Maybe you know that feeling of getting completely lost in the endless rabbit hole an extremely in-depth HTB course can throw you into. Even if not, you know that whatever you consume, the info-to-fun-fact ratio has to be at least 80/20 for it to be worth it.
Working through the HackTheBox Windows Privilege Escalation module, I kept hitting the same problem: too much content, no clear signal on what actually matters when you're only starting out. So here's the distilled version.
The Privilege & Group Reference
| Privilege / Group | What it gets you | How | Tool |
|---|---|---|---|
| SeImpersonatePrivilege | SYSTEM via token impersonation | Service accounts have it by default — MSSQL, IIS, anything running as a service | PrintSpoofer, SigmaPotato |
| SeAssignPrimaryTokenPrivilege | SYSTEM via token impersonation | Same accounts, same story | Potato family |
| SeDebugPrivilege | Every credential cached in memory | Read/write any process including LSASS | mimikatz + procdump |
| SeTakeOwnershipPrivilege | Any file on the system | Claim ownership of TrustedInstaller-protected files | takeown + icacls |
| SeBackupPrivilege | Any file regardless of ACL | Designed for backup software, abusable for NTDS.dit | robocopy /B |
| Backup Operators (group) | Same as SeBackupPrivilege | Group grants the privilege automatically | robocopy /B |
| Event Log Readers (group) | Plaintext creds from process logs | Event ID 4688 logs full command lines — passwords typed inline stay there | wevtutil |
| DnsAdmins (group) | SYSTEM via DNS service | Load a malicious DLL on DNS restart — DNS runs as SYSTEM | msfvenom + dnscmd |
| Server Operators (group) | SYSTEM via service hijack | Reconfigure any LocalSystem service binary path | sc.exe |
| UAC bypass | Full admin token without prompt | DLL hijack via writable PATH + auto-elevating Microsoft binary | msfvenom + rundll32 |
Run whoami /all, not just whoami /priv. Group membership grants privileges just as effectively as direct assignment, and it's checked far less often.
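Since the whole point is to read whoami /all rather than whoami /priv, here is a small PowerShell audit that does that reading for you: it takes a whoami /all dump (live or captured) and reports which of the privileges and groups from the table above the token holds. This is an added example, not code from the post or from the HTB module; the function and variable names are my own and the sample dump at the bottom is constructed, not taken from a real host.

```powershell
# Added example (not from the original post). Maps a whoami /all dump against the
# privileges and groups from the reference table and returns one finding per hit.
# $RiskyPrivileges, $RiskyGroups and Get-TokenRiskFindings are names I chose here.

$RiskyPrivileges = @{
    'SeImpersonatePrivilege'        = 'SYSTEM via token impersonation'
    'SeAssignPrimaryTokenPrivilege' = 'SYSTEM via token impersonation'
    'SeDebugPrivilege'              = 'Read/write any process, including LSASS'
    'SeTakeOwnershipPrivilege'      = 'Take ownership of any file'
    'SeBackupPrivilege'             = 'Read any file regardless of ACL'
}
$RiskyGroups = @{
    'Backup Operators'  = 'Grants SeBackupPrivilege'
    'Event Log Readers' = 'Can read 4688 events with full command lines'
    'DnsAdmins'         = 'Can reconfigure the DNS service, which runs as SYSTEM'
    'Server Operators'  = 'Can reconfigure LocalSystem service binaries'
}

function Get-TokenRiskFindings {
    param(
        # Text of `whoami /all`; defaults to the live token when omitted.
        [string]$WhoamiOutput = (whoami /all | Out-String)
    )
    $findings = foreach ($line in ($WhoamiOutput -split "`r?`n")) {
        # Privilege rows look like: "SeDebugPrivilege  Debug programs  Disabled"
        foreach ($priv in $RiskyPrivileges.Keys) {
            if ($line -match "^\s*$priv\s") {
                [pscustomobject]@{
                    Kind   = 'Privilege'
                    Name   = $priv
                    # A Disabled privilege is still held by the token; the process can enable it.
                    State  = if ($line -match '\bEnabled\s*$') { 'Enabled' } else { 'Disabled' }
                    Impact = $RiskyPrivileges[$priv]
                }
            }
        }
        # Group rows look like: "BUILTIN\Backup Operators  Alias  S-1-5-32-551  Mandatory group, ..."
        foreach ($grp in $RiskyGroups.Keys) {
            if ($line -match "\\$([regex]::Escape($grp))\s") {
                [pscustomobject]@{
                    Kind   = 'Group'
                    Name   = $grp
                    State  = 'Member'
                    Impact = $RiskyGroups[$grp]
                }
            }
        }
    }
    $findings
}

# Constructed sample dump (not from a real host) so the function can be exercised offline.
$sample = @"
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                                State
============================= ========================================== ========
SeImpersonatePrivilege        Impersonate a client after authentication  Enabled
SeDebugPrivilege              Debug programs                             Disabled

GROUP INFORMATION
-----------------
Group Name                 Type   SID          Attributes
========================== ====== ============ ================================
BUILTIN\Users              Alias  S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators   Alias  S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
"@

# Offline run against the constructed sample:
Get-TokenRiskFindings -WhoamiOutput $sample | Format-Table -AutoSize
# Live run against the current session's token:
# Get-TokenRiskFindings | Format-Table -AutoSize
```

On the sample above this reports three findings: SeImpersonatePrivilege (Enabled), SeDebugPrivilege (Disabled) and membership in Backup Operators. The Disabled entry is deliberately not filtered out, because a privilege listed as Disabled is still assigned to the token and can be switched on by the process that owns it; only a privilege missing from the list is truly absent. The group match is the part whoami /priv never shows you, which is the post's point.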
One fun little gotcha that cost me the most time
In PowerShell, sc is an alias for Set-Content.
Running sc stop dns creates a file called stop containing the text dns.
Always use sc.exe explicitly when talking to the Service Control Manager.
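The quickest way to see this for yourself, and to spot the artifact the mistake leaves behind, is to ask the session what the bare word sc resolves to. The snippet below is an added example, not from the original post; the function name is my own.

```powershell
# Added example (not from the original post). Shows what `sc` resolves to in this
# PowerShell session, where the real Service Control Manager client lives, and the
# file a mistaken `sc stop dns` leaves behind. Resolve-ScCommand is a name I chose.

function Resolve-ScCommand {
    $alias = Get-Alias -Name sc -ErrorAction SilentlyContinue
    $exe   = Get-Command -Name sc.exe -CommandType Application -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # What runs when you type a bare `sc`: the alias, if one exists, wins over sc.exe.
        BareSc = if ($alias) { "alias for $($alias.Definition)" } else { 'no alias; falls through to sc.exe' }
        ScExe  = if ($exe) { $exe.Source } else { 'sc.exe not found on PATH' }
    }
}

Resolve-ScCommand

# The mistake from the post, spelled out as what PowerShell actually executes:
#   sc stop dns   ==>   Set-Content -Path stop -Value dns
# Nothing is sent to the SCM; a file named "stop" containing "dns" appears in the
# current directory. If a service command "did nothing", look for that file:
Get-ChildItem -Path . -Filter stop -ErrorAction SilentlyContinue | Get-Content

# The explicit forms that really talk to the Service Control Manager:
sc.exe query dns
Get-Service -Name dns -ErrorAction SilentlyContinue
```

In Windows PowerShell 5.1 the first call reports that sc is an alias for Set-Content and that sc.exe sits under the System32 directory; the alias is what wins when you type the bare word. Writing sc.exe with the extension, or using Get-Service / Stop-Service, sidesteps the alias entirely.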
Full walkthrough with real shell output, failed attempts, and the reasoning
behind every step:
👉 Windows PrivEsc 02 on niklas-heringer.com