13. Reuse Administrator Credentials

Now that you’ve found plaintext credentials for the administrator user (d0m@in_c0ntr0ll3r), you can log in with full SYSTEM-level control.

🛠 Command to connect using WinRM:

evil-winrm -i 192.168.10.4 -u 'administrator' -p 'd0m@in_c0ntr0ll3r'

🔎 After login:

  • Run whoami → should return nt authority\system or megachange\administrator

  • Run hostname → confirms the machine name

⚠️ Important: You now have full domain control. Be careful not to alter or break anything unless that’s part of your objective.

This is usually the final step in an Active Directory privilege escalation path.
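From the defender's side, the session opened above shows up on the domain controller as a network logon (Security event 4624, logon type 3) for the Administrator account from an address that is not a known admin host. The following detection logic is an added example, not part of the original walkthrough; the event records and the allowlisted admin source address are constructed, and the field names follow the 4624 event's own XML field names (TargetUserName, TargetDomainName, LogonType, IpAddress).

```python
"""Flag network logons by privileged accounts that do not originate from
an approved admin host. Added detection example, not part of the original
walkthrough; events below are constructed in the shape of Windows Security
event 4624 fields."""
import ipaddress

# Accounts whose remote use should always come from a known admin host.
PRIVILEGED_ACCOUNTS = {"administrator"}
# Hosts from which admin WinRM sessions are expected (assumed value).
ALLOWED_ADMIN_SOURCES = {ipaddress.ip_address("192.168.10.50")}

# Constructed sample events: a normal user logon, an expected admin logon,
# an admin logon from an unexpected client, and a console logon.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "TargetDomainName": "MEGACHANGE",
     "LogonType": 3, "IpAddress": "192.168.10.77"},
    {"EventID": 4624, "TargetUserName": "Administrator", "TargetDomainName": "MEGACHANGE",
     "LogonType": 3, "IpAddress": "192.168.10.50"},
    {"EventID": 4624, "TargetUserName": "Administrator", "TargetDomainName": "MEGACHANGE",
     "LogonType": 3, "IpAddress": "192.168.10.200"},
    {"EventID": 4624, "TargetUserName": "Administrator", "TargetDomainName": "MEGACHANGE",
     "LogonType": 2, "IpAddress": "-"},  # interactive console logon, out of scope here
]

def is_suspicious(event):
    """True for a network logon (type 3, which is how WinRM sessions appear)
    by a privileged account from an address outside the approved admin sources."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return False
    if event.get("TargetUserName", "").lower() not in PRIVILEGED_ACCOUNTS:
        return False
    try:
        src = ipaddress.ip_address(event.get("IpAddress", ""))
    except ValueError:
        return True  # "-" or a malformed source on a network logon is itself worth a look
    return src not in ALLOWED_ADMIN_SOURCES

def find_suspicious_logons(events):
    """Return (DOMAIN\\user, source address) pairs that should raise an alert."""
    return [(f"{e['TargetDomainName']}\\{e['TargetUserName']}", e["IpAddress"])
            for e in events if is_suspicious(e)]

if __name__ == "__main__":
    for who, src in find_suspicious_logons(SAMPLE_EVENTS):
        print(f"ALERT: privileged network logon {who} from {src}")
```

In a real deployment the same rule is usually paired with event 4672 (special privileges assigned to new logon) and an allowlist maintained from the jump-host inventory rather than a hard-coded set.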
