Nathanule's Write-ups
  • Nathanule's Write-Ups
  • Cheat sheets and Notes
    • Windows Privilege escalation
      • Communication with processes
      • Windows User Privileges
        • Windows Privilege Overview
        • SeImpersonate and SeAssignPrimaryToken
        • SeDebugPrivilege
    • SMTP
    • Directory brute-forcing (Fuzzing web directories)
    • Fuzzing Subdomains and Virtual hosts
    • Pivoting, Tunneling, and Port Forwarding
      • Pivoting around obstacles
      • Branching out our tunnels
      • Cheat sheets
    • Transferring Files
    • Powershell Notes
    • Active Directory Notes/Cheat sheets
      • Initial Enumeration
        • External Recon
          • Hunting E-mail addresses, usernames, credentials
      • External Information Gathering
  • Walk-throughs
    • HTB Windows Machines
      • APT
      • Mantis HTB
      • Reel HTB
      • Flight HTB
      • Visual HTB
      • Worker HTB
      • Fuse HTB
      • Buff HTB
      • Granny HTB
      • Grandpa HTB
      • Optimum HTB
      • Legacy
      • Jerry HTB
      • Silo HTB
      • Sizzle HTB
      • Tally HTB
      • Bart HTB
      • Jeeves HTB
    • HTB Linux Machines
      • Zipping HTB
      • devvortex HTB
      • Magic HTB
      • Bizness HTB
      • Sua
      • Mango HTB
      • Haircut HTB
      • Postman HTB
      • Friendzoned HTB
      • Mirai HTB
      • Networked HTB
      • Popcorn HTB
      • Posion HTB
      • Sunday HTB
      • SwagShop HTB
      • Irked HTB
      • Academy
    • HTB Endgames
      • Hades
      • Xen
      • P.O.O
      • Hololive THM
    • WPE Capstones
      • Querier HTB
      • Bastion HTB
      • Bastard HTB
      • Arctic HTB
      • Alfred THM
    • LPE Capstones
      • Brainpan 1 THM
      • ConvertMyVideo THM
      • Tomghost THM
      • Lazy Admin THM
      • Anonymous THM
    • Mobile
      • APKey
    • Snap-labs (Entry Level Pentesting)
    • Hardware
      • The needle
      • Debugging Interface
    • ICS and SCADA
      • Watersnake
    • Blockchain
      • Survival of the Fittest
Powered by GitBook
On this page
  1. Cheat sheets and Notes
  2. Windows Privilege escalation
  3. Windows User Privileges

SeDebugPrivilege

PreviousSeImpersonate and SeAssignPrimaryTokenNextSMTP

Last updated 1 year ago

  • To run particular applications or services or even assist with troubleshooting as users may be assigned with the SeDebugPrivilege, instead of adding the account to the administrator's group

  • this privilege can both be assigned locally and a domain group policy

  • By default, only administrators are granted with this privilege as it can be used to capture sensitive information from system memory, or access/modify kernel and application structures

  • any account that has the SeDebugPrivilege enabled does have access to critical operating system components.

  • We can utilize ProcDump from the Sysinternals suite to leverage this privilege and dump the process memory. A good candidate is the Local Security Authority Subsystem Service (LSASS) process, which stores users credentials after a user logs into the system

example

.\procdump.exe -accepteula -ma lsass.exe lsass.dmp

  • We can see this was successful, and we can load this into mimikatz using the sekurlsa::minidump command

  • After issuing the sekurlsa::logonPasswords command we gain the NTLM hash of the local administrator account logged on locally

  • It always a good idea to type log befire running any commands in "Mimikatz" this way all the command outputs to a ".txt" file

.\mimikatz.exe
log
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

We can also create a dump file manually if we have RDP access to the machine

  • we can take a manual memory dump of the LSASS process via the task manager, by browsing the Details tab, choosing the LSASS process, and selecting create dump file, then we can download this dump file back to our attack machine