312-50V13 · Question #169
Matthew, a black hat, has managed to open a meterpreter session to one of the kiosk machines in Evil Corp's lobby. He checks his current SID, which is S-1-5-21-1223352397-1872883824- 861252104- 501. W
The correct answer is A. He must perform privilege escalation.. A Security Identifier (SID) ending in -501 denotes a guest account, requiring privilege escalation to achieve full administrator access.
Question
Options
- AHe must perform privilege escalation.
- BHe needs to disable antivirus protection.
- CHe needs to gain physical access.
- DHe already has admin privileges, as shown by the "501" at the end of the SID.
How the community answered
(23 responses)- A91% (21)
- C4% (1)
- D4% (1)
Why each option
A Security Identifier (SID) ending in -501 denotes a guest account, requiring privilege escalation to achieve full administrator access.
A Windows Security Identifier (SID) ending with '-501' (e.g., S-1-5-21-Domain-501) represents the built-in Guest account, which possesses very limited privileges. To gain full administrator access, Matthew would need to perform a privilege escalation attack to transition from the compromised guest account to an account with higher, administrative-level privileges.
Disabling antivirus protection might be a subsequent step to facilitate further malicious activities or prevent detection, but it is not the action that grants an attacker administrator privileges.
Matthew already has a meterpreter session, implying remote access and command execution. While physical access can be beneficial for some attacks, it is not the immediate next step for privilege escalation when a remote shell is already established.
A SID ending in '-501' specifically identifies the Guest account, which has minimal privileges. The local administrator account's SID typically ends with '-500', indicating that Matthew does not currently possess administrator privileges.
Concept tested: Windows SIDs and privilege escalation
Source: https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids
Topics
Community Discussion
No community discussion yet for this question.