SeTakeOwnershipPrivilege

What is SeTakeOwnershipPrivilege?

  • SeTakeOwnershipPrivilege is a Windows privilege that allows users to take ownership of objects, such as files, folders, or registry keys, even if they do not have explicit permissions to do so. Once ownership is taken, the user can modify the object's permissions to grant themselves full control, effectively bypassing access restrictions.

  • Key Command:

    • whoami /priv → Use this command to check if SeTakeOwnershipPrivilege is enabled for your user account.

Exploiting SeTakeOwnershipPrivilege

If a user has SeTakeOwnershipPrivilege, they can take control of sensitive objects like system files or critical processes and modify their permissions to gain access or execute arbitrary commands. Here's how you can exploit this privilege to escalate your privileges:

PS C:\htb> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                                              State
============================= ======================================================= ========
SeTakeOwnershipPrivilege      Take ownership of files or other objects                Disabled

If the privilege shows as Disabled in the token (as above), it can be enabled with the Enable-Privilege script from PoshPrivilege: https://github.com/proxb/PoshPrivilege/blob/master/PoshPrivilege/Scripts/Enable-Privilege.ps1

PS C:\> Import-Module .\Enable-Privilege.ps1
PS C:\> .\EnableAllTokenPrivs.ps1
PS C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                              State
============================= ======================================== =======
SeTakeOwnershipPrivilege      Take ownership of files or other objects Enabled
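The two things a defender wants to know after reading the section above are which accounts on a host are assigned SeTakeOwnershipPrivilege at all, and whether the current token holds it (and in what state). The following audit helper is an added example, not code from the page or from the PoshPrivilege project; it assumes an elevated Windows PowerShell 5.1 or later session (secedit /export needs administrator rights) and the function names Get-TokenPrivilegeState and Get-UserRightAssignment are my own.

```powershell
# Added audit helper (not part of the original page): reports whether the current
# token holds SeTakeOwnershipPrivilege and which principals are assigned it in the
# local user-rights policy. Assumes an elevated Windows PowerShell session.

function Get-TokenPrivilegeState {
    # "whoami /priv /fo csv" prints a CSV with "Privilege Name","Description","State"
    # columns, which is the same data as the tabular output shown on the page.
    param([string]$Privilege = 'SeTakeOwnershipPrivilege')
    $rows = whoami /priv /fo csv | ConvertFrom-Csv
    $row  = $rows | Where-Object { $_.'Privilege Name' -eq $Privilege }
    if (-not $row) {
        return [pscustomobject]@{ Privilege = $Privilege; State = 'NotHeld' }
    }
    [pscustomobject]@{ Privilege = $Privilege; State = $row.State }
}

function Get-UserRightAssignment {
    # Exports the local user-rights policy and returns the principals assigned $Privilege.
    param([string]$Privilege = 'SeTakeOwnershipPrivilege')
    $inf = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        # The exported .inf is UTF-16LE; the relevant line looks like
        #   SeTakeOwnershipPrivilege = *S-1-5-32-544
        $line = Get-Content -Path $inf -Encoding Unicode |
                Where-Object { $_ -match "^\s*$Privilege\s*=" }
        if (-not $line) { return @() }
        $entries = ($line -split '=', 2)[1] -split ','
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # Entries prefixed with '*' are SIDs; resolve them to account names.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '<unresolved>' }
                [pscustomobject]@{ Sid = $sid.Value; Account = $name }
            } else {
                # Unprefixed entries are already account names.
                [pscustomobject]@{ Sid = $null; Account = $entry }
            }
        }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

# Example run: token state first, then every principal holding the right.
Get-TokenPrivilegeState
Get-UserRightAssignment | Format-Table -AutoSize
```

On a default installation Get-UserRightAssignment should return only BUILTIN\Administrators (S-1-5-32-544); any additional principal, in particular a service account or a plain user, is the finding worth following up, since the enable script shown on the page is all that stands between a Disabled token privilege and a usable one.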

1. Taking Ownership of Files or Directories

SeTakeOwnershipPrivilege allows you to change ownership of a file or folder, giving you the ability to modify or access restricted files. After taking ownership, you can change its Discretionary Access Control List (DACL) to grant yourself full control.

Steps to Exploit SeTakeOwnershipPrivilege on Files:

  1. Take Ownership of a File or Directory:

    Use the takeown command to take ownership of a file or directory.

    Command:

    takeown /F <file_or_folder_path>

    Example:

    takeown /F C:\Windows\System32\drivers\etc\hosts

    This command changes the ownership of the specified file to your user account.

  2. Grant Yourself Full Control Over the File:

    After taking ownership, modify the file's permissions using the icacls command to give yourself full control.

    Command:

    icacls <file_or_folder_path> /grant <username>:F

    Example:

    icacls C:\Windows\System32\drivers\etc\hosts /grant <username>:F

    • /grant → Grants full control (F) over the file to the specified user.

  3. Modify or Access the File:

    After granting yourself full control, you can now edit, delete, or access the file as needed. For example, you can now modify sensitive system files like hosts, or even replace system executables with malicious ones to gain SYSTEM-level privileges.

2. Taking Ownership of Registry Keys

You can also use SeTakeOwnershipPrivilege to modify ownership and permissions of critical registry keys, which may allow you to escalate privileges.

Steps to Exploit Registry Keys:

  1. Take Ownership of a Registry Key:

    Use regedit or PowerShell to change the ownership of a registry key. You can take ownership of sensitive keys such as those related to user accounts, services, or startup configurations.

    Example in PowerShell (writing a startup value once the key's owner and permissions allow it):

    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "<key>" -Value "<value>"

    Note that Set-ItemProperty writes a registry value; it does not change the key's owner. Ownership itself is changed through the key's security descriptor (regedit's Permissions dialog, or the Get-Acl/Set-Acl cmdlets in PowerShell), after which startup settings or other critical configurations can be modified as shown.

  2. Modify Permissions:

    After taking ownership, modify the permissions to grant yourself full control. You can now alter the key's values to execute malicious code, start services with SYSTEM privileges, or add new startup entries.
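Both the file steps (takeown followed by icacls /grant <user>:F) and the registry steps above leave the same footprint: an owner that is no longer TrustedInstaller, SYSTEM or Administrators, and an allow ACE that hands FullControl, TakeOwnership or ChangePermissions to some other principal. The following helper checks exactly that on the page's example objects (the hosts file and the Run key) plus two neighbours, and pulls the Security-log events that record such changes. It is an added example, not code from the page; it assumes an elevated Windows PowerShell 5.1 or later session, the object and trusted-principal lists are my own choices, and the function names Test-ObjectOwnership and Get-RecentOwnershipEvents are hypothetical.

```powershell
# Added audit helper (not part of the original page): flags sensitive files and
# registry keys whose owner or DACL would let a non-administrative principal
# modify them, and lists recent Security-log events tied to ownership changes.
# Assumes an elevated Windows PowerShell session so Get-Acl can read every object.

$TrustedOwners = @(
    'NT SERVICE\TrustedInstaller',
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators'
)

# The objects the page uses as examples, plus two neighbours worth watching.
$SensitiveObjects = @(
    'C:\Windows\System32\drivers\etc\hosts',
    'C:\Windows\System32\drivers\etc',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

function Test-ObjectOwnership {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $findings = @()

    if ($TrustedOwners -notcontains $acl.Owner) {
        $findings += "owner is '$($acl.Owner)' (expected one of: $($TrustedOwners -join ', '))"
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # File ACEs expose FileSystemRights, registry ACEs expose RegistryRights;
        # whichever is absent on this object comes back as $null and is dropped.
        $rights = $ace.FileSystemRights, $ace.RegistryRights |
                  Where-Object { $_ } | ForEach-Object { "$_" }
        # FullControl in the hands of an untrusted principal is exactly what
        # "icacls <path> /grant <user>:F" produces.
        if (($rights -match 'FullControl|TakeOwnership|ChangePermissions') -and
            ($TrustedOwners -notcontains $ace.IdentityReference.Value)) {
            $findings += "'$($ace.IdentityReference.Value)' has $($rights -join ',')"
        }
    }

    [pscustomobject]@{ Path = $Path; Owner = $acl.Owner; Findings = $findings }
}

function Get-RecentOwnershipEvents {
    # Security log: 4674 = an operation was attempted on a privileged object
    # (its message names the privilege used), 4670 = permissions on an object
    # were changed. 4674 needs "Audit Sensitive Privilege Use" enabled; 4670
    # needs "Audit Authorization Policy Change" plus a SACL on the object.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4670, 4674; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 4670 -or $_.Message -match 'SeTakeOwnershipPrivilege' } |
        Select-Object TimeCreated, Id, Message
}

# Example run: only objects with findings, then the recent events.
$SensitiveObjects | ForEach-Object { Test-ObjectOwnership -Path $_ } |
    Where-Object { $_.Findings.Count -gt 0 } |
    Format-List
Get-RecentOwnershipEvents | Format-Table -AutoSize -Wrap
```

Inherited ACEs that carry generic rights show up as numeric values rather than names and are therefore not matched by the pattern; that is acceptable here because the explicit, non-inherited Full Control entry that icacls writes is the one that matters. Run the object check from a known-good baseline image first so that any host-specific but legitimate owners can be added to $TrustedOwners before the report is trusted.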
