Lab

first we try login with valid credential on rdp server

we success to login and we found file call pentest-open

now let’s change value of DisableRestrictedAdmin from 0 to 1

reg add HKLM\\System\\CurrentControlSet\\Control\\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

then let’s try sign in by this hash

we found flag