molly.smith
Checking the privileges of the molly.smith user after performing a manual system enumeration.
```
PS C:\Users\molly.smith> whoami /ALL

USER INFORMATION
----------------

User Name         SID
================= =============================================
haero\molly.smith S-1-5-21-3227296914-974780204-1325941497-1107

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                           Attributes
========================================== ================ ============================================= ===============================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Group used for deny only
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators                   Alias            S-1-5-32-549                                  Group used for deny only
BUILTIN\Remote Desktop Users               Alias            S-1-5-32-555                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON      Well-known group S-1-5-14                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
HAERO\Tier1-Admins                         Group            S-1-5-21-3227296914-974780204-1325941497-1141 Mandatory group, Enabled by default, Enabled group
HAERO\it                                   Group            S-1-5-21-3227296914-974780204-1325941497-1105 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                      Mandatory group, Enabled by default, Enabled group
HAERO\WSUS Administrators                  Alias            S-1-5-21-3227296914-974780204-1325941497-1103 Mandatory group, Enabled by default, Enabled group, Local Group
HAERO\WSUS Reporters                       Alias            S-1-5-21-3227296914-974780204-1325941497-1104 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
```
The molly.smith user is a member of the following groups through its membership in the Tier1-Admins group:
- WSUS Reporters
- WSUS Administrators
- Server Operators
- Remote Desktop Users
As Administrator
Running as Administrator is possible, likely because molly.smith is part of the Tier1-Admins group.
The whoami /ALL command now shows more privileges than the [[#molly.smith|other attempt above]], including:
- SeMachineAccountPrivilege
- SeBackupPrivilege and SeRestorePrivilege, likely from being part of Server Operators (listed as "Group used for deny only" in the Medium-integrity token above, which is why those privileges were absent there)
- SeShutdownPrivilege
- SeRemoteShutdownPrivilege

Moving on to the Privilege Escalation phase.
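As an added example (not part of the original notes), the following Python parses captured `whoami /ALL` text like the output above and reports which groups the token can actually use, which are marked "deny only", and whether a Medium label combined with deny-only admin-equivalent groups points to the UAC-filtered token that the elevated run lifted. The sample text is constructed from the output above; `ADMIN_EQUIVALENT`, `assess_token` and `parse_whoami_all` are my own names.

```python
import re

# Constructed sample in the layout whoami /ALL printed above (abbreviated).
SAMPLE = r"""GROUP INFORMATION
BUILTIN\Users                              Alias  S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators                   Alias  S-1-5-32-549 Group used for deny only
HAERO\Tier1-Admins                         Group  S-1-5-21-3227296914-974780204-1325941497-1141 Mandatory group, Enabled by default, Enabled group
HAERO\WSUS Administrators                  Alias  S-1-5-21-3227296914-974780204-1325941497-1103 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level     Label  S-1-16-8192
PRIVILEGES INFORMATION
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
"""

# Integrity-level SIDs carried on the "Mandatory Label" line of the token.
INTEGRITY = {"S-1-16-4096": "Low", "S-1-16-8192": "Medium",
             "S-1-16-12288": "High", "S-1-16-16384": "System"}
# Built-in groups whose membership is admin-equivalent on a domain controller.
ADMIN_EQUIVALENT = {"Administrators", "Server Operators", "Backup Operators", "Account Operators"}
GROUP_RE = re.compile(r"^(?P<name>.+?)\s+(?P<type>Well-known group|Alias|Group|Label)"
                      r"\s+(?P<sid>S-1-[\d-]+)\s*(?P<attrs>.*)$")
PRIV_RE = re.compile(r"^(?P<priv>Se\w+Privilege)\s+.*?\s+(?P<state>Enabled|Disabled)\s*$")

def parse_whoami_all(text):
    # Returns (group rows, {privilege: state}); section headers never match either regex.
    groups, privs = [], {}
    for line in text.splitlines():
        if m := GROUP_RE.match(line.strip()):
            groups.append(m.groupdict())
        elif m := PRIV_RE.match(line.strip()):
            privs[m["priv"]] = m["state"]
    return groups, privs

def assess_token(text):
    # Summarise what the token can use now and whether UAC filtering hides admin groups.
    groups, privs = parse_whoami_all(text)
    short = lambda g: g["name"].split("\\")[-1]          # drop the domain/BUILTIN prefix
    label = next((g["sid"] for g in groups if g["type"] == "Label"), None)
    deny_only = {short(g) for g in groups if "deny only" in g["attrs"]}
    active = {short(g) for g in groups if "Enabled group" in g["attrs"]}
    return {
        "integrity": INTEGRITY.get(label, "Unknown"),
        "deny_only": sorted(deny_only),
        "admin_equivalent_active": sorted(active & ADMIN_EQUIVALENT),
        "enabled_privileges": sorted(p for p, s in privs.items() if s == "Enabled"),
        # Medium label plus admin-equivalent groups marked deny-only is the UAC-filtered token.
        "uac_filtered": INTEGRITY.get(label) == "Medium"
                        and bool(deny_only & ADMIN_EQUIVALENT),
    }
```

Running `assess_token(SAMPLE)` flags Server Operators as deny-only under a Medium label, which is exactly the gap between the two whoami runs described above.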
FindDomainShare
```
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ KRB5CCNAME=molly.smith@dc.hokkaido-aerospace.com.ccache FindDomainShare HOKKAIDO-AEROSPACE.COM/molly.smith@dc.hokkaido-aerospace.com -k -no-pass -dc-ip $IP -dc-host dc.hokkaido-aerospace.com -check-access -check-admin
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Starting domain share enumeration at 2025-04-25 22:02:11
[*] Connecting to LDAP at dc.hokkaido-aerospace.com
[*] LDAPS connection successful
[*] Found 2 computers in the domain
[*] No accessible shares found on LANSWEEPER
[*] Admin access confirmed on dc.hokkaido-aerospace.com
[*] Found 9 shares on dc.hokkaido-aerospace.com
[*] Enumeration completed in 0:00:03.590670. Found 9 shares.

Found 9 shares:
----------------------------------------------------------------------------------------------------
Computer                  Share           Type             Admin Read Write OS                  Remark
----------------------------------------------------------------------------------------------------
dc.hokkaido-aerospace.com ADMIN$          Unknown (Hidden) Yes   Yes  No    Windows Server 2022 Remote Admin
dc.hokkaido-aerospace.com C$              Unknown (Hidden) Yes   Yes  No    Windows Server 2022 Default share
dc.hokkaido-aerospace.com homes           Unknown          Yes   Yes  Yes   Windows Server 2022 user homes
dc.hokkaido-aerospace.com IPC$            Disk (Hidden)    Yes   Yes  No    Windows Server 2022 Remote IPC
dc.hokkaido-aerospace.com NETLOGON        Unknown          Yes   Yes  No    Windows Server 2022 Logon server share
dc.hokkaido-aerospace.com SYSVOL          Unknown          Yes   Yes  No    Windows Server 2022 Logon server share
dc.hokkaido-aerospace.com UpdateServicesP Unknown          Yes   Yes  Yes   Windows Server 2022 A network share to be used
dc.hokkaido-aerospace.com WsusContent     Unknown          Yes   Yes  Yes   Windows Server 2022 A network share to be used
dc.hokkaido-aerospace.com WSUSTemp        Unknown          Yes   Yes  Yes   Windows Server 2022 A network share used by Lo
```
admin