In the Windows Privilege Escalation module it is stated that “After performing these changes, we would want to make every effort to revert the permissions/file ownership.”, but does not explain how to revert the changes made.
I ran the following to find the owner of the file:
cmd /c dir /q '..\TheFolder\'
Volume in drive C has no label.
Volume Serial Number is 0C92-675B
Directory of C:\TheFolder
06/04/2021 10:23 AM <DIR> WINLPE-SRV01\sccm_svc .
06/04/2021 10:23 AM <DIR> NT SERVICE\TrustedInsta..
06/04/2021 10:24 AM 22 ... file.txt
Then to take ownership:
takeown /f 'file.txt'
icacls 'file.txt' /grant htb-student:F
To revert, I tried:
icacls file.txt /setowner "NT SERVICE\TrustedInstaller"
file.txt: This security ID may not be assigned as the owner of this object.
Attempting to set the owner to “WINLPE-SRV01\sccm_svc” did not work either.
I tried to change the ownership in the GUI, Properties->Security->Advanced->Owner: Change, but this action prompts for the administrator password.
Am I doing something wrong, or would it be necessary to escalate to administrator before I can revert the changes?