nerdexam
EC-Council

312-50V13 · Question #169

312-50V13 Question #169: Real Exam Question with Answer & Explanation

The correct answer is A: He must perform privilege escalation. A Security Identifier (SID) ending in -501 denotes a guest account, requiring privilege escalation to achieve full administrator access.

Submitted by ashley.k · Mar 6, 2026 · System Hacking

Question

Matthew, a black hat, has managed to open a meterpreter session to one of the kiosk machines in Evil Corp's lobby. He checks his current SID, which is S-1-5-21-1223352397-1872883824-861252104-501. What needs to happen before Matthew has full administrator access?

Options

  • A. He must perform privilege escalation.
  • B. He needs to disable antivirus protection.
  • C. He needs to gain physical access.
  • D. He already has admin privileges, as shown by the "501" at the end of the SID.

Explanation

A Security Identifier (SID) ending in -501 denotes a guest account, requiring privilege escalation to achieve full administrator access.

Common mistakes.

  • B. Disabling antivirus protection might be a subsequent step to facilitate further malicious activities or prevent detection, but it is not the action that grants an attacker administrator privileges.
  • C. Matthew already has a meterpreter session, implying remote access and command execution. While physical access can be beneficial for some attacks, it is not the immediate next step for privilege escalation when a remote shell is already established.
  • D. A SID ending in '-501' specifically identifies the Guest account, which has minimal privileges. The local administrator account's SID typically ends with '-500', so Matthew does not currently possess administrator privileges.

Concept tested. Windows SIDs and privilege escalation

Reference. https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids

Topics

#Privilege escalation #Meterpreter #Post-exploitation #Windows security
