BackupOperatorToDA, From An Account Member Of The Group Backup Operators To Domain Admin Without RDP Or WinRM On The Domain Controller.
If you compromise an account member of the group Backup Operators you can become the Domain Admin without RDP or WinRM on the Domain Controller.
All credit from filip_dragovic with his inital POC ! I build this project because I wanted to have a more generic binary with parameters and also being able to export the SAM database on the remote share !
PS C:\Users\mpgn\POC> .\BackupOperatorToDA.exe -h
Backup Operator to Domain Admin (by @mpgn_x64)
This tool exist thanks to @filip_dragovic / https://github.com/Wh04m1001
Mandatory argument:
-t \computer_name (ex: \dc01.pouldard.wizard
-o Where to store the sam / system / security files (can be UNC path)
Optional arguments:
-u Username
-p Password
-d Domain
-h help
Example:
The code is really simple, there is only 3 steps:
RegConnectRegistryA
: Establishes a connection to a predefined registry key on another computer.RegOpenKeyExA
: Opens the specified registry keyRegSaveKeyA
: Saves the specified key and all of its subkeys and values to a new fileThis box was designed by aas_s3curity to exploit a user from the group “Backup Operators” to become domain admin and get the root flag. I search a little bit on the available writeups but all of them where using WinRM to exploit the “Backup Operators” group.
With this POC you don’t need to have an access with WinRM or RPD :
Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…
MODeflattener is a specialized tool designed to reverse OLLVM's control flow flattening obfuscation through static…
"My Awesome List" is a curated collection of tools, libraries, and resources spanning various domains…
CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, allowed attackers to execute arbitrary…
The blog post "Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals" provides…
The exploitation of CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, relies on…