Invoke-Backup.ps1

Ryan Yager
3 min read · Sep 11, 2022


This time we will be looking at Invoke-Backup.ps1, a script written by OvergrownCarrot1 (OGC) that can be found at the following address:

https://github.com/overgrowncarrot1/Invoke-Everything/blob/main/invoke-backup.ps1

The first step to exploiting a backup operator is to find one; we can do this with whoami /groups. If the current user, or a user you have a password for, is a member of Backup Operators, we can run the script to automate much of the backup operator process.

Notice above that the sec user is part of Backup Operators.

Let’s load invoke-backup.ps1 into memory and start the script with the invoke-backup command.

We can see that the script calls for the attacker IP address.

When we start the script the following happens:

We are then told to start an SMB server on the attacker machine.

You can see above that the security policy has stopped us from sending the files back to our attacker machine. That is ok; let’s copy the files to another location and try some other things.

As you can see, we have copied the files into the share, and from there we connected to the share with the credentials we have for the backup user.

Now that we have the files back on our machine, we can run secretsdump.

Looks like the script worked perfectly. Thanks for reading and hopefully the script works just as well for you.


Written by Ryan Yager

Known on Twitch and YouTube as OvergrownCarrot1 or OGC
