InfoSec LAB

Worker_User_Privileges_robisl

Created: 3 min read

robisl

Checking for user privileges of the robisl user after making the lateral movement

*evil-winrm* ps c:\Users\robisl\Documents> whoami /ALL
 
USER INFORMATION
----------------
 
User Name     SID
============= ==============================================
worker\robisl S-1-5-21-3082756831-2119193761-3468718151-1330
 
 
GROUP INFORMATION
-----------------
 
Group Name                             Type             SID                                            Attributes
====================================== ================ ============================================== ==================================================
Everyone                               Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
WORKER\Production                      Alias            S-1-5-21-3082756831-2119193761-3468718151-1018 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users        Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                   Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192
 
 
PRIVILEGES INFORMATION
----------------------
 
Privilege Name                Description                    State
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

The robisl user is part of the Production group

Production Group

*Evil-WinRM* PS C:\Users\robisl\Documents> Get-LocalGroupMember -Group Production
 
ObjectClass Name           PrincipalSource
----------- ----           ---------------
User        WORKER\abrall  Local          
User        WORKER\adaama  Local          
User        WORKER\aidang  Local          
User        WORKER\alearb  Local          
User        WORKER\andbal1 Local          
User        WORKER\antbar  Local          
User        WORKER\aribar2 Local          
User        WORKER\armbar  Local          
User        WORKER\audbec  Local          
User        WORKER\autbel  Local          
User        WORKER\becbet  Local          
User        WORKER\bevbig  Local          
User        WORKER\biabil  Local          
User        WORKER\brobon  Local          
User        WORKER\cambra  Local          
User        WORKER\carbri3 Local          
User        WORKER\carbri4 Local          
User        WORKER\chabro  Local          
User        WORKER\chabuc  Local          
User        WORKER\chebuc1 Local          
User        WORKER\chebuc2 Local          
User        WORKER\coucad  Local          
User        WORKER\daical  Local          
User        WORKER\dakcar  Local          
User        WORKER\damcar  Local          
User        WORKER\darcha  Local          
User        WORKER\dawcha  Local          
User        WORKER\devche1 Local          
User        WORKER\drechi  Local          
User        WORKER\dulchu  Local          
User        WORKER\eglcla  Local          
User        WORKER\elicli1 Local          
User        WORKER\emicoc  Local          
User        WORKER\emlcof  Local          
User        WORKER\estcol  Local          
User        WORKER\faicon  Local          
User        WORKER\gabcor  Local          
User        WORKER\gavcor  Local          
User        WORKER\hancro1 Local          
User        WORKER\harcul  Local          
User        WORKER\haycum  Local          
User        WORKER\heacup  Local          
User        WORKER\holdal  Local          
User        WORKER\hopdar  Local          
User        WORKER\jendun  Local          
User        WORKER\jerdup  Local          
User        WORKER\jesdut  Local          
User        WORKER\karfal  Local          
User        WORKER\keifle  Local          
User        WORKER\kelfoo  Local          
User        WORKER\kelfor1 Local          
User        WORKER\liagra  Local          
User        WORKER\machad  Local          
User        WORKER\maehal  Local          
User        WORKER\makham1 Local          
User        WORKER\malham  Local          
User        WORKER\marhar1 Local          
User        WORKER\melhas  Local          
User        WORKER\morhav  Local          
User        WORKER\nathen  Local          
User        WORKER\paihol  Local          
User        WORKER\phihou  Local          
User        WORKER\rebhyd  Local          
User        WORKER\reeinc  Local          
User        WORKER\robish  Local          
User        WORKER\robisl  Local          
User        WORKER\tanlin  Local          
User        WORKER\theliv  Local          
User        WORKER\trimea  Local          
User        WORKER\waymor  Local          
User        WORKER\vicmof  Local          
User        WORKER\vicmon  Local

Not much could be enumerated other than the fact the Production group contains so many users

Interactive Graph View

Backlinks