nerdexam
EC-Council

312-50V11 · Question #714

Matthew, a black hat, has managed to open a meterpreter session to one of the kiosk machines in Evil Corp's lobby. He checks his current SID, which is S-1-5-21-1223352397-1872883824- 861252104-501. Wh

The correct answer is B. He must perform privilege escalation.. A Windows SID ending in 501 identifies the built-in Guest account, not an administrator. Matthew must escalate privileges to gain admin access.

System Hacking

Question

Matthew, a black hat, has managed to open a meterpreter session to one of the kiosk machines in Evil Corp's lobby. He checks his current SID, which is S-1-5-21-1223352397-1872883824- 861252104-501. What needs to happen before Matthew has full administrator access?

Options

  • AHe needs to gain physical access.
  • BHe must perform privilege escalation.
  • CHe already has admin privileges, as shown by the "501" at the end of the SID.
  • DHe needs to disable antivirus protection.

How the community answered

(28 responses)
  • A
    4% (1)
  • B
    71% (20)
  • C
    14% (4)
  • D
    11% (3)

Why each option

A Windows SID ending in 501 identifies the built-in Guest account, not an administrator. Matthew must escalate privileges to gain admin access.

AHe needs to gain physical access.

Physical access to the machine is irrelevant because Matthew already has a remote Meterpreter session established.

BHe must perform privilege escalation.Correct

The Relative Identifier (RID) at the end of a Windows SID determines the account type: RID 500 is the built-in Administrator, and RID 501 is the built-in Guest account. Because Matthew's SID ends in 501, he is operating as a low-privileged Guest. He must perform privilege escalation - such as exploiting a local vulnerability or token impersonation via Meterpreter's 'getsystem' - to obtain SYSTEM or Administrator-level access.

CHe already has admin privileges, as shown by the "501" at the end of the SID.

RID 501 identifies the built-in Guest account, which has minimal privileges; RID 500 is the built-in Administrator account.

DHe needs to disable antivirus protection.

Disabling antivirus may help avoid detection but does not grant elevated OS privileges.

Concept tested: Windows SID RID values and privilege escalation

Source: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers

Topics

#privilege escalation#Windows SID#meterpreter#post-exploitation

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice