Kali Linux

BackupOperatorToDA : From An Account Member Of The Group Backup Operators To Domain Admin

BackupOperatorToDA, From An Account Member Of The Group Backup Operators To Domain Admin Without RDP Or WinRM On The Domain Controller.

If you compromise an account member of the group Backup Operators you can become the Domain Admin without RDP or WinRM on the Domain Controller.

All credit from filip_dragovic with his inital POC ! I build this project because I wanted to have a more generic binary with parameters and also being able to export the SAM database on the remote share !

PS C:\Users\mpgn\POC> .\BackupOperatorToDA.exe -h
Backup Operator to Domain Admin (by @mpgn_x64)
This tool exist thanks to @filip_dragovic / https://github.com/Wh04m1001
Mandatory argument:
-t \computer_name (ex: \dc01.pouldard.wizard
-o Where to store the sam / system / security files (can be UNC path)
Optional arguments:
-u Username
-p Password
-d Domain
-h help

Example:

  • Using the user RON member of the Backup Operators group on another server than the DC
  • I dump and export the SAM database on the remote share
  • Then I read the SAM file with secretdump
  • An I use the computer account fo the DC to dump the NTDS !

What’s the magic ?

The code is really simple, there is only 3 steps:

  • RegConnectRegistryA : Establishes a connection to a predefined registry key on another computer.
  • RegOpenKeyExA : Opens the specified registry key
  • RegSaveKeyA : Saves the specified key and all of its subkeys and values to a new file

Blackfield from HackTheBox

This box was designed by aas_s3curity to exploit a user from the group “Backup Operators” to become domain admin and get the root flag. I search a little bit on the available writeups but all of them where using WinRM to exploit the “Backup Operators” group.

With this POC you don’t need to have an access with WinRM or RPD :

R K

Recent Posts

Understanding the Model Context Protocol (MCP) and How It Works

Introduction to the Model Context Protocol (MCP) The Model Context Protocol (MCP) is an open…

23 hours ago

The file Command – Quickly Identify File Contents in Linux

While file extensions in Linux are optional and often misleading, the file command helps decode what a…

1 day ago

How to Use the touch Command in Linux

The touch command is one of the quickest ways to create new empty files or update timestamps…

1 day ago

How to Search Files and Folders in Linux Using the find Command

Handling large numbers of files is routine for Linux users, and that’s where the find command shines.…

1 day ago

How to Move and Rename Files in Linux with the mv Command

Managing files and directories is foundational for Linux workflows, and the mv (“move”) command makes it easy…

1 day ago

How to Create Directories in Linux with the mkdir Command

Creating directories is one of the earliest skills you'll use on a Linux system. The mkdir (make…

1 day ago