Merge pull request #972 from krellsebastian/win-token-abuse-SeManageVolumePrivilege

Added SeManageVolumePrivilege to win abuse tokens
This commit is contained in:
SirBroccoli 2024-11-28 11:36:34 +01:00 committed by GitHub
commit f98687a6f6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

@ -153,6 +153,15 @@ If you want to get a `NT SYSTEM` shell you could use:
import-module psgetsys.ps1; [MyProcess]::CreateProcessFromParent(<system_pid>,<command_to_execute>)
```
### SeManageVolumePrivilege
The `SeManageVolumePrivilege` is a Windows user right that allows users to manage disk volumes, including creating and deleting them. While intended for administrators, if granted to non-admin users, it can be exploited for privilege escalation.
It's possible to leverage this privilege to manipulate volumes, leading to full volume access. The [SeManageVolumeExploit](https://github.com/CsEnox/SeManageVolumeExploit) can be used to give full access to all users for C:\
Additionally, the process outlined in [this Medium article](https://medium.com/@raphaeltzy13/exploiting-semanagevolumeprivilege-with-dll-hijacking-windows-privilege-escalation-1a4f28372d37) describes using DLL hijacking in conjunction with `SeManageVolumePrivilege` to escalate privileges.
By placing a payload DLL `C:\Windows\System32\wbem\tzres.dll` and calling `systeminfo` the dll is executed.
## Check privileges
```
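Review bot: The five new lines under `### SeManageVolumePrivilege` have no blank lines between them, so the four sentences at "The `SeManageVolumePrivilege` is…", "It's possible to leverage…", "Additionally, the process…" and "By placing a payload DLL…" render as one run-on paragraph in Markdown, and the heading itself sits directly against the preceding closing fence and the following `## Check privileges` heading; please separate the heading and each paragraph with a blank line as the rest of the file does. The sentence ending "give full access to all users for C:\" is also missing its period. Since the section opens by saying the right is "intended for administrators", it would help the reader to close with a pointer to the `## Check privileges` section that follows, so that whoever reads this can confirm which accounts actually hold the right and review whether that assignment is expected, rather than leaving the DLL sentence as the last word.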