When we obtain administrator credentials in a Windows environment, it’s very common to check if we get the classic Pwn3d! from CrackMapExec to verify whether we can execute commands and obtain a shell.
Post I recommend reading:
However, it can happen that we have administrator credentials but don’t have the ability to execute commands. This can be due to LocalAccountTokenFilterPolicy.
Example:
The user “sikumy” is in the “Administrators” group, but:
We don’t get the famous Pwn3d!, therefore, we cannot execute commands.
So, what is LocalAccountTokenFilterPolicy and how does it affect us?
Simply put, LocalAccountTokenFilterPolicy is a filter that prevents elevated privileges from being used over the network. This only applies to local administrative accounts, it doesn’t affect domain accounts. Because of this restriction, we cannot make use of the account’s privileges over the network, and therefore, obtain the Pwn3d! and execute commands.
To disable LocalAccountTokenFilterPolicy, we need to modify the following registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
Specifically, the value named “LocalAccountTokenFilterPolicy”. If that registry is 0, it means it’s enabled, if it’s 1, the opposite. We want it to be 1. We can change its value using the following command:
cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
Now, if we go back to CrackMapExec:
We get the Pwn3d!, thanks to having disabled this restriction. So now we can execute commands and do whatever we want.