This is another post in the BADministration series, where we’ll be exploring Acronis Backup from an offensive standpoint. As always, before going further, one thing I would like to make clear – this is not an Acronis issue or vulnerability. This post instead discusses features and architecture issues, similar to spanning a trusted domain to a less-trusted network. Also, once again, a shout-out to CherryDarkness for all the help. Video is at the bottom.
BADministration – https://github.com/ThunderGunExpress/BADministration
Gaining access to the backup solution can be critical during an offensive engagement. Any account with access to a backup share (or server) can mount images to read information from the backed-up filesystem and, by extension, local system hashes. These shares or servers can provide an attacker with a potential escalation path or, at a minimum, privileged information about the organization’s security and administrative configurations. However, this post is not about leveraging backup shares; it’s about leveraging the backup server itself!
Other related offsec management application posts: