Common Pitfalls

Windows Token Pitfalls (OSCP-Relevant)

When something “should work but doesn’t,” the reason usually comes down to tokens, logon types, and session reuse.


1. Group Membership ≠ Token Update (Logoff Required)

Symptom

  • Added to a group
  • Access still denied
  • Privileges missing
  • Local admin actions fail

Why

  • Group membership is evaluated at logon
  • Existing access token is not refreshed

Fix

  • Log out and log back in, or
  • Start a new logon session (new RDP / WinRM / SMB connection)

Closing a shell is not enough if the logon session persists.


2. Network Logon vs Interactive Logon

Not all logons produce the same token.

Logon Type    Example                  Token
Interactive   RDP / Console            Full
Network       SMB, PsExec (default)    Limited
Batch         Scheduled tasks          Limited
Service       Windows services         Service token

Common OSCP Pitfall

  • Added to Administrators
  • Still denied when using PsExec or SMB

Why

  • Network logon ≠ full interactive token

Fix

  • RDP into the host
  • Use WinRM / PowerShell Remoting
  • Explicitly request interactive execution

3. UAC Filtering (Local Admin ≠ Elevated)

Symptom

  • In Administrators
  • whoami /groups shows admin
  • Admin actions still fail

Why

  • UAC creates:
    • Filtered token (default)
    • Elevated token (on approval)

Fix

  • Spawn elevated shell
  • RDP and “Run as administrator”
  • Disable UAC (rare in OSCP)

OSCP Nuance

  • Local admin ≠ SYSTEM
  • Local admin ≠ domain admin
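Pitfalls 1 to 3 all look the same from the shell (“I’m in Administrators but it fails”), so the useful first step is to read the live token instead of guessing. The following PowerShell is an added example written for these notes, not part of the original page or of any tool it mentions. It classifies the current token as stale (group on disk but not in the token), UAC-filtered (group present but marked deny-only) or enabled, and reports the logon type of the session the token belongs to. It assumes an English-locale Windows 10 / Server 2016 or later with the built-in whoami.exe and klist.exe and the Microsoft.PowerShell.LocalAccounts module; the group and SID defaults are just the ones the notes talk about.

```powershell
# Added example (not from the original notes): read-only token diagnostic.
# Run it in the exact shell that is "denied" to see why.

function Get-TokenState {
    [CmdletBinding()]
    param(
        # Well-known SID of BUILTIN\Administrators; any group SID can be passed.
        [string]$GroupSid       = 'S-1-5-32-544',
        [string]$LocalGroupName = 'Administrators'
    )

    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # 1. What the token actually carries. whoami reads the live token and
    #    reports "Group used for deny only" for groups UAC filtered out.
    $tokenGroups = whoami /groups /fo csv | ConvertFrom-Csv
    $entry = $tokenGroups | Where-Object { $_.SID -eq $GroupSid }

    # 2. What the SAM says on disk. Membership is only evaluated at logon, so
    #    this can be true while the token still lacks the group (pitfall 1).
    #    Direct membership only; nested domain groups are not expanded here.
    $isMemberOnDisk = $false
    try {
        $members = Get-LocalGroupMember -Group $LocalGroupName -ErrorAction Stop
        $isMemberOnDisk = [bool]($members | Where-Object { $_.SID.Value -eq $id.User.Value })
    } catch { }   # no such local group (e.g. on a DC) or cmdlet unavailable

    # 3. Logon type of the session this token belongs to (pitfall 2).
    #    klist prints "Current LogonId is 0:0x<hex>"; that LUID is what
    #    Win32_LogonSession stores as a decimal string in LogonId.
    #    Assumes the high part of the LUID is 0, which it is in practice.
    $logonType = 'unknown'
    $klistLine = klist 2>$null | Where-Object { $_ -match 'LogonId' } | Select-Object -First 1
    if ($klistLine -match '0x([0-9a-fA-F]+)') {
        $luid    = [Convert]::ToUInt64($Matches[1], 16).ToString()
        $session = Get-CimInstance Win32_LogonSession -Filter "LogonId = '$luid'"
        if ($session) {
            $logonType = switch ([int]$session.LogonType) {
                2       { 'Interactive' }
                3       { 'Network' }
                4       { 'Batch' }
                5       { 'Service' }
                9       { 'NewCredentials (runas /netonly)' }
                10      { 'RemoteInteractive (RDP)' }
                default { "Other ($_)" }
            }
        }
    }

    # 4. Classify. Deny-only means the group is there but UAC filtered it (pitfall 3).
    if (-not $entry -and $isMemberOnDisk) {
        $verdict = 'STALE token: group added after logon; log off and back on'
    } elseif (-not $entry) {
        $verdict = 'Not a member, in the token or on disk'
    } elseif ($entry.Attributes -like '*deny only*') {
        $verdict = 'UAC-FILTERED token: member, but this shell is not elevated'
    } else {
        $verdict = 'Group is enabled in this token'
    }
    $attributes = if ($entry) { $entry.Attributes } else { '' }

    [pscustomobject]@{
        User         = $id.Name
        LogonType    = $logonType
        MemberOnDisk = $isMemberOnDisk
        GroupInToken = [bool]$entry
        Attributes   = $attributes
        Verdict      = $verdict
    }
}

Get-TokenState | Format-List
```

Read the output top to bottom: a Network logon type with a stale or filtered verdict points at pitfall 2, a RemoteInteractive logon with a deny-only attribute points at pitfall 3, and MemberOnDisk true with GroupInToken false is pitfall 1.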

4. -Credential Bypasses Your Updated Token

Why It Matters

Using:

    -Credential DOMAIN\user

  • Creates a new logon session
  • Uses supplied credentials
  • Ignores your current token

If the credentials don’t reflect new group membership, privileges won’t apply.

Common Mistake

  • Add yourself to a group
  • Keep using -Credential
  • Privileges appear “broken”

Rule

After modifying your own rights, stop using -Credential.


5. Kerberos Tickets Don’t Auto-Update

Symptom

  • Group added
  • Still denied access to:
    • CIFS
    • LDAP
    • WinRM
    • SQL

Why

  • Kerberos tickets are issued at logon
  • Group SIDs are cached

Fix

  • Log out / log back in
  • Or purge tickets:

    klist purge

6. Impersonation Token ≠ Primary Token

Symptom

  • Some actions work
  • Others fail unexpectedly

Why

  • Impersonation tokens:
    • Can access resources
    • Cannot spawn fully privileged processes

OSCP Angle

  • JuicyPotato / PrintSpoofer may give SYSTEM
  • But nested actions can fail if token isn’t primary

Always Ask

Am I SYSTEM, or just impersonating SYSTEM?


7. Local Admin on DC ≠ Domain Admin

Why

  • Domain Controllers have no local accounts
  • “Local admin” ≠ domain admin
  • Many tools require DA explicitly

Symptom

  • Admin rights on DC
  • Cannot:
    • Modify domain objects
    • Perform DCSync

Fix

  • Domain Admin, or
  • Explicit replication rights
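Because replication is governed by extended rights on the domain naming context rather than by the DC’s Administrators group, the question “who can actually replicate (and therefore DCSync)?” is answered by the domain head’s ACL. The following PowerShell is an added audit example for these notes, not code from the original page: it lists every principal holding one of the three replication extended rights, or an ACE that covers all extended rights, so a defender can compare the list against the small expected set. It assumes the RSAT ActiveDirectory module (for the AD: drive) and a domain-joined host; the extended-right GUIDs are the schema-defined constants for those rights.

```powershell
# Added example (not from the original notes): audit holders of the
# directory replication extended rights on the domain naming context.

Import-Module ActiveDirectory -ErrorAction Stop

function Get-ReplicationRightHolders {
    [CmdletBinding()]
    param(
        # Domain head DN; defaults to the current domain.
        [string]$Domain = (Get-ADDomain).DistinguishedName
    )

    # controlAccessRight GUIDs from the AD schema.
    $replicationRights = @{
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
        '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    }
    $allExtendedRights = '00000000-0000-0000-0000-000000000000'
    $extendedRight     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll        = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    $acl = Get-Acl -Path "AD:\$Domain"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $guid       = $ace.ObjectType.ToString().ToLower()
        $isExtended = (($ace.ActiveDirectoryRights -band $extendedRight) -ne 0)
        $isGeneric  = (($ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll)

        # GenericAll, or ExtendedRight with the all-zero object GUID, grants
        # every extended right, replication included.
        if ($isGeneric) {
            $right = 'GenericAll (includes replication rights)'
        } elseif ($isExtended -and $guid -eq $allExtendedRights) {
            $right = 'All extended rights (includes replication rights)'
        } elseif ($isExtended -and $replicationRights.ContainsKey($guid)) {
            $right = $replicationRights[$guid]
        } else {
            continue
        }

        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Right     = $right
            Inherited = $ace.IsInherited
        }
    }
}

Get-ReplicationRightHolders | Sort-Object Identity, Right | Format-Table -AutoSize
```

Out of the box the replication rights sit with BUILTIN\Administrators, Domain Controllers and Enterprise Domain Controllers (plus Enterprise Read-only Domain Controllers for the filtered set); any other identity in the output is worth an explanation, and a DC-local administrator who is not in one of those groups will not appear, which is the whole point of pitfall 7.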

8. Session Reuse (WinRM, PsExec, SMB)

Symptom

  • Privilege escalation succeeded
  • Same shell still lacks access

Why

  • Sessions cache tokens:
    • WinRM keeps same token
    • SMB reuses auth session
    • PsExec reuses network token

Fix

  • Kill the session
  • Reconnect fresh

New privilege → new session
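For WinRM specifically, “kill the session, reconnect fresh” is easy to do and easy to forget to verify. The following PowerShell is an added example for these notes, not code from the original page: it closes any cached remoting session to a host, opens a new one, and reads the remote token to confirm the group you were just added to is actually enabled there before you rely on it. It assumes WinRM is enabled and reachable; the host name in the usage line is a placeholder, and the optional -Credential parameter is there only to make pitfall 4 visible (omit it when testing your own updated account).

```powershell
# Added example (not from the original notes): fresh remoting session plus
# a check of the token that session really got.

function Reset-RemoteSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # SID to look for in the remote token; default is BUILTIN\Administrators.
        [string]$GroupSid = 'S-1-5-32-544',
        # Supplying this forces a new logon with *those* credentials (pitfall 4).
        # Leave it out so the session is built from your current logon.
        [System.Management.Automation.PSCredential]$Credential
    )

    # A cached session keeps the token it was created with (pitfall 8), so
    # drop every existing session to this host before doing anything else.
    Get-PSSession | Where-Object { $_.ComputerName -eq $ComputerName } | Remove-PSSession

    $sessionArgs = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Credential) { $sessionArgs.Credential = $Credential }
    $session = New-PSSession @sessionArgs

    # Read the live token on the remote side instead of assuming. Note that a
    # WinRM session is a Network logon (type 3), so this also shows whether
    # the group survives that logon type at all (pitfall 2).
    $remoteUser = Invoke-Command -Session $session -ScriptBlock { whoami }
    $groups     = Invoke-Command -Session $session -ScriptBlock { whoami /groups /fo csv | ConvertFrom-Csv }
    $entry      = $groups | Where-Object { $_.SID -eq $GroupSid }
    $attributes = if ($entry) { $entry.Attributes } else { '' }

    [pscustomobject]@{
        ComputerName = $ComputerName
        SessionId    = $session.Id
        RemoteUser   = $remoteUser
        GroupInToken = [bool]$entry
        Attributes   = $attributes
        Session      = $session   # keep using this object for follow-up Invoke-Command calls
    }
}

# Usage (placeholder host name):
# $r = Reset-RemoteSession -ComputerName 'HOST01'
# if (-not $r.GroupInToken) { 'New session, still no group: this is a Kerberos/logon problem, not a session problem' }
```

If GroupInToken is false even in the fresh session, the cause is upstream of WinRM (stale ticket, wrong credentials, or a group that does not apply to this host), which is where pitfalls 4, 5 and 10 take over.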


9. Token Privileges vs Group Membership

Groups grant potential privileges.
Tokens expose actual privileges.
Check:

whoami /priv

Common OSCP Blockers

  • SeBackupPrivilege present but disabled
  • SeImpersonatePrivilege missing or inactive

Fix

  • Proper logon type
  • SYSTEM context
  • Privilege-specific tooling
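Pitfalls 6 and 9 come down to two questions the shell can answer directly: is this thread impersonating or holding a primary token, and is each privilege a tool needs enabled, present-but-disabled, or absent? The following PowerShell is an added example for these notes, not part of the original page: it reports both, defaulting to the two privileges the notes list as OSCP blockers. It assumes an English-locale Windows with the built-in whoami.exe. One detail it deliberately surfaces: whoami runs as a child process and therefore reports the process’s primary token, while WindowsIdentity.GetCurrent() reports the thread’s impersonation token if there is one, so a mismatch between the two is exactly the “impersonating SYSTEM, not SYSTEM” case.

```powershell
# Added example (not from the original notes): primary vs impersonation,
# and privilege state, for the current token. Read-only.

function Get-TokenPrivilegeReport {
    [CmdletBinding()]
    param(
        # Privileges to check; defaults are the two the notes call out.
        [string[]]$Privilege = @('SeBackupPrivilege', 'SeImpersonatePrivilege')
    )

    # GetCurrent() returns the thread token when impersonating, else the process token.
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $isPrimary = ($id.ImpersonationLevel -eq [System.Security.Principal.TokenImpersonationLevel]::None)
    $isSystem  = ($id.User.Value -eq 'S-1-5-18')   # NT AUTHORITY\SYSTEM

    if ($isSystem -and -not $isPrimary) { $context = 'Impersonating SYSTEM: not a primary token, children will not be SYSTEM' }
    elseif ($isSystem)                  { $context = 'SYSTEM with a primary token' }
    elseif ($isPrimary)                 { $context = 'Primary token, not SYSTEM' }
    else                                { $context = 'Impersonation token, not SYSTEM' }

    # whoami /priv reads the live token of the child process it runs in.
    # Columns: Privilege Name, Description, State (Enabled / Disabled).
    $present = @{}
    foreach ($row in (whoami /priv /fo csv | ConvertFrom-Csv)) {
        $present[$row.'Privilege Name'] = $row.State
    }

    $details = foreach ($name in $Privilege) {
        $state  = if ($present.ContainsKey($name)) { $present[$name] } else { 'Missing' }
        $advice = switch ($state) {
            'Enabled'  { 'Usable as-is' }
            'Disabled' { 'Held by the token but switched off; a tool must enable it in its own process' }
            default    { 'Not held at all; needs a different logon type or context (e.g. SYSTEM), not a group change' }
        }
        [pscustomobject]@{ Privilege = $name; State = $state; Advice = $advice }
    }

    [pscustomobject]@{
        Identity           = $id.Name
        IsSystem           = $isSystem
        ImpersonationLevel = $id.ImpersonationLevel   # 'None' means primary token
        Context            = $context
        WhoamiReports      = (whoami)                 # primary identity as seen by a child process
        Privileges         = $details
    }
}

$report = Get-TokenPrivilegeReport
$report | Select-Object Identity, IsSystem, ImpersonationLevel, Context, WhoamiReports | Format-List
$report.Privileges | Format-Table -AutoSize
```

A Disabled state is a per-process switch, so it is a tooling question; a Missing state is a token question and no amount of group membership on the same logon will change it, which is the distinction the “groups grant potential privileges, tokens expose actual privileges” line is making.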

10. Domain vs Local Group Scope

Example

  • Added to Administrators
  • Works on one host only

Why

  • Local group ≠ domain-wide
  • Scope limited to:
    • One machine
    • One OU via GPO

Always Ask

Where does this group actually apply?


Mental Checklist (Exam Gold)

When something should work but doesn’t:
1. Did I log out and back in?
2. Is this an interactive token?
3. Am I bypassing my token with -Credential?
4. Is Kerberos caching involved?
5. Is UAC filtering me?
6. Is this impersonation or a primary token?
7. Does this group apply here?


One-Sentence OSCP Truth

Privilege escalation in AD is 50% permissions and 50% understanding Windows tokens.
