Two of the most commonly abused token privileges for privilege escalation are:

  • SeImpersonatePrivilege - the account may impersonate a client after that client has authenticated to it (the description Windows shows is "Impersonate a client after authentication").
  • SeShutdownPrivilege - the account may shut down or restart the system.

You can check the privileges held by your current token with the following command:

whoami /priv
# displays the current user's privileges: name, description and State

The State column (Enabled/Disabled) only tells you whether the privilege is currently enabled in the token, not whether you hold it. A privilege listed as Disabled is still held, and a process can enable it for itself, so treat every privilege in the list as usable.

You're ideally looking for SeImpersonatePrivilege or SeShutdownPrivilege, as these can lead to privilege escalation:

SeImpersonatePrivilege

This privilege is generally vulnerable to exploitation using PrintSpoofer or the Potato family of exploits (JuicyPotato, RoguePotato and their successors). These tools coerce a SYSTEM service into connecting to a named pipe or COM endpoint you control and then use the privilege to impersonate that connection, which is why holding it is a reliable route to SYSTEM. It is a privilege that is routinely granted to service accounts (LOCAL SERVICE, NETWORK SERVICE, IIS application pool identities and many third-party service accounts), so as well as being a good route to SYSTEM, it also gives you clues about where to move laterally. If you're currently accessing a system as a local user without it, look for a way to run code as a service account instead: the 'apache' user running a web server, for example, is likely to hold SeImpersonatePrivilege.

Exploiting SeImpersonatePrivilege

coming soon!

SeShutdownPrivilege

SeShutdownPrivilege is exactly what it sounds like: the privilege that allows a user to shut down or restart the system. It comes into play when you have tampered with a service that runs as SYSTEM but lack the right to stop and start that service yourself (no SERVICE_STOP / SERVICE_START on the service object). A reboot relaunches every automatic-start service, so whatever you planted via DLL hijacking, an unquoted service path or service binary hijacking gets executed on the way back up. Two caveats: only services set to start automatically are relaunched, and a reboot is both disruptive and hard to miss, so confirm it is within your rules of engagement first.
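The following script is an added example written for these notes; it is not code from the original page. It ties together the two checks above: it parses `whoami /priv` for the privileges discussed in this page, and, if SeShutdownPrivilege is held, enumerates the automatic-start services a reboot would relaunch and flags the two weaknesses mentioned (an unquoted path containing spaces, or a directory on the binary's path that the current user can write to). The function names are mine, the parser assumes the English output format of `whoami /priv`, and nothing is changed on the host unless you pass -Reboot.

```powershell
# Added example for these notes (not part of the original page): triage the
# two privileges discussed above and, when SeShutdownPrivilege is held, list
# the automatic-start services a reboot would relaunch from a weak path.
# Read-only unless -Reboot is given. Function names are mine; the parser
# assumes the English output format of `whoami /priv`.
[CmdletBinding()]
param(
    [switch]$Reboot   # actually restart; only once a payload is staged
)

# Map privilege name -> state from `whoami /priv`. "Disabled" only means the
# privilege is not enabled in the token right now; a process can enable any
# privilege the token holds, so both states count as "held".
function Get-TokenPrivilege {
    $privs = @{}
    whoami /priv | ForEach-Object {
        if ($_ -match '^(Se\w+Privilege)\s+.+\s+(Enabled|Disabled)\s*$') {
            $privs[$matches[1]] = $matches[2]
        }
    }
    return $privs
}

# Can the current user create a file in $Dir? Probes by writing and deleting a
# randomly named file, which leaves a short-lived trace in that directory.
function Test-DirWritable([string]$Dir) {
    if (-not $Dir -or -not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

# Automatic-start services whose command line a reboot would execute, with the
# two weaknesses the notes mention: an unquoted path containing spaces (each
# truncation point yields a candidate directory) or a writable binary directory.
function Get-WeakAutoStartService {
    Get-CimInstance Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }

        # Binary without its arguments.
        if ($path -match '^"([^"]+)"')       { $exe = $matches[1] }
        elseif ($path -match '^(.+?\.exe)')  { $exe = $matches[1] }
        else { return }

        $unquoted = ($path -notmatch '^"') -and ($exe -match '\s')

        # Directories an attacker-controlled file could land in.
        $candidates = @()
        if ($unquoted) {
            $parts = $exe -split ' '
            for ($i = 1; $i -le $parts.Count; $i++) {
                $candidates += Split-Path -Parent ($parts[0..($i - 1)] -join ' ')
            }
        } else {
            $candidates += Split-Path -Parent $exe
        }
        $writable = @($candidates | Select-Object -Unique | Where-Object { Test-DirWritable $_ })

        if ($unquoted -or $writable.Count -gt 0) {
            [pscustomobject]@{
                Service      = $_.Name
                RunAs        = $_.StartName
                Path         = $path
                Unquoted     = $unquoted
                WritableDirs = ($writable -join '; ')
            }
        }
    }
}

$held = Get-TokenPrivilege
foreach ($name in 'SeImpersonatePrivilege', 'SeShutdownPrivilege') {
    if ($held.ContainsKey($name)) { "[+] $name held ($($held[$name]))" }
    else                          { "[-] $name not held" }
}

if ($held.ContainsKey('SeShutdownPrivilege')) {
    $weak = @(Get-WeakAutoStartService)
    if ($weak.Count -eq 0) {
        "[-] No weak automatic-start services found; a reboot gains nothing."
    } else {
        $weak | Format-Table -AutoSize
        # Only worth doing once a payload sits in one of the paths above.
        if ($Reboot) { shutdown.exe /r /t 0 }
    }
}
```

Run it as the low-privileged user you are testing from; neither `whoami /priv` nor the Win32_Service query needs admin rights. The RunAs column matters: a weak service that runs as a low-privileged account gains you nothing on restart, so look for LocalSystem (or another account holding SeImpersonatePrivilege). Keep in mind the writability probe creates and deletes a file in each candidate directory, and that `shutdown /r /t 0` reboots the box immediately with no grace period for logged-on users.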

Exploiting SeShutdownPrivilege

coming soon!