Gain Root Access on Any Windows Machine


The Sorrow

This process will grant the user SYSTEM level access and basically admin permissions.

1. Open a command prompt and type in [at XX:XX /interactive "cmd.exe"] (put the current time plus one minute, in military/24-hour time, in place of XX:XX).

For example, if it's 10 am you would enter [at 10:01 /interactive "cmd.exe"]

2. Press Ctrl + Alt + Del to bring up Task Manager and kill "explorer.exe"

3. At 10:01 a new command prompt will open. In this new console, type in [explorer]

4. Now you will notice that the Windows default visual settings are loaded and the user name on the Start menu is now SYSTEM

This exploit can be used even on guest accounts on any Windows 2000 or higher (don't know about Vista yet).

Have fun


2 things.

#1, that is really slick and could come in handy in the future. Thanks for the tip!

#2, it didn't work on my machine but I also know why.

In order for this to work, the "Task Scheduler" service has to be running, and I have it disabled by default. As soon as I started the service and ran your command it worked.


It got patched in XP SP2. Very old trick, probably covered elsewhere on the forum somewhere, I forget.

Works on my SP3, but I had to manually start the service, as I have it set to disabled.

I don't think this is a patch issue though, since services like that one run at system level anyway. If they are the one starting a process and the default user shell is gone (i.e. cancel explorer.exe before the task spawns), then cmd becomes the new shell at system user level, and since it's started by a system process, it spawns as the system user when you run explorer.exe from the cmd window.

** You might even be able to

edit: Just tried it and this works as well. Just skip cmd.exe and point it to explorer.exe instead, then kill explorer.exe after putting in the at command and wait for the desktop to respawn. This works even nicer, as it saved my wallpaper and custom theme. I'll have to try this now to see if that works as well. **

I noticed in Vista Task Scheduler cannot be disabled, so this might work in Vista, but I don't think you can easily kill explorer.exe in Vista like you can in XP. I don't have Vista installed on anything at the moment, so I can't test that one though.


Best to disable the task scheduler to begin with, as I always do on my personal machines anyway.

SP2+ requires you to have an admin account to begin with, thus negating the entire point. You can do it with an admin account but not with a fully patched machine and a limited account.

This is true, you can't run the "AT" command as a Guest or limited account. Just tried it on my machine and was denied access to the "AT" command.

But I know that at work, we have locked down machines and managed desktops and such that still allow us to run the "AT" command and Task Scheduler, because we use Task Scheduler all the time to launch certain jobs during the night. I use it regularly for alerts on things I have to run at certain times of the night on the mainframe console.

We don't have full admin control over the machine though, since we log on to a domain and only have certain functions we can perform on these machines. I can see that in a corporate environment where you may have little more than limited functions, but access to the "AT" command, this could be used (or abused) by anyone who knows about it to gain higher privileges on the machine, and then use it to add additional users or rights to other users.


Ok, the at command can be used by a limited account even in XP SP2. Don't believe me? Type "at /?" at the command prompt. You should see the help output for at. Now, while you can't actually "use" the at command beyond viewing the help, this is an obvious giveaway. The task scheduler service still runs under the SYSTEM account. With any luck, what I'm thinking is MS only patched the at command itself. Even a limited user can create tasks using the GUI.

So what does this mean? I'm wondering if you can take a pre-SP2 XP version of the at command and use it? If MS only patched the at command stored on the local system, who's to say you couldn't use an older version of at from, say, a flash drive...

And yes digip, you're right on there. The way anything involving processes in Windows works is that child processes always get the amount of system access the parent process (in this case at running as the system account) has.


> Ok, the at command can be used by a limited account even in XP SP2. Don't believe me? Type "at /?" at the command prompt. You should see the help output for at. Now, while you can't actually "use" the at command beyond viewing the help, this is an obvious giveaway. The task scheduler service still runs under the SYSTEM account. With any luck, what I'm thinking is MS only patched the at command itself. Even a limited user can create tasks using the GUI.
>
> So what does this mean? I'm wondering if you can take a pre-SP2 XP version of the at command and use it? If MS only patched the at command stored on the local system, who's to say you couldn't use an older version of at from, say, a flash drive...
>
> And yes digip, you're right on there. The way anything involving processes in Windows works is that child processes always get the amount of system access the parent process (in this case at running as the system account) has.

The AT command and the GUI do not work in a Guest account. Haven't tried a limited user account yet, but I assume they would need a group policy to grant them access to it, which is what we have at work on our domain logins: access to the at command.


Also, on a lot of machines I've used, which I've wanted to root (school, work etc. Not maliciously, just curious), "Task Manager" has been disabled.

That's a good point, but have you tried the command line versions?

TASKLIST and TASKKILL


Old trick, to my knowledge it only works on XP SP1, 2 and 3 Professional; it may work on Home but I have not tested it. You must have administrative rights to do it. It's a far cry from "any Windows Machine," and I also wouldn't call it an exploit.

This does NOT work on Vista or Win7, and it also does not work from XP guest accounts; I don't know what Sorrow is smoking.

A while ago I helped create a program to do this automatically, takes about 1-2 mins to complete, just run it and get SYSTEM, enjoy! Download SysHack

> Also, on a lot of machines I've used, which I've wanted to root (school, work etc. Not maliciously, just curious), "Task Manager" has been disabled.

You can generally use GPedit.msc, or a 3rd party registry editor to re-enable Task Manager/CMD if it's been disabled. (start>run>type "gpedit.msc")

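As an added example (mine, not from the thread and not SysHack), here is a read-only PowerShell audit that checks, on the machine you are sitting at, the preconditions the posts above argue over: whether the Schedule ("Task Scheduler") service is running, whether the current user is an administrator, whether at.exe answers or denies access, and whether Task Manager has been disabled by policy. The registry location of the DisableTaskMgr policy value, the reading of a non-zero at.exe exit code as "denied", and the "pre-Vista" cut-off used for the final verdict are my assumptions, taken from the claims in this thread rather than anything the thread itself verifies.

```powershell
# Added example, not part of the original thread. Read-only: it changes nothing.
# Run from an ordinary (non-elevated) PowerShell prompt, since that is the
# account whose exposure you care about.

function Get-AtTrickExposure {
    $os = [Environment]::OSVersion.Version          # XP = 5.1, Vista = 6.0, Win7 = 6.1

    # 1. The Schedule service must be running (the "it didn't work until I
    #    started Task Scheduler" post above).
    $svc = Get-Service -Name Schedule -ErrorAction SilentlyContinue
    $schedRunning = ($svc -ne $null -and $svc.Status -eq 'Running')

    # 2. On SP2+ the thread says only administrators may submit at jobs.
    #    Under UAC a non-elevated admin shows as non-admin here, which is
    #    also what at.exe sees.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $pr = New-Object Security.Principal.WindowsPrincipal($id)
    $isAdmin = $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # 3. Ask at.exe directly. Listing the queue needs the same right as
    #    submitting; assumption: exit code 0 = allowed, anything else = denied.
    #    at.exe is absent on newer Windows, so check for it first.
    $atUsable = $false
    if (Get-Command at.exe -ErrorAction SilentlyContinue) {
        $null = & at.exe 2>&1
        $atUsable = ($LASTEXITCODE -eq 0)
    }

    # 4. Task Manager disabled by policy (DisableTaskMgr = 1 under either
    #    hive). If so, the taskkill route suggested above is the fallback.
    $tmDisabled = $false
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $v = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
        if ($v -and $v.DisableTaskMgr -eq 1) { $tmDisabled = $true }
    }

    # Exposed only if a non-admin can still drive at.exe with the service up on
    # a pre-Vista build (the thread reports the trick fails on Vista and Win7).
    $exposed = ($schedRunning -and $atUsable -and (-not $isAdmin) -and ($os.Major -lt 6))

    New-Object PSObject -Property @{
        OSVersion           = $os.ToString()
        ScheduleRunning     = $schedRunning
        CurrentUserIsAdmin  = $isAdmin
        AtCommandUsable     = $atUsable
        TaskManagerDisabled = $tmDisabled
        ExposedToAtTrick    = $exposed
    }
}

Get-AtTrickExposure | Format-List
```

If ExposedToAtTrick comes back True for a limited user, the fix is the one the thread already lands on: stop and disable the Schedule service where it is not needed, or keep the machine patched so at.exe refuses non-administrators.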

If you can get Linux booted up on the machine and mount the hard drive, find C:\WINDOWS\System32\sethc.exe and rename it to something like sethc.exe.bak (just in case). Copy cmd.exe and rename the copy to sethc.exe. Reboot. At the login screen hit Shift five times, and hear the joyous music and see the black box. Notice the SYSTEM username. Profit.

I use this all the time to reset "forgotten" passwords. > user Administrator *

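As an added example (mine, not the poster's), a PowerShell check for the sethc.exe swap described above, written for the defender's side: run it on the host, or point -System32 at the System32 directory of a mounted image. It compares SHA-256 hashes of sethc.exe and cmd.exe (a straight copy is byte-identical), reads the OriginalFilename field of the PE version resource (my assumption: a stock sethc.exe names itself there, while a renamed cmd.exe names Cmd.Exe), and looks for the sethc.exe.bak the post leaves behind. The function and parameter names are mine.

```powershell
# Added example, not part of the original thread. Detects a cmd.exe copied
# over sethc.exe, the "sticky keys" swap described in the post above.

function Get-FileSha256([string]$Path) {
    # .NET hashing rather than Get-FileHash so it also runs on older PowerShell.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        return [BitConverter]::ToString($sha.ComputeHash($bytes)).Replace('-', '')
    } finally {
        $sha.Dispose()
    }
}

function Test-SethcSwap([string]$System32 = "$env:SystemRoot\System32") {
    $sethc = Join-Path $System32 'sethc.exe'
    $cmd   = Join-Path $System32 'cmd.exe'
    $findings = @()

    if (-not (Test-Path $sethc)) {
        return @("sethc.exe missing from $System32")
    }

    # 1. A copied cmd.exe hashes identically to the real cmd.exe beside it.
    if ((Test-Path $cmd) -and ((Get-FileSha256 $sethc) -eq (Get-FileSha256 $cmd))) {
        $findings += 'sethc.exe is byte-identical to cmd.exe'
    }

    # 2. The version resource travels with the binary, not the file name.
    #    Assumption: a genuine sethc.exe reports OriginalFilename starting "sethc".
    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($sethc)
    if ($info.OriginalFilename -and $info.OriginalFilename -notlike 'sethc*') {
        $findings += "sethc.exe version resource says OriginalFilename=$($info.OriginalFilename)"
    }

    # 3. The post renames the real binary to sethc.exe.bak; a leftover is a tell.
    foreach ($left in Get-ChildItem -Path $System32 -Filter 'sethc.exe.*' -ErrorAction SilentlyContinue) {
        $findings += "leftover file: $($left.Name)"
    }

    return $findings
}

$f = @(Test-SethcSwap)
if ($f.Count -eq 0) { 'sethc.exe looks untouched' } else { $f }
```

Because the swap is done offline from a Linux boot, the check has to look at the file itself rather than at Windows logs; a hash mismatch against a known-good sethc.exe from install media is the same idea with a stronger baseline.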

I think the thread title should be changed to "Gain Admin access on just installed Windows systems with no updates installed". So far, on the five machines I've tried this on, none worked. The at command is disabled. Kon-Boot also doesn't work on them. Kon-Boot only works with local users. You need to know the name of a local user on the Windows machine. Administrator is disabled on all my work machines and my home systems. They boot to the user name and password screen, not the stupid ass click-a-picture-and-put-in-your-password screen.


> I think the thread title should be changed to "Gain Admin access on just installed Windows systems with no updates installed". So far, on the five machines I've tried this on, none worked. The at command is disabled. Kon-Boot also doesn't work on them. Kon-Boot only works with local users. You need to know the name of a local user on the Windows machine. Administrator is disabled on all my work machines and my home systems. They boot to the user name and password screen, not the stupid ass click-a-picture-and-put-in-your-password screen.

Umm, can you say net user? You don't need admin access to get the usernames for the computer, and I doubt you've enabled "don't display last username", so who cares if it's not the welcome screen? Your username is already filled in by default.

If you took the time to read through the thread you would have noticed patched XP machines and Vista safeguard against this escalation flaw in at by requiring you to be admin to even use it.


> I think the thread title should be changed to "Gain Admin access on just installed Windows systems with no updates installed". So far, on the five machines I've tried this on, none worked. The at command is disabled. Kon-Boot also doesn't work on them. Kon-Boot only works with local users. You need to know the name of a local user on the Windows machine. Administrator is disabled on all my work machines and my home systems. They boot to the user name and password screen, not the stupid ass click-a-picture-and-put-in-your-password screen.

The sethc.exe method I used has worked regardless of the Administrator account being disabled. Access to the net command is key, and the login screen's SYSTEM user account gives us that in a nice little package.

net user Administrator /active:yes
net user Administrator *

You should give it a try.

EDIT: I was going to make a video demonstrating it, but VirtualBox won't let me insert the 5 shifts for some reason. Any suggestions?
