nerdexam
EC-Council

312-50V10 · Question #714

Matthew, a black hat, has managed to open a meterpreter session to one of the kiosk machines in Evil Corp's lobby. He checks his current SID, which is S-1-5-21-1223352397-1872883824- 861252104-501. Wh

The correct answer is B. He must perform privilege escalation.. This question tests knowledge of Windows Security Identifier (SID) structure, specifically how the Relative Identifier (RID) suffix indicates account privileges.

System Hacking

Question

Matthew, a black hat, has managed to open a meterpreter session to one of the kiosk machines in Evil Corp's lobby. He checks his current SID, which is S-1-5-21-1223352397-1872883824- 861252104-501. What needs to happen before Matthew has full administrator access?

Options

  • AHe needs to gain physical access.
  • BHe must perform privilege escalation.
  • CHe already has admin privileges, as shown by the "501" at the end of the SID.
  • DHe needs to disable antivirus protection.

How the community answered

(17 responses)
  • A
    12% (2)
  • B
    65% (11)
  • C
    18% (3)
  • D
    6% (1)

Why each option

This question tests knowledge of Windows Security Identifier (SID) structure, specifically how the Relative Identifier (RID) suffix indicates account privileges.

AHe needs to gain physical access.

Matthew already has remote code execution via the Meterpreter session, so physical access is not a prerequisite and would not by itself grant higher operating system privileges.

BHe must perform privilege escalation.Correct

In Windows, the final component of a SID is the Relative Identifier (RID). RID 500 is the built-in Administrator account and RID 501 is the built-in Guest account, which has severely limited privileges by default. Since Matthew's SID ends in 501, he is operating as a Guest - a low-privilege account - and must perform privilege escalation to gain Administrator or SYSTEM-level access needed for full control of the machine.

CHe already has admin privileges, as shown by the "501" at the end of the SID.

RID 501 specifically identifies the Guest account, not an administrator - the built-in Administrator account carries RID 500, making this statement factually incorrect.

DHe needs to disable antivirus protection.

Disabling antivirus may help avoid detection but is not a required prerequisite to privilege escalation and does not itself grant elevated access rights.

Concept tested: Windows SID structure and RID-based privilege identification

Source: https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers

Topics

#privilege escalation#Windows SID#Meterpreter#access control

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice