Windows User Privileges
The diagram below walks through the Windows authorization and access control process at a high level, showing, for example, the process that starts when a user attempts to access a securable object such as a folder on a file share.
User rights allow users to perform tasks on the system such as logging on locally or remotely, accessing the host from the network, shutting down the server, etc.
Setting Constant | Standard Assignment
SeNetworkLogonRight | Administrators, Authenticated Users
SeRemoteInteractiveLogonRight | Administrators, Remote Desktop Users
SeBackupPrivilege | Administrators
SeSecurityPrivilege | Administrators
SeTakeOwnershipPrivilege | Administrators
SeDebugPrivilege | Administrators
SeImpersonatePrivilege | Administrators, Local Service, Network Service, Service
SeLoadDriverPrivilege | Administrators
SeRestorePrivilege | Administrators
Typing the command whoami /priv will give you a listing of all user rights assigned to your current user.
When a privilege is listed for our account in the Disabled state, it means that our account has the specific privilege assigned. Still, it cannot be used in an access token to perform the associated actions until it is enabled, so we need some scripting to help us out. There is a PowerShell script that can be used to enable certain privileges, and another script that can be used to adjust token privileges.
SeImpersonate and SeAssignPrimaryToken
The Potato attack tricks a process running as SYSTEM into connecting to the attacker's process, which then hands over its token to be used. This paper is worth reading for further details on token impersonation attacks.
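As an added example (not part of the original notes), the following Python audit parses the [Privilege Rights] section of a secedit /export file and reports every principal that holds one of the rights from the table above, or SeAssignPrimaryTokenPrivilege, beyond its standard assignment, which is how a defender spots a service account that has been handed SeImpersonate or SeAssignPrimaryToken. The export text and the svc_sql account are constructed; the well-known SIDs are the real ones for the groups named in the table.

```python
"""Audit a 'secedit /export /cfg <file>' export for user-rights drift."""

# Standard assignments from the table above, expressed as well-known SIDs:
# S-1-5-32-544 Administrators, S-1-5-11 Authenticated Users,
# S-1-5-32-555 Remote Desktop Users, S-1-5-19 Local Service,
# S-1-5-20 Network Service, S-1-5-6 Service.
BASELINE = {
    "SeNetworkLogonRight": {"S-1-5-32-544", "S-1-5-11"},
    "SeRemoteInteractiveLogonRight": {"S-1-5-32-544", "S-1-5-32-555"},
    "SeBackupPrivilege": {"S-1-5-32-544"},
    "SeSecurityPrivilege": {"S-1-5-32-544"},
    "SeTakeOwnershipPrivilege": {"S-1-5-32-544"},
    "SeDebugPrivilege": {"S-1-5-32-544"},
    "SeImpersonatePrivilege": {"S-1-5-32-544", "S-1-5-19", "S-1-5-20", "S-1-5-6"},
    "SeLoadDriverPrivilege": {"S-1-5-32-544"},
    "SeRestorePrivilege": {"S-1-5-32-544"},
    # Not in the table above; Windows default is Local Service and Network Service.
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
}

# Constructed export: svc_sql (a made-up local account) has been granted
# both impersonation-related rights, which the audit should flag.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6,svc_sql
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,svc_sql
SeDebugPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""


def parse_privilege_rights(export_text):
    """Return {right: set of holders} from the [Privilege Rights] section.
    secedit writes principals as '*<SID>'; plain account names are also accepted."""
    rights, in_section = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {h.strip().lstrip("*") for h in value.split(",") if h.strip()}
    return rights


def find_drift(rights, baseline=BASELINE):
    """Holders beyond the baseline, per right; rights absent from the export are not drift."""
    drift = {right: sorted(rights.get(right, set()) - expected) for right, expected in baseline.items()}
    return {right: extra for right, extra in drift.items() if extra}


def audit_sample():
    return find_drift(parse_privilege_rights(SAMPLE_EXPORT))


if __name__ == "__main__":
    for right, extra in audit_sample().items():
        print(f"{right}: unexpected holders {', '.join(extra)}")
```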
SeImpersonate Example - JuicyPotato
In this scenario, the SQL Server service is running in the context of the default mssqlserver account. Imagine we have achieved command execution as this user through xp_cmdshell, using a set of credentials obtained from a logins.sql file found on a file share with the Snaffler tool.
Using the credentials sql_dev:Str0ng_P@ssw0rd!, we connect to the SQL instance.
Next, we must enable the xp_cmdshell stored procedure to run operating system commands. We can then confirm that we are indeed running in the context of a SQL Server service account, and check what privileges the service account has been granted.
JuicyPotato can be used to exploit the SeImpersonate or SeAssignPrimaryToken privileges. First, download the JuicyPotato.exe binary and upload it along with nc.exe to the target server. Next, stand up a Netcat listener on port 8443. On our listener we then catch the connection.
PrintSpoofer and RoguePotato
JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards. However, PrintSpoofer and RoguePotato can be used to leverage the same privileges and gain NT AUTHORITY\SYSTEM level access. This blog post goes in-depth on the PrintSpoofer tool.
Again, connect with mssqlclient.py and use the tool with the -c argument to execute a command. Here, nc.exe is used to spawn a reverse shell (with a Netcat listener waiting on our attack box on port 8443). If everything works, our listener will catch the connection.
Escalate privileges using one of the methods shown in this section. Submit the contents of the flag file located at c:\Users\Administrator\Desktop\SeImpersonate\flag.txt