Jump to content

Gain Root Access on Any Windows Machine

The Sorrow

By The Sorrow
in Security

 Share

Recommended Posts

barry99705 Veteran

barry99705

Posted
Posted
Umm, can you say net user? You don't need admin access to get the usernames for the computer and I doubt you've enabled don't display last username so who cares if its not the welcome screen? Your username is already filled in by default.

If you took the time to read through the thread you would have noticed patched XP machines and Vista safeguard against this escalation flaw in at by requring you to be admin to even use it.

Okay, so how the hell do you get a user name of a non-logged in machine? Say you walk up to it at a starbucks or whatever. I have read through the thread, which is why I said the title should be renamed. None of these methods work if the machine has been updated, or if they have the local administrator user disabled. Also the used name isn't already filled out.

Link to comment
Share on other sites
redxine Newbie

redxine

Posted
Posted
Okay, so how the hell do you get a user name of a non-logged in machine? Say you walk up to it at a starbucks or whatever. I have read through the thread, which is why I said the title should be renamed. None of these methods work if the machine has been updated, or if they have the local administrator user disabled. Also the used name isn't already filled out.

Judging by your avatar, I'd say you're a Unix guy (Although I could be wrong). From what you're saying you are suggesting that there is no user called Administrator on any of the machines you see. That's like saying there's no root on any of your machines, updated or not. Updates may take care of kernel things/vulnerabilities like konboot, but the SYSTEM user is still there, and has no intention of going away. Here's how it works:

The login page is basically an executable, one that has to be run by a user that can startup really important things, and can't rely on dynamic[?] users, kinda like the nobody account on *nix systems, but with much, much more power. In this case, the login program uses the SYSTEM account to do it's dirty work, an account that can control EVERYTHING on the local system - like the kernel - and can never be told "no" by a higher power. After the machine is logged in, it hands over control to whatever user was selected. In my attack, I use this power against itself. When you hit shift 5 times to startup sticky keys at the login page, it ends up being run by the SYSTEM user. By replacing the sticky key executable (sethc.exe) with cmd.exe, one can boost the privileges through the SYSTEM account, ergo you have full root access to the machine. You can then use it with the net user command to unlock and change the Administrator password, then login using the newly changed credentials.

So at your starbucks machine, you'd throw in your handy dandy flash drive with your favorite *nix distro on it, restart the machine and get to at least a bash prompt. You casually type "mkdir /media/disk/ ; mount.ntfs /dev/sda /media/disk/" to mount the hard drive. Then you "cd /media/disk/WINDOWS/System32/" and "rename sethc.exe sethc.exe.bak" then "cp cmd.exe sethc.exe", "unmount /media/disk/", "init 6"/"reboot"/"shutdown 6" and take a long sip of your mocha while windows loads. Hit shift five times and cough to cover up the "Bring---" sound, and quickly type "net user Administrator *", and if nessicary "net user Administrator /active:yes", close the window and login as Administrator, then rain down your coffiey doom upon the machine.

Link to comment
Share on other sites
SomethingToChatWith Newbie

SomethingToChatWith

Posted
Posted
Okay, so how the hell do you get a user name of a non-logged in machine?.

Simple, most places dont have dont display last username enabled, so a user account is already filled in for me. All I need to do is get in under a limitied user to use net user to get the information I need. Once i've discovered an account with admin access that isnt disabled, reboot real quick with kon-boot and get in.

Link to comment
Share on other sites
barry99705 Veteran

barry99705

Posted
Posted
Judging by your avatar, I'd say you're a Unix guy (Although I could be wrong). From what you're saying you are suggesting that there is no user called Administrator on any of the machines you see. That's like saying there's no root on any of your machines, updated or not. Updates may take care of kernel things/vulnerabilities like konboot, but the SYSTEM user is still there, and has no intention of going away. Here's how it works:

The login page is basically an executable, one that has to be run by a user that can startup really important things, and can't rely on dynamic[?] users, kinda like the nobody account on *nix systems, but with much, much more power. In this case, the login program uses the SYSTEM account to do it's dirty work, an account that can control EVERYTHING on the local system - like the kernel - and can never be told "no" by a higher power. After the machine is logged in, it hands over control to whatever user was selected. In my attack, I use this power against itself. When you hit shift 5 times to startup sticky keys at the login page, it ends up being run by the SYSTEM user. By replacing the sticky key executable (sethc.exe) with cmd.exe, one can boost the privileges through the SYSTEM account, ergo you have full root access to the machine. You can then use it with the net user command to unlock and change the Administrator password, then login using the newly changed credentials.

So at your starbucks machine, you'd throw in your handy dandy flash drive with your favorite *nix distro on it, restart the machine and get to at least a bash prompt. You casually type "mkdir /media/disk/ ; mount.ntfs /dev/sda /media/disk/" to mount the hard drive. Then you "cd /media/disk/WINDOWS/System32/" and "rename sethc.exe sethc.exe.bak" then "cp cmd.exe sethc.exe", "unmount /media/disk/", "init 6"/"reboot"/"shutdown 6" and take a long sip of your mocha while windows loads. Hit shift five times and cough to cover up the "Bring---" sound, and quickly type "net user Administrator *", and if nessicary "net user Administrator /active:yes", close the window and login as Administrator, then rain down your coffiey doom upon the machine.

Sombitch!! That worked way too easy!

Link to comment
Share on other sites
redxine Newbie

redxine

Posted
Posted
Sombitch!! That worked way too easy!

That's the idea. Scenario:

Noob: Damnit! I hate not having Administrative privledges on this machine, all because of that flashdrive scare from china. Now I can't even use my wireless.

You: Allow me to be of assistance!

(Inserts thumbdrive, types furiously, and reboots. Types some more, bring-noise is heard, continues typing)

The password is 'noobsauce'. Have fun.

Link to comment
Share on other sites
barry99705 Veteran

barry99705

Posted
Posted
That's the idea. Scenario:

Noob: Damnit! I hate not having Administrative privledges on this machine, all because of that flashdrive scare from china. Now I can't even use my wireless.

You: Allow me to be of assistance!

(Inserts thumbdrive, types furiously, and reboots. Types some more, bring-noise is heard, continues typing)

The password is 'noobsauce'. Have fun.

I only worry about my machines, and I'm a domain admin. No problems with passwords.... :D

Link to comment
Share on other sites
  • 3 weeks later...
digip Newbie

digip

Posted
Posted

Well, I had a real world practical use of this trick yesterday. I was fixing a computer for someone, when I ran into some issues. In XP Home edition, you don't have access to other users files and can't set ownership like you can in XP Pro. Trying to view another persons documents is blocked. On top of that, I was installing some firewall and anti-virus software, which worked fine on the main acocunt I installed it on, but when you would then login as another user, the firewall would crash under the other user accounts and then you couldn't run any programs, getting an error "can not find the path or file".

So then I tried installing it under each user. That didn't work, because it said I didn't have rights to access the firewall install from the main account I installed it from, so I couldn't uninstall or repair it under other users. Then, it started giving me issue with deleting files, saying I didn't have permission to do so, which was a problem because at some point, I couldn't evne uninstall the firewall or delete its folder and clean the registry to fix the install.

In short, I used the "at" trick to make myself the "system" user. Once I did that, I could uninstall all the crap that was on there, and delete the corrupted files it wouldn't give me access to before. Then, I reinstalled the firewall as "system" and once I rebooted, ALL the other accounts worked fine and nothing was crashing or locking up.

Had I not remembered this little trick, I probably wouldn't have been able to fix those problems short of a backup and reinstall of the OS, which was not something I wanted to spend my day doing, nr have to set up each users programs, etc. Things were really fubared until I was able to have access to the system with full privledges in order to delete and install what I needed.

Props to the sorrow or whoever originally discovered this trick, it came in handy. The potential for legit use of this hack is there, you just need to have a reason to use it.

Link to comment
Share on other sites
The Sorrow Newbie

The Sorrow

Posted
  • Author
Posted
Well, I had a real world practical use of this trick yesterday. I was fixing a computer for someone, when I ran into some issues. In XP Home edition, you don't have access to other users files and can't set ownership like you can in XP Pro. Trying to view another persons documents is blocked. On top of that, I was installing some firewall and anti-virus software, which worked fine on the main acocunt I installed it on, but when you would then login as another user, the firewall would crash under the other user accounts and then you couldn't run any programs, getting an error "can not find the path or file".

So then I tried installing it under each user. That didn't work, because it said I didn't have rights to access the firewall install from the main account I installed it from, so I couldn't uninstall or repair it under other users. Then, it started giving me issue with deleting files, saying I didn't have permission to do so, which was a problem because at some point, I couldn't evne uninstall the firewall or delete its folder and clean the registry to fix the install.

In short, I used the "at" trick to make myself the "system" user. Once I did that, I could uninstall all the crap that was on there, and delete the corrupted files it wouldn't give me access to before. Then, I reinstalled the firewall as "system" and once I rebooted, ALL the other accounts worked fine and nothing was crashing or locking up.

Had I not remembered this little trick, I probably wouldn't have been able to fix those problems short of a backup and reinstall of the OS, which was not something I wanted to spend my day doing, nr have to set up each users programs, etc. Things were really fubared until I was able to have access to the system with full privledges in order to delete and install what I needed.

Props to the sorrow or whoever originally discovered this trick, it came in handy. The potential for legit use of this hack is there, you just need to have a reason to use it.

to be honest me and some buddies were trying to figure out how to get a root login like on linux and went looking around and were never given a straight answer except it uses the at command. So i was trying it out one day and just got tired of it and restarted the explorer on the cmd i brought up and saw SYSTEM in those bold letters and went "Holy shit...i feel epic"

Now i know others have already figured out this trick so i by no means take the honor of being the developer of this hole in the infastructure, in fact i found a video a week later on milw0rm demonstrating this bug in a different way. The only thing i use it for now is changing the background on the .net login screen to mess with my teacher.

Link to comment
Share on other sites
  • 4 months later...
digip Newbie

digip

Posted
Posted

I know old thread, but just wanted to validate, we tried this in class tonight on a server2003 maachien that had security policies in place to lock down certain things. This "AT" command trick not only worked, but unlocked a lot of things as well, so say you were a domain controller, but not logged in as the domain admin, but someone of lesser privledge for dumb things like resetting passwords or whatever the case may be, you effectively become "system", when explorer.exe respawns, you get the configure your server wizard and can then do any function regardless of what your previous system level administration access was.

Still tryign to get something similar to this working on Vista. Figured out how to enable administrator on vista, so you dont have to use runas and authenticate when trying to use elevated privledges, but does require you to use the runas command to enable the feature. Got me thinking, there must be a way to use runas to launch a system level token or sid while respawning a process, like the above explorer.exe trick.

Link to comment
Share on other sites
  • 2 weeks later...
digip Newbie

digip

Posted
Posted
Also has anyone tried this method of escalation to SYSTEM?

Windows-hole-discovered-after-17-years

I will give it a try when I get time (probably in about 3 weeks!)

That snot just th elevle of SYSTEM, thats the Ring 0 kernel exploit. Its as high as you cna go basically, beyond system, since its at the most inner kernel's working level.

You can use a group policy setting to disable the flaw though, as most people arent using 16-bit apps anymore, and if they are, its probably in some shop where they support legacy applications for internal business, and hopefully not accessable by anyone other than IT staff.

http://www.twistedpairrecords.com/blog/201...kernel-exploit/

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...