfo
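Every section on this page starts from a token that already holds one of these rights, so the first question for a defender is which principals are granted them on a host. The PowerShell function below is an added example for these notes, not code from the original page: it exports the local user-rights assignment with secedit, resolves the SIDs and reports holders that are not among the identities a default install grants them to. The list of expected holders and the output shape are this example's own assumptions.

```powershell
# Added example, not from the original notes: report who holds the privileges
# discussed on this page. Needs an elevated prompt (secedit /export requires it).
function Get-SensitivePrivilegeHolders {
    [CmdletBinding()]
    param(
        [string[]]$Privileges = @(
            'SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege',
            'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',
            'SeLoadDriverPrivilege', 'SeManageVolumePrivilege'
        ),
        # Assumption: identities that hold these rights on a default install. Anything
        # else (a web or database service account with SeImpersonate, a user in
        # Backup Operators) needs an explanation from whoever granted it.
        [string[]]$ExpectedHolders = @(
            'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE',
            'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SERVICE'
        )
    )
    $cfg = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    try {
        # secedit writes a [Privilege Rights] section of lines like
        #   SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
        $null = secedit /export /cfg $cfg /areas USER_RIGHTS
        if (-not (Test-Path -LiteralPath $cfg)) { throw 'secedit export failed; run elevated' }
        $lines = Get-Content -LiteralPath $cfg -Encoding Unicode   # secedit writes UTF-16

        foreach ($priv in $Privileges) {
            $line    = $lines | Where-Object { $_ -match "^$priv\s*=" } | Select-Object -First 1
            $holders = @()
            if ($line) {
                $holders = @(($line -split '=', 2)[1].Trim() -split ',' |
                    Where-Object { $_.Trim() } |
                    ForEach-Object {
                        $entry = $_.Trim().TrimStart('*')
                        try {
                            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry)
                            $sid.Translate([System.Security.Principal.NTAccount]).Value
                        } catch { $entry }   # not a resolvable SID: keep the raw entry
                    })
            }
            [pscustomobject]@{
                Privilege  = $priv
                Holders    = $holders
                Unexpected = @($holders | Where-Object { $_ -notin $ExpectedHolders })
            }
        }
    } finally {
        Remove-Item -LiteralPath $cfg -Force -ErrorAction SilentlyContinue
    }
}

Get-SensitivePrivilegeHolders | Format-Table Privilege, Unexpected -AutoSize
```

This reports the policy as assigned, which is what an attacker's `whoami /priv` would reflect after logon; comparing the two on a suspect host shows whether a token carries a right the policy does not grant. The useful remediation is usually not removing the right from a service account that needs it, but not running exposed applications under such an account in the first place.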