13. Reuse Administrator Credentials

Last updated 24 days ago

Now that you’ve found plaintext credentials for the administrator user (d0m@in_c0ntr0ll3r), you can log in with full SYSTEM-level control.

🛠 Command to connect using WinRM:

evil-winrm -i 192.168.10.4 -u 'administrator' -p 'd0m@in_c0ntr0ll3r'

🔎 After login:

  • Run whoami → should return nt authority\system or megachange\administrator

  • Run hostname → confirms the machine name

⚠️ Important: You now have full domain control. Be careful not to alter or break anything unless that’s part of your objective.

This is usually the final step in an Active Directory privilege escalation path.
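From the defender's side, this step is visible in the logs: the evil-winrm session produces a Security 4624 network logon (LogonType 3) for the administrator account, and every command typed in the shell is spawned by the WinRM host process wsmprovhost.exe, which Sysmon event 1 records with the same LogonId. The script below is an added detection example, not part of the lab; the event records, the attacker IP and the "approved jump host" address are constructed for illustration.

```python
# Added detection example: correlate a network logon of the built-in
# administrator over WinRM with the child processes it spawns.
# All records below are constructed for illustration, not real log data.
from collections import defaultdict

# Assumed list of hosts from which admin WinRM logons are expected (not on the page).
ALLOWED_ADMIN_SOURCES = {"192.168.10.50"}

# Constructed Security (4624) and Sysmon (1) records; field names follow the
# Windows event schema (TargetLogonId in 4624, LogonId in Sysmon event 1).
EVENTS = [
    {"src": "Security", "EventID": 4624, "TargetUserName": "administrator",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "192.168.10.7", "TargetLogonId": "0x3e7a1"},
    {"src": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": "cmd.exe /c whoami", "LogonId": "0x3e7a1"},
    {"src": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": "cmd.exe /c hostname", "LogonId": "0x3e7a1"},
    {"src": "Security", "EventID": 4624, "TargetUserName": "administrator",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "192.168.10.50", "TargetLogonId": "0x4b100"},
]

def suspicious_winrm_logons(events, allowed=ALLOWED_ADMIN_SOURCES):
    """Return (logon_id, source_ip, [command lines]) for network logons of the
    administrator account from a non-approved source that went on to run
    commands under the WinRM host process."""
    logons = {}
    for e in events:
        if (e["src"] == "Security" and e["EventID"] == 4624
                and e["LogonType"] == 3
                and e["TargetUserName"].lower() == "administrator"
                and e["IpAddress"] not in allowed):
            logons[e["TargetLogonId"]] = e["IpAddress"]
    children = defaultdict(list)
    for e in events:
        if (e["src"] == "Sysmon" and e["EventID"] == 1
                and e["ParentImage"].lower().endswith("\\wsmprovhost.exe")):
            children[e["LogonId"]].append(e["CommandLine"])
    return [(lid, ip, children[lid]) for lid, ip in logons.items() if children[lid]]

if __name__ == "__main__":
    for lid, ip, cmds in suspicious_winrm_logons(EVENTS):
        print(f"logon {lid} from {ip} ran via WinRM: {cmds}")
```

In a real deployment the same correlation can be expressed as a Wazuh or Sigma rule; the logon from the approved jump host is deliberately left out of the result so that routine administration does not alert.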