Access file owned by BUILTIN\Administrators


As part of a challenge, I need to access a file which is owned by BUILTIN\Administrators on a DC. I mounted the C$ share from another workstation, with the domain account I have, unfortunately I receive access denied when I attempt to access the file.

X:\Users\Administrator\FOLDER>dir /Q  03/15/2018  06:46 AM    <DIR>          BUILTIN\Administrators . 03/15/2018  06:46 AM    <DIR>          BUILTIN\Administrators .. 04/15/2018  05:09 PM               126 BUILTIN\Administrators FILE 

On the workstation I have access via ps I added my user to the local admin group of the DC:

$  group = [ADSI]("WinNT://<IP>/administrators,group") $  group.add("WinNT://<DOMAIN>/<USER>,user") 

Checking on rpcclient:

rpcclient $  > enumalsgroups builtin ... group:[Administrators] rid:[0x220] ... rpcclient $  > queryaliasmem builtin 0x220     sid:[S-1-5-21-779333104-4060554207-35427279-500]     sid:[S-1-5-21-779333104-4060554207-35427279-519]     sid:[S-1-5-21-779333104-4060554207-35427279-512]     sid:[S-1-5-21-779333104-4060554207-35427279-2605]  rpcclient $  > lookupsids S-1-5-21-779333104-4060554207-35427279-2605 S-1-5-21-779333104-4060554207-35427279-2605 <DOMAIN>\<USER> (1) 

also using smbclient:

smbclient //<IP>/c$   -U <USER> Enter WORKGROUP\<USER>'s password:  Try "help" to get a list of possible commands. smb: \> cd Users\Administrator\FOLDER\ smb: \Users\Administrator\FOLDER\> get FILE NT_STATUS_ACCESS_DENIED opening remote file \Users\Administrator\FOLDER\FILE 

I also created a local user but nothing changes. icacls and cacls returns “Access is denied.” any suggestion?

KR dk