Privileges
A privileged account (such as Administrator on Windows systems or root on Linux systems) allows a user to access any file on the system and make any change they need. The best practice is to always work from an account with the lowest privilege needed (least privilege) and grant additional access only when required.
On a typical Windows server, there are different account types:
- Domain Administrators: This is typically the highest account level you will find in an enterprise along with Enterprise Administrators. An account with this level of privilege can manage all accounts of the organization, their access levels, and almost anything you can think of. A “domain” is a central registry used to manage all users and computers within the organization.
- Services: Accounts used by software to perform their tasks such as back-ups or antivirus scans.
- Domain users: Accounts typically used by employees. These should have just enough privileges to do their daily jobs. For example, a system administrator may restrict a user’s ability to install and uninstall software.
- Local accounts: These accounts are only valid on the local system and cannot be used across the domain.
Accounts can be easily managed with groups. For example, an account can be created as a regular user and later added to the Domain Administrators group, giving it Domain Administrator privileges.
Initial Information Gathering
A few key points in enumeration are as follows:
- Users on the target system: the `net users` command will list the users on the target system.
- OS version: the `systeminfo | findstr /B /C:"OS Name" /C:"OS Version"` command will output the operating system name and version. Use this to research whether a known privilege escalation vulnerability exists for that version.
- Installed services: the `wmic service list` command will list the services installed on the target system.
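As an added example (not code from the original write-up), the same three checks as one PowerShell function, written from the defender's side to audit a host against the least-privilege rule above: it also reports who holds local Administrators membership and which account each service runs as. It assumes Windows 10 / Server 2016 or later, where the `Microsoft.PowerShell.LocalAccounts` cmdlets are available.

```powershell
# Added example, not part of the original page. Collects the items the
# write-up enumerates with net users, systeminfo and wmic, plus two
# least-privilege checks (local Administrators membership, service accounts).
# Assumes Windows 10 / Server 2016+ (Get-LocalUser / Get-LocalGroupMember).

function Get-HostPrivilegeSummary {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Equivalent of: systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
    $osInfo = [pscustomobject]@{
        Name    = $os.Caption
        Version = $os.Version
        Build   = $os.BuildNumber
    }

    # Equivalent of: net users (adds whether each account is enabled)
    $users = Get-LocalUser | Select-Object Name, Enabled, LastLogon

    # Least-privilege check: every member of the local Administrators group
    # has full control of this host, so each entry should be justified.
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource

    # Equivalent of: wmic service list (adds the account each service runs as)
    $services = Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, State, StartMode, StartName, PathName

    # Services running as LocalSystem carry the highest local privilege;
    # count them so the reviewer can ask whether each one really needs it.
    $asSystem = @($services | Where-Object { $_.StartName -eq 'LocalSystem' })

    [pscustomobject]@{
        OperatingSystem      = $osInfo
        Users                = $users
        LocalAdministrators  = $admins
        Services             = $services
        RunningAsLocalSystem = $asSystem.Count
    }
}

# Usage: print the OS details, the admin group membership and running services.
$summary = Get-HostPrivilegeSummary
$summary.OperatingSystem | Format-List
$summary.LocalAdministrators | Format-Table -AutoSize
$summary.Services | Where-Object State -eq 'Running' |
    Format-Table Name, StartName -AutoSize
"Services running as LocalSystem: $($summary.RunningAsLocalSystem)"
```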
This exercise took ~30 min to complete, but definitely time well spent.