svc_mssql


Checking the privileges of the svc_mssql user after the lateral movement:

PS C:\Windows\system32> whoami /all
whoami /all
 
USER INFORMATION
----------------
 
User Name        SID                                         
================ ============================================
access\svc_mssql S-1-5-21-537427935-490066102-1511301751-1104
 
 
GROUP INFORMATION
-----------------
 
Group Name                                 Type             SID          Attributes                                        
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Group used for deny only                          
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192                                                    
 
 
PRIVILEGES INFORMATION
----------------------
 
Privilege Name                Description                      State   
============================= ================================ ========
SeMachineAccountPrivilege     Add workstations to domain       Disabled
SeChangeNotifyPrivilege       Bypass traverse checking         Enabled 
SeManageVolumePrivilege       Perform volume maintenance tasks Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set   Disabled
 
 
USER CLAIMS INFORMATION
-----------------------
 
User claims unknown.
 
Kerberos support for Dynamic Access Control on this device has been disabled.

The whoami output shows that svc_mssql holds the SeManageVolumePrivilege privilege. Its state is reported as Disabled, which only means the privilege is not currently enabled in the process token, not that it is absent: any process running as this user can enable it with AdjustTokenPrivileges before using it, and that is exactly what tooling that abuses the privilege does first.

SeManageVolumePrivilege


According to the Microsoft documentation, SeManageVolumePrivilege corresponds to the "Perform volume maintenance tasks" user right and determines which accounts can run volume-level management operations such as defragmentation or creating and removing volumes. Microsoft's own guidance says to assign it with caution, because accounts holding it can explore disks and extend files into storage that still contains other data.

Vulnerabilities


Looking further into it reveals that the SeManageVolumePrivilege privilege can be abused for privilege escalation.

Several methods appear to be available. Moving on to the Privilege Escalation phase.