Windows on edermi's Bloghttps://edermi.github.io/tags/windows/Recent content in Windows on edermi's BlogHugoen-usMon, 02 Mar 2026 21:55:17 +0100Abusing accounts that already changed their passwordhttps://edermi.github.io/post/2020/abusing_accounts_that_changed_passwords/Sun, 23 Feb 2020 00:00:00 +0000https://edermi.github.io/post/2020/abusing_accounts_that_changed_passwords/<p><em><strong>TL;DR</strong></em>: <em>In some circumstances, you may find usable Kerberos TGTs on a system you compromised - these allow you to impersonate a user that already changed its password (e.g. because the user got suspicious or a PAM solution is in place).</em></p> <h1 id="intro">Intro</h1> <p>On a recent project, I was tasked with the usual goal: Start from the ground and find a way to take over the company - in the end, if possible, somehow become Domain Admin. Getting started was tough, but after some time I got my hands on a few admin accounts and had a way to take control of the Domain Admins - but the way involved resetting the password of a service account. Unless I do not have a very good reason to perform the password change or the explicit &ldquo;Do it!&rdquo; from the customer, I prefer finding another way. Lurking for a few days on the machines I gained access so far, I discovered two accounts that logged on recently. They both provided a simpler way to become Domain Admin because they were allowed to write the Domain Admin group directly - Jackpot!</p>Passing the hash with native RDP client (mstsc.exe)https://edermi.github.io/post/2018/native_rdp_pass_the_hash/Sun, 06 May 2018 00:00:00 +0000https://edermi.github.io/post/2018/native_rdp_pass_the_hash/<p><em><strong>TL;DR:</strong> If the remote server allows Restricted Admin login, it is possible to login via RDP by passing the hash using the native Windows RDP client <code>mstsc.exe</code>. (You&rsquo;ll need mimikatz or something else to inject the hash into the process)</em></p> <p>On engagements it is usually only a matter of time to get your hands on NTLM hashes. These can usually be directly used to authenticate against other services / machines and enable lateral movement. Powershell / PSExec, SMB and WMI are usual targets to pass the hash to, but it is also possible to use it to establish a RDP session on a remote host. Searching the Internet on how to do this unfortunately always leads to <a href="https://www.kali.org/penetration-testing/passing-hash-remote-desktop/">using xfreerdp</a>, but I wasn&rsquo;t able to find anything on the Internet regarding how to do this directly using the provided RDP client <code>mstsc.exe</code>, so I had to find out on my own.</p>Windows 10 Installationsimage unter Linux auf USB Stick installierenhttps://edermi.github.io/post/2015/windows-10-auf-usb-unter-linux/Mon, 25 May 2015 00:00:00 +0000https://edermi.github.io/post/2015/windows-10-auf-usb-unter-linux/<p>Ich wollte mir mal Windows 10 außerhalb einer virtuellen Umgebung anschauen - mein Laptop hat leider kein DVD-Laufwerk, weswegen ich die Installation vom USB-Stick durchführen muss. Prinzipiell ist das meiner Meinung nach sowieso immer der way-to-go, da man den Stick wiederverwenden kann und alles sowieso schneller geht als von der DVD. Bei iso-Dateien von Linux-Distributionen hat bisher immer ein <code>dd</code> gereicht um die Images bootbar auf den USB-Stick zu verfrachten. Wie sich heraus stellt ist das bei Windows etwas mehr Arbeit, weswegen ich diesen Post schreibe falls andere ähnliche Probleme haben.</p>