nerdexam
EC-Council

312-50V13 · Question #169

Matthew, a black hat, has managed to open a meterpreter session to one of the kiosk machines in Evil Corp's lobby. He checks his current SID, which is S-1-5-21-1223352397-1872883824- 861252104- 501. W

The correct answer is A. He must perform privilege escalation.. A Security Identifier (SID) ending in -501 denotes a guest account, requiring privilege escalation to achieve full administrator access.

Submitted by ashley.k· Mar 6, 2026System Hacking

Question

Matthew, a black hat, has managed to open a meterpreter session to one of the kiosk machines in Evil Corp's lobby. He checks his current SID, which is S-1-5-21-1223352397-1872883824- 861252104- 501. What needs to happen before Matthew has full administrator access?

Options

  • AHe must perform privilege escalation.
  • BHe needs to disable antivirus protection.
  • CHe needs to gain physical access.
  • DHe already has admin privileges, as shown by the "501" at the end of the SID.

How the community answered

(23 responses)
  • A
    91% (21)
  • C
    4% (1)
  • D
    4% (1)

Why each option

A Security Identifier (SID) ending in -501 denotes a guest account, requiring privilege escalation to achieve full administrator access.

AHe must perform privilege escalation.Correct

A Windows Security Identifier (SID) ending with '-501' (e.g., S-1-5-21-Domain-501) represents the built-in Guest account, which possesses very limited privileges. To gain full administrator access, Matthew would need to perform a privilege escalation attack to transition from the compromised guest account to an account with higher, administrative-level privileges.

BHe needs to disable antivirus protection.

Disabling antivirus protection might be a subsequent step to facilitate further malicious activities or prevent detection, but it is not the action that grants an attacker administrator privileges.

CHe needs to gain physical access.

Matthew already has a meterpreter session, implying remote access and command execution. While physical access can be beneficial for some attacks, it is not the immediate next step for privilege escalation when a remote shell is already established.

DHe already has admin privileges, as shown by the "501" at the end of the SID.

A SID ending in '-501' specifically identifies the Guest account, which has minimal privileges. The local administrator account's SID typically ends with '-500', indicating that Matthew does not currently possess administrator privileges.

Concept tested: Windows SIDs and privilege escalation

Source: https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids

Topics

#Privilege escalation#Meterpreter#Post-exploitation#Windows security

Community Discussion

No community discussion yet for this question.

Full 312-50V13 Practice