In this post I simply want to record a surprisingly simple and well-known exploit/misconfiguration(?) that I found working to gain Administrator on an endpoint with a good (at least to me) security perimeter. I have forgotten many of the details, but it was a Windows server, obviously with the default security measures enabled in addition to that billion-dollar company's product that I would rather not name; I will give it the codename Bird. One more detail I need to add: during the last few days of testing this, it seemed that the exfiltration part of the exploit could be detected, although not stopped.
Short story short: it was SeBackupPrivilege enabled on a user. Wow, so innovative.
Long story long: after identifying that SeBackupPrivilege was enabled, I didn't use the standard reg save command. What I used was shadowcopy and vss-utils; this exploit has plenty of write-ups available, and since it is a living-off-the-land technique, Windows itself documents the tooling. Using a shadow copy and vss-utils I exposed the C:\ partition as a new drive Z:\, which let me copy the usual suspects: the SAM, SYSTEM, and SECURITY registry hives. IIRC, this was necessary because on a raw copy our friend Bird was ranting and screaming that it is not allowed. The next part was getting the data out; we used two ways: first a local-network upload server, then a locally hosted SMB server. Funnily enough, on some of the first days we exploited it, our friend Bird was not angry about this at all.
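The chain above leaves two footprints a defender can correlate: the logon that receives SeBackupPrivilege (Security event 4672, "Special privileges assigned to new logon") and the process creation of a shadow-copy tool such as diskshadow.exe or vssadmin.exe (event 4688) under that same logon. The following Python is an added detection example, not code from the original post or from any product; it runs over a few constructed log lines in a simplified one-line-per-event format that is assumed here (real 4672/4688 events carry these fields in a multi-line message body), and the allowlist of accounts expected to take backups is an assumption the analyst would tune.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real logs): one event per line, as
# "<timestamp> Key=Value Key=Value ...". Field names mirror the Security
# log fields but the layout is a simplification assumed for this example.
SAMPLE_EVENTS = [
    "2024-01-01T09:00:00 EventID=4672 User=CORP\\svc_backup LogonId=0x1a2b Privileges=SeBackupPrivilege,SeRestorePrivilege",
    "2024-01-01T09:00:05 EventID=4688 User=CORP\\svc_backup LogonId=0x1a2b NewProcessName=C:\\Windows\\System32\\diskshadow.exe",
    "2024-01-01T09:01:10 EventID=4688 User=CORP\\svc_backup LogonId=0x1a2b NewProcessName=C:\\Windows\\System32\\cmd.exe",
    "2024-01-01T10:00:00 EventID=4672 User=CORP\\alice LogonId=0x2c3d Privileges=SeChangeNotifyPrivilege",
    "2024-01-01T10:00:20 EventID=4688 User=CORP\\alice LogonId=0x2c3d NewProcessName=C:\\Windows\\System32\\vssadmin.exe",
    "2024-01-01T11:00:00 EventID=4672 User=NT AUTHORITY\\SYSTEM LogonId=0x3e4f Privileges=SeBackupPrivilege,SeTcbPrivilege",
    "2024-01-01T11:00:03 EventID=4688 User=NT AUTHORITY\\SYSTEM LogonId=0x3e4f NewProcessName=C:\\Windows\\System32\\vssadmin.exe",
]

# Key=Value pairs; the lazy match stops at the next " Key=" so values such as
# "NT AUTHORITY\SYSTEM" that contain spaces survive intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

# Built-in tools that create or expose volume shadow copies.
SHADOW_COPY_TOOLS = {"diskshadow.exe", "vssadmin.exe", "wbadmin.exe"}


def parse_event(line):
    """Split one constructed log line into a dict of fields plus a datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(FIELD_RE.findall(rest))
    fields["Timestamp"] = datetime.fromisoformat(ts)
    return fields


def find_suspicious_shadow_copies(lines, allowlist=frozenset(), window=timedelta(minutes=10)):
    """Return alerts for shadow-copy tool launches by a logon that was granted
    SeBackupPrivilege within `window`, excluding accounts on the allowlist."""
    backup_logons = {}   # LogonId -> 4672 event that carried SeBackupPrivilege
    alerts = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "4672":
            privs = set(ev.get("Privileges", "").split(","))
            if "SeBackupPrivilege" in privs:
                backup_logons[ev["LogonId"]] = ev
        elif eid == "4688":
            proc = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
            logon = backup_logons.get(ev.get("LogonId"))
            if proc not in SHADOW_COPY_TOOLS or logon is None:
                continue
            if ev["User"] in allowlist:
                continue  # expected backup operator; tune this set per estate
            if ev["Timestamp"] - logon["Timestamp"] <= window:
                alerts.append({
                    "user": ev["User"],
                    "logon_id": ev["LogonId"],
                    "process": proc,
                    "privileged_logon_at": logon["Timestamp"].isoformat(),
                    "process_started_at": ev["Timestamp"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_shadow_copies(SAMPLE_EVENTS, allowlist={"NT AUTHORITY\\SYSTEM"}):
        print(alert)
```

Only the svc_backup logon is reported: alice launches vssadmin.exe but never held SeBackupPrivilege, and SYSTEM is allowlisted. Dropping the allowlist makes the SYSTEM launch an alert too, which is the noisy baseline a rule like this has to be tuned against, since scheduled backups legitimately look the same.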
And yes, that's it; there is not much more to say about this exploit (despite how proud, happy and elated my friend and I were). Thanks for reading. If you want to know more or wish for me to update this post, just contact me, because I genuinely think that with how much this exploit has already been documented, I don't need to beat a dead horse any further.