RIO
  • Welcome
    • RIO
    • Useful Links
  • PENTESTING
    • Methodology
    • Protocols
      • FTP
      • SMB
      • NFS
      • SSH
      • RDP
      • SMTP
      • IMAP / POP3
      • RSYNC
      • SNMP
      • IPMI
      • R-Services
      • WinRM
      • WMI
      • LDAP
    • Databases
      • MySQL
      • MSSQL
      • Oracle TNS
      • PostgreSQL
    • File Transfers
      • Windows
      • Linux
      • Code
      • Misc
    • Password Attacks
      • John The Ripper
      • Hashcat
    • Docker
  • TOOLS
    • Nmap
    • Metasploit
    • BloodHound
    • Other
  • Linux
    • Theory
    • Commands and Utilities
      • Useful Commands
    • Bash Scripting
    • Post-Exploitation
      • Cred Hunting
      • Pivoting
    • Privilege Escalation
  • WINDOWS
    • Theory
      • Security
    • Commands and Utilities
    • PowerShell
    • Post-Exploitation
      • Tools
      • Enumeration
        • System
        • Network
        • Users
        • Groups
        • Processes / Services
        • Permissions
        • Defence
        • Programs
        • Files
      • Access
      • Pivoting
      • Cred Hunting
    • Privilege Escalation
      • Privileges
      • Built-In Groups
        • Backup Operators
        • Server Operators
        • Print Operators
        • DnsAdmins
        • Event Log Readers
      • Privilege Abuse
        • Potatoes
        • SeDebugPrivilege
        • SeTakeOwnershipPrivilege
      • MISC
        • UAC Bypass
        • User-Interaction Attacks
        • Weak Permissions
  • ACTIVE DIRECTORY
    • Theory
      • Terminology
    • Reconnaissance
      • Responder
      • Password Policies
      • DNS
      • Enumeration
        • Users
        • Groups
          • GPO's
        • Shares
        • Domain
        • Trusts
        • ACL
    • Movement
      • Credentials
        • Dumping
          • DCSync
        • Making a Target List
        • Spraying
        • Powershell Remoting
      • Kerberos
        • Kerbrute
        • Kerberoasting
          • Semi-Manual Way
          • Targeted Kerberoasting
        • ASREProasting
        • Forging
          • Golden Ticket
        • Overpass The Hash
        • Pass The Ticket
        • noPAC
      • MITM / Coerced Auths
        • LLMNR, NBT-NS Poisoning
        • PetitPotam
      • DACL Abuse
        • AddMember
        • ForceChangePassword
      • Trust Abuse
        • ExtraSIDs
      • ADCS
      • Printers
        • PrintNightmare
    • Tools
  • Networking
    • Theory
      • Types / Topologies
      • OSI & TCP/IP Models
      • TCP / UDP
      • MAC Addresses
      • IP / Subnetting
      • Proxies
      • ARP
    • Pivoting
      • Port-Forwarding
    • Commands and Utilities
    • Techniques
  • WEB
    • Web Recon
      • Fuzzing
    • DNS
  • CLOUD
    • Google GKE/GCP
      • Theory
Powered by GitBook
On this page
  • About
  • Enable Privilege
  • Accessing sensible file
  1. WINDOWS
  2. Privilege Escalation
  3. Privilege Abuse

SeTakeOwnershipPrivilege

PreviousSeDebugPrivilegeNextMISC

About

SeTakeOwnershipPrivilege allows a user to assume ownership of any "securable object", including Active Directory objects, NTFS files and folders, printers, registry keys, services, and processes. This privilege grants WRITE_OWNER permissions on an object, enabling the user to modify its ownership within the security descriptor. By default, administrators possess this privilege. While it is uncommon for a standard user account to have this privilege, it may be assigned to service accounts responsible for tasks such as running backup jobs and managing VSS snapshots.

Enable Privilege

For this we would use this script: 

PS C:\> Import-Module .\Enable-Privilege.ps1
PS C:\> .\EnableAllTokenPrivs.ps1

Accessing sensible file

Checking directory ownership

PS C:\> cmd /c dir /q 'C:\Share'

Taking ownership

PS C:\> takeown /f 'C:\Shares\file.txt'

Confirming Ownership Changed

PS C:\> Get-ChildItem -Path 'C:\Share\file.txt' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}

Modifying File's ACL

PS C:\> icacls 'C:\Share\file.txt' /grant venator17:F
[LINK]