Escalation - Getting Privs as Guest

[kickarse]

So I stumbled across this *ahem* on digg

http://www.pandora-security.com/forum/viewtopic.php?t=2093

I haven't gotten it to work at work. I'm sys admin here running a domain. I had my user as guest and normal user and both won't allow this. So i don't know what patches I have that disallow this.

[melodic]

looks cool man thanks for the link

i will check it out :)

EDIT

DUDE FUCK ME! thats well goood!!!

thanks so much for the link...damn windows pcs :P

[kickarse]

do you have SP2?

[melodic]

yeah i do with all latest updates installed, and it still worked :P

[kickarse]

As a guest, regular user, or as admin?

[melodic]

admin...why?

it should work on nearly ANY xp machine. i think that tut should be copied here with a link to the orginal, and this thread or the new thread should be sticky'd

what you say cooper?

[cooper]

We'd need some interest for this thread first.

This thing does have big potential. I mean, hack an XP box remotely so you get a shell. Download some shitty server proggy that will do your bidding, and use the 'at' command to schedule it's starting in the next minute.

BOOM! Instant god-mode in XP.

If this truly is that simple (i.e. try it as guest first. Then we'll talk) this is a huge snafu for Microsoft. But don't worry, Trusted Computing is still on track. ;)

[melodic]

i will test tomorrow unless someone will test now? and post screenshots and things like i have a tip for it.

DONT cloe the cmd your account opens, cos then you can kill the explorer the system account makes :P and then reopen YOUR explorer in your cmd window

[Jester]

tried it as a guest account and with a default setup Guest does not have access to the "at" command now a default setup nor does it work with a limited user account with defautl setup on an XP Pro machine.

[kickarse]

Yeah I already explained that it doesn't work as guest or normal user accounts. As admin your golden, but it still gives you access to kernel so it's still highly useful as admin.

We might have to find some other ways of escalation to at least admin, then this would rock.

[anditwasgood]

This is what I get in Vista.

[Sparda]

I tried this on Windows 2000 SP4 and it didn't work.

[kickarse]

There's also been some mention of MSOOBE.exe being able to escalate priv's. I think if you run msoobe.exe with an Alternate data stream you might be able to escalate there too.

[Iain]

I'd be interested to know if this works. I know that the "at xx:yy /interactive ...." trick doesn't work on a fully patched XP Pro SP2 when logged on with limited rights.

There *must* be a way of doing it, it just hasn't been found yet! I know that access to files can be obtained using Knoppix, BartsPE etc., but that seems like cheating.

[kickarse]

Yeah, it's not as fun when you have a boot disk to pop in when your compromising at Best Buy ... err...

The best thing is even as Guest that you can escalate priv's... with some a simple command line hack.

[Iain]

The best thing is even as Guest that you can escalate priv's... with some a simple command line hack.

I thought that was how this thread started and the technique presented has been kicked into touch for a fully patched XP Pro SP2. Use of MSOOBE.exe sounds interesting.