There are many different ways that local privilege escalation can be done on a Windows system. This video goes over priv esc in the case where a user is given SeBackupPrivilege. This privilege is typically assigned to users in the Backup Operators group and can be used to obtain Administrator NTLM hashes from a machine by reading certain files while acting as a backup. This technique can be very helpful to those studying for the OSCP exam.

Join my Discord server: discord.gg/9CvTtHqWCX
Follow me on Twitter:   / 0xconda  

If you found this video helpful and would like to support future creations, please considering visiting the following links:
Patreon:   / conda  
Buy Me a Coffee: https://www.buymeacoffee.com/conda
Amazon affiliate link (anything purchased through this link will provide me with a small commission): https://amzn.to/3hsHzD2

Diskshadow documentation: https://docs.microsoft.com/enus/wind...
Carbon documentation: http://getcarbon.org/
SeBackupPrivilege GitHub repo: https://github.com/giuliano108/SeBack...

00:00 Vulnerability Explanation
01:05 Windows 10 Workstation Setup
04:45 Windows 10 Workstation Exploit
09:11 Domain Controller Setup
12:37 Domain Controller Exploit