winrm_svc


Checking the privileges of the winrm_svc user after performing basic enumeration:

*Evil-WinRM* PS C:\Users\winrm_svc\Documents> whoami /all
 
USER INFORMATION
----------------
 
User Name         SID
================= ==============================================
rebound\winrm_svc S-1-5-21-4078382237-1492182817-2568127209-7684
 
 
GROUP INFORMATION
-----------------
 
Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448
 
 
PRIVILEGES INFORMATION
----------------------
 
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
 
 
USER CLAIMS INFORMATION
-----------------------
 
User claims unknown.
 
Kerberos support for Dynamic Access Control on this device has been disabled.

The winrm_svc account is part of the NT AUTHORITY\NETWORK group. The user also holds SeMachineAccountPrivilege, which is granted by default in an Active Directory environment.

  • While this could potentially be abused for the noPAC exploit, that is unlikely because the machine is up to date

msDS-MachineAccountQuota


*Evil-WinRM* PS C:\Users\winrm_svc\Documents> Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties ms-DS-MachineAccountQuota
 
ms-ds-machineaccountquota
-------------------------
                        0

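The ms-DS-MachineAccountQuota attribute is set to 0, so holding SeMachineAccountPrivilege alone does not allow winrm_svc to add machine accounts to the domain.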
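
The same check as a small audit helper, added here as an example and not part of the original notes: it parses the PRIVILEGES INFORMATION table from saved `whoami /all` output and the single-column quota output shown above, then combines the two. The function names and the embedded samples are constructed for illustration, and it assumes no explicit create-computer delegation exists for the user.

```python
import re

# Constructed samples, copied in shape from the two outputs in these notes.
WHOAMI = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

USER CLAIMS INFORMATION
"""
QUOTA = "ms-ds-machineaccountquota\n-------------------------\n                        0\n"

def parse_privileges(text):
    """Return {privilege: state} from the PRIVILEGES INFORMATION table."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines)
                  if l.strip() == "PRIVILEGES INFORMATION"), None)
    if start is None:
        return {}
    privs, cols = {}, None
    for line in lines[start + 1:]:
        if cols is None:
            if line.startswith("="):  # ruler of '=' runs fixes the column starts
                cols = [m.start() for m in re.finditer(r"=+", line)]
            continue
        if not line.strip():          # blank line ends the table
            break
        bounds = cols + [None]        # last column runs to end of line
        cells = [line[a:b].strip() for a, b in zip(bounds, bounds[1:])]
        privs[cells[0]] = cells[-1]
    return privs

def parse_quota(text):
    """Return the integer under the ms-ds-machineaccountquota header, or None."""
    lines = [l.strip() for l in text.splitlines()]
    for i, l in enumerate(lines):
        if l.lower() == "ms-ds-machineaccountquota":
            return next((int(v) for v in lines[i + 1:] if v.isdigit()), None)
    return None

def can_add_machine_account(privs, quota):
    """Holding the right is not enough: the domain quota must also be above 0.
    Assumption: no explicit create-computer delegation exists for the user."""
    return "SeMachineAccountPrivilege" in privs and bool(quota)
```

For the outputs in these notes, `can_add_machine_account(parse_privileges(WHOAMI), parse_quota(QUOTA))` is `False`: the privilege is present but the quota of 0 blocks it.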