Omni$
Checking for user privileges after gaining a foothold
ps c:\windows\system32> whoami /all
whoami /all
whoami : The term 'whoami' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or
if a path was included, verify that the path is correct and try again.
at line:1 char:1
+ whoami /all
+ ~~~~~~
+ categoryinfo : ObjectNotFound: (whoami:String) [], CommandNotFo
undException
+ fullyqualifiederrorid : CommandNotFoundExceptionDue to the fact that whoami.exe not available, I would have to improvise
$user = [system.security.principal.windowsidentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($user)
$isadmin = $principal.isinrole([system.security.principal.windowsbuiltinrole]::Administrator)
$groups = $user.Groups
write-output "user: $($user.Name)"
write-output "is an administrator: $isAdmin"
write-output "group membership:"
foreach ($group in $groups) {
Write-Output " $($group.Translate([System.Security.Principal.NTAccount]))"
}I will use this PowerShell script manually
ps c:\windows\system32> $user = [System.Security.Principal.WindowsIdentity]::GetCurrent()
ps c:\windows\system32> $principal = New-Object System.Security.Principal.WindowsPrincipal($user)
ps c:\windows\system32> $isAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
ps c:\windows\system32> $groups = $user.Groups
ps c:\windows\system32> Write-Output "User: $($user.Name)"
user: NT AUTHORITY\SYSTEM
ps c:\windows\system32> Write-Output "Is an administrator: $isAdmin"
is an administrator: True
ps c:\windows\system32> foreach ($group in $groups) {Write-Output "$($group.Translate([System.Security.Principal.NTAccount]))"}
BUILTIN\Administrators
Everyone
NT AUTHORITY\Authenticated UsersSo the current user is indeed a machine account with administrative privileges.
At this point, I am the SYSTEM, but it would seem that there is more to gain.