svc_apache$
Checking the privileges of the compromised enox user after making a lateral movement on the dc01.heist.offsec (192.168.198.165) host.
*Evil-WinRM* PS C:\Users\svc_apache$\Documents> whoami /all

USER INFORMATION
----------------

User Name         SID
================= ============================================
heist\svc_apache$ S-1-5-21-537427935-490066102-1511301751-1105

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                         Attributes
========================================== ================ =========================================== ==================================================
HEIST\Domain Computers                     Group            S-1-5-21-537427935-490066102-1511301751-515 Mandatory group, Enabled by default, Enabled group
Everyone                                   Well-known group S-1-1-0                                     Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                    Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
The svc_apache$ account has SeRestorePrivilege enabled.
SeRestorePrivilege means privileged write access: the holder can write files regardless of their ACLs. Moving on to the Privilege Escalation phase.
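
Added example, not part of the original write-up: the same whoami /all check automated as an audit of which sensitive privileges an account's token carries. It finds column boundaries from the ==== ruler line; the SENSITIVE list and the function names are assumptions of this example.

```python
import re

# Privileges treated as sensitive in this example (an assumed, non-exhaustive
# list), mapped to what each one grants its holder.
SENSITIVE = {
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeDebugPrivilege": "open any process for debugging",
    "SeMachineAccountPrivilege": "add workstations to the domain",
}

# Privilege table from the session above, with column spacing restored.
SAMPLE = """\
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

USER CLAIMS INFORMATION
"""

def parse_privileges(text):
    """Return (name, description, state) rows from whoami /priv or /all output."""
    lines = text.splitlines()
    for i in range(1, len(lines)):
        # The "====" ruler under the header row fixes the column boundaries.
        if lines[i - 1].startswith("Privilege Name") and re.fullmatch(r"=+( =+)+", lines[i]):
            starts = [m.start() for m in re.finditer(r"=+", lines[i])]
            # The last column runs to end of line: "Disabled" can outgrow the ruler.
            ends = starts[1:] + [None]
            rows = []
            for row in lines[i + 1:]:
                if not row.strip():  # a blank line ends the table
                    break
                rows.append(tuple(row[a:b].strip() for a, b in zip(starts, ends)))
            return rows
    return []

def audit(text):
    """List sensitive privileges in the token. Disabled ones are reported too,
    since the holder can enable any privilege present in its own token."""
    return [(n, s, SENSITIVE[n]) for n, _, s in parse_privileges(text) if n in SENSITIVE]

if __name__ == "__main__":
    for name, state, grants in audit(SAMPLE):
        print(f"{name:28} {state:9} {grants}")
```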