temperseed, posted September 18, 2006:
Here's a quick way to get True, but really, who doesn't run Windows as a non-admin account. Yes, yes, yes, public terminals are an exception. But for individual users, everyone is admin. Mmm, pardon my old ways... I'm just too used to compromising fast, unsecured, publicly used computers for my better use. PS: It's just a lot more fun when it's hard to hack. 8) Gets annoying though... :oops:

a5an0, posted September 18, 2006:
> Here's a quick way to get True, but really, who doesn't run Windows as a non-admin account. Yes, yes, yes, public terminals are an exception. But for individual users, everyone is admin. Mmm, pardon my old ways... I'm just too used to compromising fast, unsecured, publicly used computers for my better use. PS: It's just a lot more fun when it's hard to hack. 8) Gets annoying though... :oops:
Fair enough.

Iain, posted September 19, 2006:
WTF! I've just been on my new college computers and am able to do so much we couldn't before... I'm amazed that this has happened. Presumably the admins are the same people? I may be cynical, but do you think that they have "lowered the guard" to entice folks into probing their system, perhaps to get themselves into trouble? I suppose a kind of honeypot?

temperseed, posted September 19, 2006:
Yup, act stupid, steal the admin password, and simply let 'em put up all the security they want (hopefully he won't change his password). 8)

Iain, posted September 19, 2006:
> I would tell them about it but knowing them they'd presume I've been 'hacking' so may get into trouble.
Good move - I know that it happens. I heard of someone who, with good intention, told a tutor that he'd found some holes in the security and it was, rightly, reported to the IT department. As well as fixing the holes, the guy was punished for probing where he shouldn't.
kickarse, posted September 19, 2006:
^^ It works in SP2 only if you're Admin already... and they changed it to a different command and I can't remember what that is at the moment... What about injecting directly into the SAM via DOS?

kickarse, posted September 20, 2006:
Yeah, what I mean is that AT is only available to schedule via an Admin account or if you've set special privs... What about in DOS changing privs on the AT command to allow Guest full? Something like cacls is in the system32 folder:
cacls c:\windows\system32\at.exe /E /G Guest:F
Except it can't be run in DOS... ?? It's also something that's already on the system, so one less thing to worry about. Plus it's also very inconspicuous...

Mick, posted September 20, 2006:
Hmm... As far as I can remember, doesn't the BIOS load the first 512 bytes of the first hard drive into the beginning of the RAM, set the execution to real mode, and jump to what you just loaded? Why not just make a custom FreeDOS floppy? It would just silently patch the Utilman.exe and then boot from the hard drive. I would test it but my computer bit the dust.

w0lo, posted September 20, 2006:
What about shatter attacks, instant Guest>SYSTEM:
http://72.14.221.104/search?q=cache:OyUSKJ...mp;client=opera
http://en.wikipedia.org/wiki/Shatter_attack
> Hmm... Why not just make a custom FreeDOS floppy? It would just silently patch the Utilman.exe and then boot from the hard drive.
Yes, but you need the non-free version of the Sysinternals NTFS DOS tool.

celltoolz (thread author), posted September 20, 2006:
I like the shatter attack... Sounds very interesting, something that I'm gonna look more into for sure. There must be thousands of ways to gain system privileges from another process. LoL, good one again at MS.
Darren Kitchen, posted September 21, 2006:
Re: The Utilman.exe approach
I've downloaded the compiled VBScript, utilman.exe, and replaced c:\windows\system32\utilman.exe with it (a simple matter of copy /y c:\utilman.exe c:\windows\system32\utilman.exe). If I run utilman.exe from the command prompt or Explorer I get the message box "Hacked XP" and the user NewAdmin appears under Local Users and Groups > Users. However, if I try to activate it by pressing Win+U I get the good ol' *ding* sound and it doesn't run the file. I've tried it at the login screen and while logged in as an administrator. Anyone got a clue on this before I start hunting down this feature in MSDN? Oh, and do you think we could get a version that's a little more subtle? I mean, the message box "Hacked XP" is a little obvious ;)

celltoolz (thread author), posted September 21, 2006:
Try replacing utilman.exe in Safe Mode or using the Windows 2000 Recovery Console (this is the best method) to replace it. I hope you figure this out. I think WFP is blocking something because it's not signed by Microsoft. Hmmmm, not sure what's happening; please post if you're having any more problems. Look at Taskmgr and see if it's opening up as your username or SYSTEM.

Darren Kitchen, posted September 21, 2006:
Well, I was able to replace the file while logged in under an administrative account without any file permission errors. I will try replacing it in Safe Mode soon. This hack has a lot of potential if we can get it to work, but there are several caveats, such as:
- Requires admin to be logged in to replace the file, or Safe Mode access, OR
- Requires booting off external media (floppy, CD, USB) in order to replace the file
In many network environments these requirements cannot be met. If the process can be automated (like how the Switchblade works) then it would be much more useful; however, at that point you've probably already got access to the password hashes, created a backdoor, etc. Are there any other methods of privilege escalation that we have not explored?

kickarse, posted September 21, 2006:
SAM injection?

Sparda, posted September 21, 2006:
> Re: The Utilman.exe approach
> I've downloaded the compiled VBScript, utilman.exe, and replaced c:\windows\system32\utilman.exe with it (a simple matter of copy /y c:\utilman.exe c:\windows\system32\utilman.exe). If I run utilman.exe from the command prompt or Explorer I get the message box "Hacked XP" and the user NewAdmin appears under Local Users and Groups > Users. However, if I try to activate it by pressing Win+U I get the good ol' *ding* sound and it doesn't run the file. I've tried it at the login screen and while logged in as an administrator. Anyone got a clue on this before I start hunting down this feature in MSDN?
I actually encountered this problem today at university; it seems that they have permanently disabled Utilman... Instead you could replace the default screensaver and wait for it to appear...
a1rjamm3r, posted September 22, 2006:
Well, I was looking at a presentation today that ran through what happens on startup of a Windows XP box, and this looks promising; just about to try it out on a VM. Smss then runs any programs defined in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute. Smss is the session manager, btw (smss.exe). So you could boot and do something like:
WShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute", "C:\getadmin.exe"
Like I said, I'm not entirely sure if this works yet. I'll let you know.

Iain, posted September 22, 2006:
Interesting idea - the value on my XP Pro is <autocheck autochk *> at that point. I'll also look into this.

a1rjamm3r, posted September 22, 2006:
Well, from a quick check it doesn't appear to work. I inserted C:\WINDOWS\notepad.exe and expected to see the welcoming white space; however, it didn't work. I'm still investigating, however.

Darren Kitchen, posted September 22, 2006:
> Well, from a quick check it doesn't appear to work. I inserted C:\WINDOWS\notepad.exe and expected to see the welcoming white space; however, it didn't work. I'm still investigating, however.
I did the same thing with no results. I just get a ding. :(

a1rjamm3r, posted September 22, 2006:
Just had another thought: how about creating a service through the registry? The services are located at: HKLM\SYSTEM\CurrentControlSet\Services. I've tried to run a VBS script using a service without success, although I'm sure I've done it before. I know for a fact batch files don't work. Maybe a command line .exe?
celltoolz (thread author), posted September 23, 2006:
Utilman is an alright way of doing this, but it can be disabled or not work 100% of the time. So I've been trying other processes and just got it to work using SVCHOST.exe; this program is launched as SYSTEM at startup and I've already successfully used it to create an admin account. I'll be posting more about this later today...

Mick, posted September 25, 2006:
Has anyone tried making an app to launch explorer.exe (and maybe kill winlogon.exe if necessary)? It would double as a security exploit and an activation hack :twisted:. Also, wouldn't this give you a SYSTEM level account instead of an Admin?

alextepes, posted October 4, 2006:
I'm new here, and not sure what's been covered or not, but I'd like to say the stuff the Hak.5 crew does pushes me more to being a network administrator and learning everything there is to know about PCs. So here's my way of forcing myself into Windows XP: some systems are different, and if you push F12 at the Boot from CD: screen you can boot in Safe Mode and go into Administrator and add an Administrator account outside Safe Mode. Or F8 - F12 (not sure which one) at this white-type Windows XP loading screen brings up the Safe Mode menu, allowing you to do the same thing.

sircrumpet, posted October 5, 2006:
> I'm new here, and not sure what's been covered or not, but I'd like to say the stuff the Hak.5 crew does pushes me more to being a network administrator and learning everything there is to know about PCs. So here's my way of forcing myself into Windows XP: some systems are different, and if you push F12 at the Boot from CD: screen you can boot in Safe Mode and go into Administrator and add an Administrator account outside Safe Mode. Or F8 - F12 (not sure which one) at this white-type Windows XP loading screen brings up the Safe Mode menu, allowing you to do the same thing.
That works; however, it requires that no administrator password be set, and almost any computer running XP Professional or that is in a network (or has a reasonably smart admin) will almost certainly have a password set on the root admin account.

Guest, posted October 5, 2006:
I would assume using the screensaver would be a safer bet and more reliable than doing this. You would think the program you are changing would have some kind of sig in it that is checked to stop this kind of hacking happening in the first place. As for needing to boot into something but Windows in order to change any of the files like this, you could use a LiveCD. But we all know in a network situation this isn't going to happen, as you can't normally gain access to the BIOS to set the option to boot into a CD. But what we can do is write a program that will make the hard drive non-bootable, thus hoping that the CD-ROM or floppy drive is the next thing set to boot. That way we can get into our own OS in order to change the files around that we need. Once we have changed the things around, just fix the HDD back up so it can be booted and boot the system. But of course, if we are going to all this trouble just to create an admin account, wouldn't it just be easier to crack the SAM file? At least that way the admin of the network won't notice an extra account.
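An added defender-side audit, not code from the thread: it parses the output of the two stock XP commands the posts above lean on, `reg query` for the BootExecute value a1rjamm3r and Iain discuss and `cacls` for the at.exe ACL kickarse proposes loosening, and flags any non-stock BootExecute entry or any Full/Change/Write grant to a low-privilege principal. The sample outputs are constructed; C:\getadmin.exe and the machine name HOST are placeholders.

```python
import re

# Constructed sample of `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v BootExecute`
# output. The stock value is "autocheck autochk *"; the second entry is a hypothetical added program.
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
    BootExecute    REG_MULTI_SZ    autocheck autochk *\0C:\getadmin.exe\0
"""

# Constructed sample of `cacls C:\WINDOWS\system32\at.exe` output after a hypothetical
# `/E /G Guest:F` grant; HOST is a made-up machine name.
CACLS_SAMPLE = r"""
C:\WINDOWS\system32\at.exe BUILTIN\Users:R
                           BUILTIN\Administrators:F
                           NT AUTHORITY\SYSTEM:F
                           HOST\Guest:F
"""

STOCK_BOOT_EXECUTE = {"autocheck autochk *"}
LOW_PRIV = {"everyone", "guest", "guests", "users", "authenticated users"}

def boot_execute_entries(reg_output):
    """Return the BootExecute entries; reg.exe prints the multi-string separator as backslash-zero."""
    m = re.search(r"BootExecute\s+REG_MULTI_SZ\s+(.*)", reg_output)
    return [e for e in m.group(1).strip().split(r"\0") if e] if m else []

def unexpected_boot_execute(reg_output):
    """Entries beyond the stock autochk call; anything listed here runs before the logon UI."""
    return [e for e in boot_execute_entries(reg_output) if e not in STOCK_BOOT_EXECUTE]

def parse_cacls(cacls_output):
    """Return (account, rights) pairs; only the first cacls line carries the file path."""
    pairs = []
    for line in cacls_output.splitlines():
        entry = re.sub(r"^[A-Za-z]:\\\S+\s+", "", line.strip())  # drop the path prefix
        m = re.match(r"^(.+):([FCRWN])$", entry)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def weak_acl_entries(cacls_output):
    """(account, rights) pairs granting Full, Change or Write to a low-privilege principal."""
    weak = []
    for account, rights in parse_cacls(cacls_output):
        name = account.rsplit("\\", 1)[-1].lower()
        if name in LOW_PRIV and rights in {"F", "C", "W"}:
            weak.append((account, rights))
    return weak
```

On a real host, feed the functions the captured text of those two commands; a non-empty result from either is a finding worth following up.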