./kedeshur

Jake Williams works for Rendition Infosec and is a former NSA TAO operartor that’s brining us some knowledge on Windows privilege escalation tricks today. This is a sequel to last year’s Linux Privilege Escalation Tricks talk that Jake gave last year at WWHF. No zero days, just tried and true methods for privilege escalation.

Dave Mayer specializes in red teaming and pen testing. This talk came out of only having a limited number of ports (135, 139, and 445) available on a domain controller during a pen test. Null sessions were identified, domain users were dumped, and the only account recovered was the Backup Operators account in the Backup Operators security group. Typically these accounts have been around for years, haven’t had their password changed since creation, are used to back up a large number of systems across the domain, and may have been migrated from one backup solution to another. Let’s look at how to abuse these permissions to obtain unauthorized access.