SeTakeOwnership

SeTakeOwnershipPrivilege grants a user the ability to take ownership of any "securable object": Active Directory objects, NTFS files and folders, printers, registry keys, services, and processes. Holding this privilege effectively gives the user WRITE_OWNER access to an object regardless of its DACL, meaning the user can change the owner field in the object's security descriptor.

Administrators are assigned this privilege by default. It's rare to see it on regular accounts, but service accounts can have it, as can Backup Operators (along with other privileges).

Abusing this privilege is a bit of an edge case, but it can be good to know for accessing files we're not supposed to...

Enabling the privilege

The privilege is present in the token but disabled by default. It can be enabled using this script, which is detailed in this blog post, as well as this one, which builds on the initial concept.

Launch Attack: Changing ownership of a credentials file

We use the takeown Windows binary to take ownership of the file:

takeown /f "C:\Department Shares\Private\IT\cred.txt"

Now that we have ownership, we can grant ourselves full privileges:

icacls "C:\Department Shares\Private\IT\cred.txt" /grant htb-student:F

Files to look at

c:\inetpub\wwwroot\web.config
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software
%WINDIR%\repair\security
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
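The trace the takeown/icacls steps above leave behind is a changed owner on the file, which is something defenders can audit. The following PowerShell script is an added example, not part of the original notes: it lists which local accounts hold SeTakeOwnershipPrivilege (parsed from a secedit export) and flags files whose owner differs from a baseline. The watch list and the baseline owner of BUILTIN\Administrators are assumptions to adapt to the host, and the script is assumed to run from an elevated prompt.

```powershell
# Added example (not from the original notes): audit who holds
# SeTakeOwnershipPrivilege and whether the owner of sensitive files has changed.
# Assumptions: elevated prompt; $SensitiveFiles and $ExpectedOwner are placeholders.

function Get-TakeOwnershipHolders {
    # secedit exports User Rights Assignment as INF text; the value is a
    # comma-separated list of '*SID' entries and/or account names.
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeTakeOwnershipPrivilege\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Resolve the SID to an account name where the host can translate it
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    }
}

function Get-OwnerDrift {
    param(
        [string[]]$Paths,
        [string]$ExpectedOwner = 'BUILTIN\Administrators'  # assumed baseline owner
    )
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $owner = (Get-Acl -LiteralPath $p).Owner
        if ($owner -ne $ExpectedOwner) {
            [pscustomobject]@{ Path = $p; Owner = $owner; Expected = $ExpectedOwner }
        }
    }
}

# Constructed watch list: the credentials file and some of the files listed above
$SensitiveFiles = @(
    'C:\Department Shares\Private\IT\cred.txt',
    'C:\inetpub\wwwroot\web.config',
    "$env:WINDIR\repair\sam",
    "$env:WINDIR\system32\config\system.sav"
)

Get-TakeOwnershipHolders
Get-OwnerDrift -Paths $SensitiveFiles | Format-Table -AutoSize
```

An account appearing in the first list that is not an administrator or a known service account, or a file whose owner has drifted to an ordinary user, is what to follow up on.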