Nathanule's Write-ups
  • Nathanule's Write-Ups
  • Cheat sheets and Notes
    • Windows Privilege escalation
      • Communication with processes
      • Windows User Privileges
        • Windows Privilege Overview
        • SeImpersonate and SeAssignPrimaryToken
        • SeDebugPrivilege
    • SMTP
    • Directory brute-forcing (Fuzzing web directories)
    • Fuzzing Subdomains and Virtual hosts
    • Pivoting, Tunneling, and Port Forwarding
      • Pivoting around obstacles
      • Branching out our tunnels
      • Cheat sheets
    • Transferring Files
    • Powershell Notes
    • Active Directory Notes/Cheat sheets
      • Initial Enumeration
        • External Recon
          • Hunting E-mail addresses, usernames, credentials
      • External Information Gathering
  • Walk-throughs
    • HTB Windows Machines
      • APT
      • Mantis HTB
      • Reel HTB
      • Flight HTB
      • Visual HTB
      • Worker HTB
      • Fuse HTB
      • Buff HTB
      • Granny HTB
      • Grandpa HTB
      • Optimum HTB
      • Legacy
      • Jerry HTB
      • Silo HTB
      • Sizzle HTB
      • Tally HTB
      • Bart HTB
      • Jeeves HTB
    • HTB Linux Machines
      • Zipping HTB
      • devvortex HTB
      • Magic HTB
      • Bizness HTB
      • Sua
      • Mango HTB
      • Haircut HTB
      • Postman HTB
      • Friendzoned HTB
      • Mirai HTB
      • Networked HTB
      • Popcorn HTB
      • Posion HTB
      • Sunday HTB
      • SwagShop HTB
      • Irked HTB
      • Academy
    • HTB Endgames
      • Hades
      • Xen
      • P.O.O
      • Hololive THM
    • WPE Capstones
      • Querier HTB
      • Bastion HTB
      • Bastard HTB
      • Arctic HTB
      • Alfred THM
    • LPE Capstones
      • Brainpan 1 THM
      • ConvertMyVideo THM
      • Tomghost THM
      • Lazy Admin THM
      • Anonymous THM
    • Mobile
      • APKey
    • Snap-labs (Entry Level Pentesting)
    • Hardware
      • The needle
      • Debugging Interface
    • ICS and SCADA
      • Watersnake
    • Blockchain
      • Survival of the Fittest
Powered by GitBook
On this page
  1. Cheat sheets and Notes
  2. Windows Privilege escalation
  3. Windows User Privileges

Windows Privilege Overview

Rights and Privileges in windows

GROUPS

Group

Description

Default Administrators

Domain Admins and Enterprise Admins are "super" groups.

Server Operators

Members can modify services, access SMB shares, and backup files.

Backup Operators

Members are allowed to log onto DCs locally and should be considered Domain Admins. They can make shadow copies of the SAM/NTDS database, read the registry remotely, and access the file system on the DC via SMB. This group is sometimes added to the local Backup Operators group on non-DCs.

Print Operators

Members can log on to DCs locally and "trick" Windows into loading a malicious driver.

Hyper-V Administrators

If there are virtual DCs, any virtualization admins, such as members of Hyper-V Administrators, should be considered Domain Admins.

Account Operators

Members can modify non-protected accounts and groups in the domain.

Remote Desktop Users

Members are not given any useful permissions by default but are often granted additional rights such as Allow Login Through Remote Desktop Services and can move laterally using the RDP protocol.

Remote Management Users

Members can log on to DCs with PSRemoting (This group is sometimes added to the local remote management group on non-DCs).

Group Policy Creator Owners

Members can create new GPOs but would need to be delegated additional permissions to link GPOs to a container such as a domain or OU.

Schema Admins

Members can modify the Active Directory schema structure and backdoor any to-be-created Group/GPO by adding a compromised account to the default object ACL.

DNS Admins

User Rights Assignment

Setting Name

Standard Assignment

Description

SeNetworkLogonRight

Administrators, Authenticated Users

Determines which users can connect to the device from the network. This is required by network protocols such as SMB, NetBIOS, CIFS, and COM+.

SeRemoteInteractiveLogonRight

Administrators, Remote Desktop Users

This policy setting determines which users or groups can access the login screen of a remote device through a Remote Desktop Services connection. A user can establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server.

SeBackupPrivilege

Administrators

This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.

SeSecurityPrivilege

Administrators

This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. These objects specify their system access control lists (SACL). A user assigned this user right can also view and clear the Security log in Event Viewer.

SeTakeOwnershipPrivilege

Administrators

This policy setting determines which users can take ownership of any securable object in the device, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.

SeDebugPrivilege

Administrators

This policy setting determines which users can attach to or open any process, even a process they do not own. Developers who are debugging their applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides access to sensitive and critical operating system components.

SeImpersonatePrivilege

Administrators, Local Service, Network Service, Service

This policy setting determines which programs are allowed to impersonate a user or another specified account and act on behalf of the user.

SeLoadDriverPrivilege

Administrators

This policy setting determines which users can dynamically load and unload device drivers. This user right is not required if a signed driver for the new hardware already exists in the driver.cab file on the device. Device drivers run as highly privileged code.

SeRestorePrivilege

Administrators

This security setting determines which users can bypass file, directory, registry, and other persistent object permissions when they restore backed up files and directories. It determines which users can set valid security principals as the owner of an object.

We can list the avaliable rights we have as a user on the system by utilizing the whoami command

whoami
whomai /priv

  • Users privileges increased based on the groups they are part of, or their assigned particular privileges as a user

PreviousWindows User PrivilegesNextSeImpersonate and SeAssignPrimaryToken

Last updated 1 year ago

Members can load a DLL on a DC, but do not have the necessary permissions to restart the DNS server. They can load a malicious DLL and wait for a reboot as a persistence mechanism. Loading a DLL will often result in the service crashing. A more reliable way to exploit this group is to .

Setting

At times we may see a privilege but its configured to be disabled there is at times where we can enable the particular privilege using scripts such as which can we used to enable certian privileges and which can be used to adjust token privileges

https://www.powershellgallery.com/packages/PoshPrivilege/0.3.0.0/Content/Scripts%5CEnable-Privilege.ps1
https://www.leeholmes.com/adjusting-token-privileges-in-powershell/
create a WPAD record
Constant
Access this computer from the network
Allow log on through Remote Desktop Services
Back up files and directories
Manage auditing and security log
Take ownership of files or other objects
Debug programs
Impersonate a client after authentication
Load and unload device drivers
Restore files and directories