Windows PrivEsc with SeBackupPrivilege Enabled
Intro : Hey guys, this is my new article on Windows hacking. For any attacker, privilege escalation is one of the most important steps. Today I am going to discuss how to abuse SeBackupPrivilege to pull the local password hashes off a box without being an administrator. So let's start.
Listing Privileges :
After getting a standard shell as a low-privileged user, the first thing to do is list the privileges held by the current token (whoami /priv). Here is the output.
Two interesting privileges are present: SeBackupPrivilege and SeRestorePrivilege. Checking the specific user confirms it; the account here is Jmurphy. These two are the privileges the Backup Operators group normally grants: SeBackupPrivilege lets a process read any file or registry key regardless of its ACL when it opens the object with backup semantics, and SeRestorePrivilege is the write-side counterpart. Note that whoami /priv may show the privilege as "Disabled"; that only means it is not yet enabled on this token, which is what the DLLs below take care of.
Downloading DLL Files :
To abuse those privileges we have to drop two DLLs onto the victim machine. Together they form a small PowerShell module that enables SeBackupPrivilege on the current process and copies files using backup semantics. You can get it from Here.
The 2 files are : SeBackupPrivilegeCmdLets.dll and SeBackupPrivilegeUtils.dll
Let’s Hack it :
After that we have to execute a few commands.
Note : Using this process we copy the SAM and SYSTEM registry hives out of the live registry without Administrator access. SAM holds the NT hashes of the local accounts, but they are encrypted with a key stored in SYSTEM, so both hives are needed. Then, with a tool called secretsdump, we can dump the Administrator's and the other users' hashes from those two files alone. The Administrator's NT hash is the actual privilege escalation: it can be used in a pass-the-hash logon to get an elevated shell.
First make a Temp folder on the C drive and save those two DLLs in it.
Then execute the following commands. They import the two DLLs as a PowerShell module and enable SeBackupPrivilege on the current token.
Now we are going to save the SAM and SYSTEM hives. Use the following commands.
Tip : reg save hklm\sam <path_to_save>
Tip : reg save hklm\system <path_to_save>
Here are those Files.
Now transfer those two files to your attacking VM to dump them.
There you can dump all the hashes with secretsdump by feeding it the SAM and SYSTEM hives. Do it yourself. :)
The SecretsDump link is Here, or on Kali just run sudo apt install python3-impacket impacket-scripts to get the Impacket tools; the script is then available as impacket-secretsdump.
And that’s it.
THANKS FOR READING!
Happy Hacking~