BackupOperatorToolkit – The BackupOperatorToolkit Contains Different Techniques Allowing You To Escalate From Backup Operator To Domain Admin
The BackupOperatorToolkit (BOT) has 4 different modes that allow you to escalate from Backup Operator to Domain Admin.
Use "runas.exe /netonly /user:domain.dk\backupoperator powershell.exe" before running the tool.
The DSRM mode will set the DsrmAdminLogonBehavior
The DUMP mode will dump the SAM, SYSTEM, and SECURITY hives to a local path on the remote host or upload the files to a network share.
Once the hives have been dumped you could PtH with the Domain Controller hash, crack DSRM and enable network auth, or possibly authenticate with another account found in the dumps. Accounts from other forests may be stored in these files; I'm not sure why, but this has been observed on engagements with
The IFEO (Image File Execution Options) mode enables you to run an application when a specific process is terminated.
This could grant a shell sooner than the SERVICE mode would, in case the target host is heavily utilized and rarely rebooted.
The executable will be running as a child to the WerFault.exe process.
.\BackupOperatorToolkit.exe IFEO notepad.exe \\Path\To\pwn.exe \\TARGET.DOMAIN.DK
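A read-only PowerShell audit for defenders, added here as an example and not part of the toolkit, that checks a Domain Controller for the registry state the DSRM and IFEO modes depend on. It assumes the IFEO mode uses the standard Windows "run a process on exit" mechanism (GlobalFlag 0x200 plus a SilentProcessExit MonitorProcess value), which the page itself does not spell out.

```powershell
# Added audit script (not BackupOperatorToolkit code). Run elevated on a DC.
# It only reads the registry and reports values worth reviewing.
function Get-BotRegistryArtifacts {
    $findings = @()

    # DSRM mode: DsrmAdminLogonBehavior = 1 or 2 lets the DSRM account log on
    # outside Directory Services Restore Mode. Unset or 0 is the default.
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $dsrm = (Get-ItemProperty -Path $lsa -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    if ($dsrm -and $dsrm -ne 0) {
        $findings += [pscustomobject]@{ Check = 'DsrmAdminLogonBehavior'; Key = $lsa; Value = $dsrm }
    }

    # IFEO mode: "run X when Y exits" is registered as GlobalFlag 0x200
    # (FLG_MONITOR_SILENT_PROCESS_EXIT) under the target's IFEO subkey, with
    # the executable to launch in SilentProcessExit\<target>\MonitorProcess.
    # A Debugger value under IFEO is the older, better-known hijack and is
    # reported as well.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $spe  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'

    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props.GlobalFlag -band 0x200) {
            $findings += [pscustomobject]@{ Check = 'IFEO GlobalFlag 0x200'; Key = $_.PSChildName; Value = ('0x{0:X}' -f $props.GlobalFlag) }
        }
        if ($props.Debugger) {
            $findings += [pscustomobject]@{ Check = 'IFEO Debugger'; Key = $_.PSChildName; Value = $props.Debugger }
        }
    }

    Get-ChildItem -Path $spe -ErrorAction SilentlyContinue | ForEach-Object {
        $mon = (Get-ItemProperty -Path $_.PSPath -Name MonitorProcess -ErrorAction SilentlyContinue).MonitorProcess
        if ($mon) {
            $findings += [pscustomobject]@{ Check = 'SilentProcessExit MonitorProcess'; Key = $_.PSChildName; Value = $mon }
        }
    }

    return $findings
}

$results = Get-BotRegistryArtifacts
if ($results) { $results | Format-Table -AutoSize } else { Write-Output 'No DSRM or IFEO artifacts found.' }
```

The DUMP mode leaves no registry trace, so pair this with monitoring of SeBackupPrivilege use (Security event 4674) and of new SAM/SYSTEM/SECURITY hive copies on DC disks or shares.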