spotless session - this requires knowing the user's password, which for this exercise is known, so let's enter it:

spotless session:

SYSTEM level privileges on the system.

Let's elevate to SYSTEM using psexec (privilege escalation exploits, service creation or any other technique will also do):

query user:

spotless session without getting requested for a password by using the native Windows binary tscon.exe that enables users to connect to other desktop sessions by specifying which session ID (2 in this case for the spotless session) should be connected to which session (console in this case, where the active administrator session originates from):

spotless:

tscon.exe being executed as a SYSTEM user is something you may want to investigate further to make sure this is not a lateral movement attempt:

event_data.LogonID and event_ids 4778 (logon) and 4779 (logoff) events can be used to figure out which desktop sessions got disconnected/reconnected:
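The two detection ideas above (tscon.exe running as SYSTEM, and 4778/4779 reconnect/disconnect events telling you which sessions changed hands) can be turned into simple correlation logic. The script below is an added example written for this page, not code from the original post. It runs over a handful of constructed, winlogbeat-style records: Security 4688 process-creation events and 4778/4779 session events. The record layout (a top-level event_id plus an event_data dictionary) and the sample values are assumptions for illustration; the event_data field names (SubjectUserName, NewProcessName, AccountName, LogonID, SessionName, ClientName) match the Windows Security log fields for those event IDs.

```python
"""Correlate SYSTEM-level tscon.exe executions with RDP session reconnects.

Added example: event layout and sample data are constructed for illustration.
"""
from datetime import datetime, timedelta
import ntpath

# Constructed sample events (not real log data). Timestamps are ISO 8601.
SAMPLE_EVENTS = [
    {"timestamp": "2021-01-01T09:30:00", "event_id": 4688,
     "event_data": {"SubjectUserName": "admin",
                    "NewProcessName": "C:\\Windows\\System32\\notepad.exe"}},
    # 4779: the spotless RDP session is disconnected.
    {"timestamp": "2021-01-01T10:00:00", "event_id": 4779,
     "event_data": {"AccountName": "spotless", "LogonID": "0x3e7a1",
                    "SessionName": "RDP-Tcp#2", "ClientName": "WS01"}},
    # 4688: tscon.exe started by SYSTEM (the signal the page says to investigate).
    {"timestamp": "2021-01-01T10:02:10", "event_id": 4688,
     "event_data": {"SubjectUserName": "SYSTEM",
                    "NewProcessName": "C:\\Windows\\System32\\tscon.exe"}},
    # 4778: the same session is reconnected seconds later.
    {"timestamp": "2021-01-01T10:02:12", "event_id": 4778,
     "event_data": {"AccountName": "spotless", "LogonID": "0x3e7a1",
                    "SessionName": "RDP-Tcp#2", "ClientName": "SRV01"}},
    # Benign disconnect with no SYSTEM tscon.exe nearby.
    {"timestamp": "2021-01-01T11:00:00", "event_id": 4779,
     "event_data": {"AccountName": "admin", "LogonID": "0x5c2d0",
                    "SessionName": "RDP-Tcp#0", "ClientName": "WS02"}},
]


def parse_ts(value):
    """Parse the ISO 8601 timestamp used in the sample records."""
    return datetime.fromisoformat(value)


def is_system_tscon(event):
    """True for a 4688 event where tscon.exe was started by a SYSTEM account."""
    if event.get("event_id") != 4688:
        return False
    data = event.get("event_data", {})
    image = ntpath.basename(data.get("NewProcessName", "")).lower()
    user = data.get("SubjectUserName", "").upper()
    # Accept both "SYSTEM" and "NT AUTHORITY\SYSTEM" style values.
    return image == "tscon.exe" and user.endswith("SYSTEM")


def find_system_tscon(events):
    """Return every SYSTEM-level tscon.exe process-creation event."""
    return [e for e in events if is_system_tscon(e)]


def session_timeline(events):
    """Build a per-session list of disconnect (4779) / reconnect (4778) steps."""
    timeline = {}
    for e in sorted(events, key=lambda x: parse_ts(x["timestamp"])):
        if e.get("event_id") not in (4778, 4779):
            continue
        d = e["event_data"]
        kind = "reconnect" if e["event_id"] == 4778 else "disconnect"
        timeline.setdefault(d.get("SessionName", "?"), []).append({
            "time": e["timestamp"], "kind": kind,
            "account": d.get("AccountName"), "logon_id": d.get("LogonID"),
            "client": d.get("ClientName"),
        })
    return timeline


def correlate(events, window_seconds=300):
    """Flag 4778 reconnects that follow a SYSTEM tscon.exe start within a window."""
    alerts = []
    reconnects = [e for e in events if e.get("event_id") == 4778]
    for t in find_system_tscon(events):
        t_time = parse_ts(t["timestamp"])
        for r in reconnects:
            delta = parse_ts(r["timestamp"]) - t_time
            if timedelta(0) <= delta <= timedelta(seconds=window_seconds):
                d = r["event_data"]
                alerts.append({
                    "tscon_time": t["timestamp"],
                    "reconnect_time": r["timestamp"],
                    "session": d.get("SessionName"),
                    "account": d.get("AccountName"),
                    "logon_id": d.get("LogonID"),
                    "client": d.get("ClientName"),
                })
    return alerts


if __name__ == "__main__":
    for name, steps in session_timeline(SAMPLE_EVENTS).items():
        print(name, [f"{s['kind']}@{s['time']} ({s['account']})" for s in steps])
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT: session", alert["session"], "reconnected for",
              alert["account"], "after SYSTEM tscon.exe at", alert["tscon_time"])
```

The timeline alone only tells you which sessions were disconnected and reconnected; the alert worth triaging is the combination of a SYSTEM-owned tscon.exe start followed shortly by a 4778 for a session whose owner did not initiate it, so the window size should be tuned to how quickly those two events land in your pipeline.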