Active Directory LDAP - Skills Assessment

Hello,

Currently I am stuck at the last question of the AD LDAP skills assessment:
“What non-default privilege does the htb-student user have?”

Whoami /priv just gives me two standard privileges which are not what we are looking for in this case.
As I understood so far, there is no straightforward way to enumerate all privileges assigned to one domain user using Powershell cmdlets, such as Powerview.
Sysinternal’s AccessChk.exe also provides no help, since Admin rights are needed for privilege listing.
Also Bloodhound did not find any interesting privilege…

Can somebody enlighten me on this question?
Many thanks!

1 Like

I was able to figure it out:

The correct command is indeed whoami /priv. However, this has to be run from an elevated shell.
Opening a cmd shell with Admin privileges does not work on that machine most of the time. I had to re-start two times and then I was finally able to retrieve the extended privilege set.

2 Likes

I’m stuck here too, how did you elevate your privileges with this htb-student user account? it doesn’t have permission to start an elevated command prompt. Thanks

1 Like

Please see my comment above. Restart the target one or more times, then you can open the Admin Shell as HTB-Student.

1 Like

Thank you! My first try didn’t work, but the second try worked. it was weird. I had to restart two times

1 Like

Same here! Restarted the box and I could open PowerShell as admin and BOOM.

I tried to PrivEsc,but this box is locked down pretty good.

If anybody could escalate to admin privs, please let me know!

I think it is kind of weird that htb-user is allowed to open PowerShell as admin when
it is not a local admin!

John

Christ on a crutch! I spent so much time before reading this… Thank you! I was loosing my mind.

You don’t need an escalated PowerShell. There’s a reason why there’s a file on the desktop. It will help determine the extra privilege.

I’m stuck here, Ive restarted the box several times, open PowerShall as admin. enter password, whoami /priv but dont see any other privileges.

Where am i going wrong?

I also tried as another use using the creds on the desktop, but this wouldnt work.

Any pointers? Thank you