Hello,
Currently I am stuck at the last question of the AD LDAP skills assessment:
“What non-default privilege does the htb-student user have?”
Whoami /priv just gives me two standard privileges, which are not what we are looking for in this case.
As I understood so far, there is no straightforward way to enumerate all privileges assigned to one domain user using PowerShell cmdlets, such as PowerView.
Sysinternals’ AccessChk.exe also provides no help, since Admin rights are needed for privilege listing.
Also BloodHound did not find any interesting privilege…
Can somebody enlighten me on this question?
Many thanks!
2 Likes
I was able to figure it out:
The correct command is indeed whoami /priv. However, this has to be run from an elevated shell.
Opening a cmd shell with Admin privileges does not work on that machine most of the time. I had to re-start two times and then I was finally able to retrieve the extended privilege set.
2 Likes
I’m stuck here too. How did you elevate your privileges with this htb-student user account? It doesn’t have permission to start an elevated command prompt. Thanks
1 Like
Please see my comment above. Restart the target one or more times, then you can open the Admin Shell as HTB-Student.
1 Like
Thank you! My first try didn’t work, but the second try worked. It was weird. I had to restart two times.
1 Like
Same here! Restarted the box and I could open PowerShell as admin and BOOM.
I tried to PrivEsc, but this box is locked down pretty good.
If anybody could escalate to admin privs, please let me know!
I think it is kind of weird that htb-user is allowed to open PowerShell as admin when it is not a local admin!
John
Christ on a crutch! I spent so much time before reading this… Thank you! I was losing my mind.
You don’t need an escalated PowerShell. There’s a reason why there’s a file on the desktop. It will help determine the extra privilege.
1 Like
I’m stuck here. I’ve restarted the box several times, opened PowerShell as admin, entered the password, and run whoami /priv, but don’t see any other privileges.
Where am I going wrong?
I also tried as another user using the creds on the desktop, but this wouldn’t work.
Any pointers? Thank you
This platform is really starting to get on my nerves with this junk.
Hi guys,
I found that there’s no need to restart the box until it’s possible to open an elevated shell.
Simply open PowerShell, import PowerView and run
(Get-DomainPolicy).PrivilegeRights
should do the trick
1 Like
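Added example, not part of any post in this thread: user rights assigned through Group Policy are stored in the [Privilege Rights] section of a GPO's GptTmpl.inf security template in SYSVOL, which is why they can be read without an elevated token. The sketch below parses that section from a constructed sample and lists assignments to holders outside the built-in groups; the function name, sample SIDs and the filter are assumptions for illustration.

```powershell
# Constructed sample of a GptTmpl.inf file; the SIDs and assignments are made up.
# On a domain the real file sits under (placeholders, not values from this thread):
# \\<domain>\SYSVOL\<domain>\Policies\<GPO-GUID>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
$sampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1104
SeShutdownPrivilege = *S-1-5-32-544,exampleuser
[Version]
signature="$CHICAGO$"
'@

# Hypothetical helper: emits one object per (privilege, holder) pair.
function Get-PrivilegeRightsFromInf {
    param([Parameter(Mandatory)][string]$InfText)
    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Track whether we are inside the section of interest.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $privilege = $Matches[1]
            foreach ($holder in ($Matches[2] -split ',')) {
                # SIDs are written with a leading '*'; account names are not.
                $holder = $holder.Trim().TrimStart('*')
                if ($holder) {
                    [pscustomobject]@{ Privilege = $privilege; Holder = $holder }
                }
            }
        }
    }
}

# Heuristic filter: holders that are not BUILTIN groups (S-1-5-32-*) are the
# assignments worth reviewing as non-default.
Get-PrivilegeRightsFromInf -InfText $sampleInf |
    Where-Object { $_.Holder -notmatch '^S-1-5-32-' } |
    Format-Table -AutoSize
```

On the sample this leaves two rows: SeLoadDriverPrivilege for the domain SID ending in -1104 and SeShutdownPrivilege for exampleuser.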