Gain SYSTEM/Administrative Access to Windows XP/2000


celltoolz


net user Accountname Accountpassword /add 2>nul
net localgroup Administratoren Accountname /add 2>nul || net localgroup administrators Accountname /add 2>nul
net localgroup Benutzer Accountname /delete 2>nul || net localgroup users Accountname /delete 2>nul
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v Accountname /t REG_DWORD /d 0 2>nul

I have some questions about this:

1. What's the reason for adding the new account to the SpecialAccounts\UserList? I realise that these accounts are built in automatically and aren't ordinary user accounts.

2. Is it possible to add a user whilst offline - for instance using Bart's PE or Windows PE live CD?

3. Is it possible to create a service (again, whilst offline) which runs as System and is running at the time that the logon screen appears?

Since the original post was made a long time ago, does the method still work on XP Professional SP3?

No, the utilman method doesn't work on my fully patched XP Pro SP3 system. It fails whether I put the renamed cmd.exe --> utilman.exe only into c:\windows\system32 or c:\windows\system32\dllcache or into both folders. I don't know how it's bypassed - perhaps the MD5 (or other signature) of the file is assessed so utilman.exe runs ONLY if it's the real thing?

Does anyone have any information about how Microsoft have closed this security hole? What about other ways of adding a new administrator-level account?


Offline you basically have complete control. The methods in this thread are attempts at online permission escalation.

Yes, BartPE + any password tool that can edit an offline SAM database will work...

So, if I run Bart's PE as a live CD, I can add a new account to the local machine and it will show up when rebooted? I've tried the <net user Name /add> trick then added Name to the Administrators localgroup by using a Windows PE live disk and, whilst it says "Task completed successfully" (or similar), the new account isn't there when I booted into Windows.

Can I create a service on the local PC using Bart's PE? Again, I've tried with Windows PE and it failed.


1. What's the reason for adding the new account to the SpecialAccounts\UserList? I realise that these accounts are built in automatically and aren't ordinary user accounts.

2. Is it possible to add a user whilst offline - for instance using Bart's PE or Windows PE live CD?

3. Is it possible to create a service (again, whilst offline) which runs as System and is running at the time that the logon screen appears?

1. This is done to hide the account on the welcome screen on an ordinary Windows XP/Vista installation.

2. I guess so, but I never did that.

3. see 2.


1. This is done to hide the account on the welcome screen on an ordinary Windows XP/Vista installation.

You can also get it not to display on the welcome screen by simply making sure the account's not in the Users group. It won't show even though it belongs to the Administrators group, as long as this is so.

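The two hiding techniques discussed so far (a zero DWORD under SpecialAccounts\UserList, and Administrators membership without Users membership) are both easy to audit from the defender's side. The following is an added example, not code from any poster in this thread: it parses constructed sample output in the format of `reg query` against the UserList key and of `net localgroup administrators` / `net localgroup users`, and reports every local account that is hidden from the welcome screen by either technique. The account names, the sample output and the `BASELINE_ADMIN_ONLY` set (the built-in Administrator is in Administrators only by default) are assumptions of this example.

```python
import re

# Constructed sample output, modelled on `reg query "HKLM\SOFTWARE\Microsoft\
# Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"`. Names invented.
SAMPLE_USERLIST_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
    svcacct    REG_DWORD    0x0
    shown1     REG_DWORD    0x1
"""

# Constructed sample output, modelled on `net localgroup administrators`.
SAMPLE_ADMINS = r"""
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
alice
svcacct
backdoor
The command completed successfully.
"""

# Constructed sample output, modelled on `net localgroup users`.
SAMPLE_USERS = r"""
Alias name     users
Comment        Users are prevented from making accidental or intentional system-wide changes

Members

-------------------------------------------------------------------------------
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE
alice
The command completed successfully.
"""

# Assumed baseline: the built-in Administrator is in Administrators only by default,
# so it is not reported as "hidden" by the group-membership rule.
BASELINE_ADMIN_ONLY = {"Administrator"}

_VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")


def parse_userlist(text: str) -> dict:
    """Map each value name under UserList to its DWORD (0 hides that account)."""
    out = {}
    for line in text.splitlines():
        m = _VALUE_RE.match(line)
        if m:
            out[m.group(1)] = int(m.group(2), 16)
    return out


def parse_localgroup(text: str) -> set:
    """Extract member names from `net localgroup <group>` output: everything
    between the dashed separator and the 'The command completed' trailer."""
    members, in_members = set(), False
    for line in text.splitlines():
        if line.startswith("----"):
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line.strip():
            members.add(line.strip())
    return members


def hidden_accounts(userlist: dict, admins: set, users: set) -> dict:
    """Return {account: [reasons]} for accounts hidden from the welcome screen
    by either technique: UserList DWORD 0, or Administrators-but-not-Users."""
    findings = {}
    for name, value in userlist.items():
        if value == 0:
            findings.setdefault(name, []).append("UserList DWORD 0")
    for name in sorted(admins - users - BASELINE_ADMIN_ONLY):
        findings.setdefault(name, []).append("Administrators member not in Users")
    return findings


def report() -> dict:
    """Run the check over the constructed samples."""
    return hidden_accounts(parse_userlist(SAMPLE_USERLIST_QUERY),
                           parse_localgroup(SAMPLE_ADMINS),
                           parse_localgroup(SAMPLE_USERS))


if __name__ == "__main__":
    for account, reasons in report().items():
        print(f"{account}: {'; '.join(reasons)}")
```

On a live machine the three strings would come from the actual `reg query` and `net localgroup` commands; on a German install the group names are Administratoren and Benutzer, as the first post's commands show, so the `net localgroup` arguments change but the output format does not.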

You have to use a special program that can perform operations on an offline SAM file. Using net from the command line won't work because you're operating on the temp. SAM file for that instance of PE.

But I didn't use net.exe from the CD (the "installation" in RAM is designated automatically to x:, i.e. x:\windows\system32\net.exe). I navigated to net.exe on my XPP installation, i.e. c:\windows\system32\net.exe. I thought that, if I navigated to the installed net.exe, it would add the user as I had wanted. I'm interested to know WHY it didn't. Can anyone shed any light on this please?

Do you have any recommendations about an offline SAM manipulation utility? I'll look into it myself but am interested to have any recommendations.

1. This is done to hide the account on the welcome screen on an ordinary windows xp/vista installation

2. I guess so, but I never did that.

3. see 2.

OK - thank you.


  • 2 weeks later...

I have a workaround for admin rights.

<not mine src="can't remember">

1) find a service that doesn't use quotes in the executable reference and has user writeable directories with a space in the name.

eg C:\Program Files\Dumb Admin Installed Stuff\srvc.exe (program files dir not writable usually but i'm lazy)

2) insert an exe that creates an admin account into C:\Program Files\Dumb.exe

3) reboot

windows handles unquoted spaces by checking for C:\Program > C:\Program Files\Dumb > C:\Program Files\Dumb Admin > C:\Program Files\Dumb Admin Installed > C:\Program Files\Dumb Admin Installed Stuff\srvc.exe

after the file is inserted it will be executed in place of the service when windows looks for C:\Program Files\Dumb

</not mine>

Also, does anyone know of a way to make the user created by "net user" not have a profile path.

My current workaround for this is to make the profile path a hidden & system file, but clean up when i'm done via a autoit script (eventually an exe) that removes all obvious traces of the user and the script/exe fails 'cause the user is still using it and it would be best anyways to not have it there at all in the first place 'cause that's just more footprints for people to find.

Thanks.

hax

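The unquoted-service-path behaviour described in the post above is a standard item on a hardening checklist, and the search order it spells out can be enumerated mechanically. The following is an added example, not code from the poster: given a dictionary of service ImagePath values (a constructed sample here; on a real host the values are read from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath), it lists, for each unquoted path containing spaces, the file names that would be tried before the real executable, and produces the corrected, quoted ImagePath. The service names and paths in `SAMPLE_IMAGE_PATHS` are invented for this example.

```python
import re

# Constructed sample ImagePath values, modelled on what a defender reads from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath. Names are invented.
SAMPLE_IMAGE_PATHS = {
    "DumbSvc":    r"C:\Program Files\Dumb Admin Installed Stuff\srvc.exe",
    "QuotedSvc":  r'"C:\Program Files\Vendor App\svc.exe" -k netsvcs',
    "NoSpaceSvc": r"C:\Windows\system32\svchost.exe -k LocalService",
    "ArgsSvc":    r"C:\Program Files\Other Vendor\agent.exe --listen 127.0.0.1",
}

_EXE_RE = re.compile(r"\.exe", re.IGNORECASE)


def executable_part(image_path: str) -> str:
    """Executable portion of an ImagePath: up to and including the first '.exe'
    (the whole string if there is none); whatever follows is arguments."""
    m = _EXE_RE.search(image_path)
    return image_path[: m.end()] if m else image_path


def hijack_candidates(image_path: str) -> list:
    """Paths tried before the real executable when the path is unquoted and
    contains spaces: each prefix ending at a space, with '.exe' appended
    (the search order the post describes). Empty list means not susceptible.
    Whether any of them matters also depends on the directory being writable,
    which must be checked separately against the ACLs on the host."""
    path = image_path.strip()
    if path.startswith('"'):
        return []                      # quoted: parsed as a single token
    tokens = executable_part(path).split(" ")
    if len(tokens) == 1:
        return []                      # no spaces: nothing to misparse
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def quote_image_path(image_path: str) -> str:
    """Remediation: wrap the executable part in double quotes, keep arguments."""
    path = image_path.strip()
    if path.startswith('"'):
        return path
    exe = executable_part(path)
    return f'"{exe}"{path[len(exe):]}'


def audit_services(image_paths: dict) -> dict:
    """Return {service: candidate paths} for every susceptible service."""
    findings = {}
    for name, path in image_paths.items():
        candidates = hijack_candidates(path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for name, candidates in audit_services(SAMPLE_IMAGE_PATHS).items():
        print(f"{name}: unquoted ImagePath with spaces")
        for c in candidates:
            print("   tried before the real binary:", c)
        print("   fixed ImagePath:", quote_image_path(SAMPLE_IMAGE_PATHS[name]))
```

The fix is the quoted value written back to the service's ImagePath; the audit only flags structure, so each candidate's parent directory still needs its ACL checked (for example with `icacls`) to know whether a non-admin user could actually drop a file there.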

  • 2 months later...

I won't give away the full details lol, but you could very easily make an auto deploying boot disk so that on next reboot you have 100% control of the system.

Assuming you have even a little coding experience at least

Mine takes about 30 seconds to boot + deploy. With no user input

I'll give you a rundown in English and tell you that I based my boot disk off of a Linux live CD.

1) you put in disk and boot up.

2) boot p script loads the very core of a Linux distribution and deploys an executable into the windows folder. It also edits a reg key to make it boot up before user permissions are established. (bash and c++ )

3) On next boot a series of things happen, the program deletes the reg key and makes a different one with the same exploit Conficker uses to make a SYSTEM only reg key. It then gains SYSTEM level access via an exploit in all windows platforms, that is as of yet unpatched. (c++)

4) So right now we have two things, a reg key and a file, both undeletable by normal means. The file copies itself deeper into the Windows tree. Then starts its main code which can be customized completely. ( c++ )

This entire time it's acted normally and because it is a legitimately named program ( I named it like 1 letter off a real MS program lol.) no one will delete it.


  • 3 months later...

I just had a thought. Could one put an app vulnerable to a stack overflow on a USB and exploit it on the system one wants to get admin/system on?

EDIT: Never mind. I just learned a little more about buffer overflows and it looks like that won't work. It would be nice to be able to debug the whole os, or at least the parts that would be hard for MS to patch, and find every segfault to check for buffer overflow exploitability.


  • 3 weeks later...
  • 1 month later...
  • 2 years later...

Stupid ... why is this pinned .. requires reboot .. so who cares ..

It's a thread from 2006, when Windows 2000 was prevalent. You can still find Windows 2000 machines both on the internet, and in the corporate LAN with vulnerable service packs or no service packs. All one has to do is look for them on Shodan. Although, I do agree, it is a tad outdated and mostly a historical thread.


i think the idea was that you wouldn't look like you're doing something you shouldn't in some place like a university computer lab <_<

it's not terribly practical for anything else but it's an interesting challenge. also by coincidence, today a friend* of mine was poking around his university's network and happened upon a public kiosk that allowed him as a non-admin user to use the at command trick. not to say it's supposed to work that way but there's not likely to be any harm in trying.

* as i am no longer in school this really isn't me :P

edit: damn non-ASCII emoticons :/

Edited by haxwithaxe

  • 1 year later...
  • 2 months later...

Sticky Keys Trick



Booting off a repair disk, opening a command prompt, and copying cmd.exe over top of sethc.exe. Once you've done that, you can boot back up into Windows until you get to the login prompt, press the Shift key 5 times, and you'll see a command prompt where you can use the net user command to reset the password or add your own admin account.


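Both the sethc.exe swap above and the utilman.exe swap discussed earlier in the thread leave the same artefact: an accessibility executable in system32 whose contents are byte-identical to cmd.exe. The following added example (not code from any poster) is a defender's integrity check for that artefact: it hashes cmd.exe and compares it against the accessibility binaries that winlogon can launch from the logon screen. Because it has to run offline here, `build_sample_system32()` creates a constructed stand-in directory in which sethc.exe has been swapped and utilman.exe has not; on a real machine you would point `find_replaced_binaries()` at `C:\Windows\system32` (and, as the earlier post notes, at `system32\dllcache` as well). The list of binary names and the fake file contents are assumptions of this example.

```python
import hashlib
import os
import tempfile

# Accessibility executables that can be launched from the logon screen; the
# thread describes replacing sethc.exe (Sticky Keys) and utilman.exe.
# Assumed list for this example.
ACCESSIBILITY_BINARIES = ["sethc.exe", "utilman.exe", "osk.exe",
                          "magnify.exe", "narrator.exe"]


def sha256_of(path: str) -> str:
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_replaced_binaries(system32: str) -> list:
    """Names of accessibility binaries in `system32` whose contents hash the
    same as cmd.exe in that directory. A genuine sethc.exe or utilman.exe
    never matches cmd.exe, so any hit is a swapped file."""
    cmd = os.path.join(system32, "cmd.exe")
    if not os.path.isfile(cmd):
        return []
    cmd_hash = sha256_of(cmd)
    hits = []
    for name in ACCESSIBILITY_BINARIES:
        p = os.path.join(system32, name)
        if os.path.isfile(p) and sha256_of(p) == cmd_hash:
            hits.append(name)
    return hits


def build_sample_system32() -> str:
    """Constructed stand-in for %SystemRoot%\\system32 so the check runs
    offline: cmd.exe and sethc.exe share contents (the swap from the thread),
    utilman.exe does not. The bytes are invented and are not real PE files."""
    d = tempfile.mkdtemp(prefix="sample_system32_")
    fake_cmd = b"MZ constructed stand-in for cmd.exe"
    files = [
        ("cmd.exe", fake_cmd),
        ("sethc.exe", fake_cmd),                                   # swapped
        ("utilman.exe", b"MZ constructed stand-in for utilman.exe"),  # intact
    ]
    for name, data in files:
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    sample = build_sample_system32()
    print("swapped accessibility binaries:", find_replaced_binaries(sample))
```

Comparing against cmd.exe only catches the exact technique in the thread; comparing each binary against a known-good hash taken from the install media (or against its dllcache copy) also catches a swap that used some other shell.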
