Jump to content

Gain SYSTEM/Administrative Access to Windows XP/2000

celltoolz

By celltoolz
in Security

 Share

Recommended Posts

temperseed Newbie

temperseed

Posted
Posted
Heres a quick way to get

True, but realy, who doesn't run windows as a non-admin account. Yes, yes, yes, public terminals are an exception. But for individual users, everyone is admin.

mmm, pardon my old ways... im just too used to compromising fast unsecured public used computers for my better use.

PS: Its just alot more fun, when its hard to hack. 8) gets annoying tho... :oops:

Link to comment
Share on other sites
  • Replies 196
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

celltoolz
celltoolz

OK Here it is, Please post some input on what you think. Also im trying to figure out a better way to gain Access to the NTFS partition. Any input welcomed! Gain SYSTEM/Administrative Access to Wi

a5an0 Newbie

a5an0

Posted
Posted
Heres a quick way to get

True, but realy, who doesn't run windows as a non-admin account. Yes, yes, yes, public terminals are an exception. But for individual users, everyone is admin.

mmm, pardon my old ways... im just too used to compromising fast unsecured public used computers for my better use.

PS: Its just alot more fun, when its hard to hack. 8) gets annoying tho... :oops:

fair enough

Link to comment
Share on other sites
Iain Newbie

Iain

Posted
Posted
WTF! I've just been on my new college computers and am able to do so much we couldn't before.........

I'm amazed that this has happened. Presumably the admins are the same people? I may be cynical, but do you think that they have "lowered the guard" to entice folks into probing their system, perhaps to get themselves into trouble? I suppose a kind of honeypot?

Link to comment
Share on other sites
Iain Newbie

Iain

Posted
Posted
I would tell them about it but knowing them they'd persume I've been 'hacking' so may get into trouble.

Good move - I know that it happens. I heard of someone who, with good intention, told a tutor that he'd found some holes in the security and it was, rightly, reported to the IT department. As well as fixing the holes, the guy was punished for probing where he shouldn't.

Link to comment
Share on other sites
kickarse Newbie

kickarse

Posted
Posted

Yeah what I mean is that AT is only available to schedule via an Admin account of if you've set special priv's...

What about in DOS changing priv's on the AT command to allow guest full?

something like

cacls is in the system32 folder...

cacls c:windowssystem32at.exe /E /G Guest:F

Except it can't be run in dos...

?? It's also something that's already on the system, so one less thing to worry about. Plus it's also very inconspicuous...

Link to comment
Share on other sites
Mick Newbie

Mick

Posted
Posted

Hmm...

As far as i can remember, doesn't the BIOS load the first 512 bytes of the first hard drive into the beginning of the RAM, set the execution to real mode, and jump to what you just loaded.

Why not just make a custom FreeDOS floppy.

It would just silently patch the Utilman.exe and then boot from the hard drive.

I would test it but my computer bit the dust.

Link to comment
Share on other sites
w0lo Newbie

w0lo

Posted
Posted

What about shatter attacks, instant Guest>SYSTEM

http://72.14.221.104/search?q=cache:OyUSKJ...mp;client=opera

http://en.wikipedia.org/wiki/Shatter_attack

Hmm...

Why not just make a custom FreeDOS floppy.

It would just silently patch the Utilman.exe and then boot from the hard drive.

Yes, but you need the non free version of the sysinternals ntfs dos tool

Link to comment
Share on other sites
Darren Kitchen Grand Master

Darren Kitchen

Posted
Posted

Re: The Utilman.exe approach

I've downloaded the compiled VBscript, utilman.exe, and replaced c:windowssystem32utilman.exe with it. (A simple matter of copy /y c:utilman.exe c:windowssystem32utilman.exe)

If I run utilman.exe from the command prompt or explorer I get the message box "Hacked XP" and the user NewAdmin appears under Local Users and Groups > Users. However if I try to activate it by pressing Win+U I get the good ol *ding* sound and it doesn't run the file. I've tried it at the login screen and while logged in as an administrator.

Anyone got a clue on this before I start hunting down this feature in MSDN?

Oh, and do you think we could get a version that's a little more subtle? I mean, the message box "Hacked XP" is a little obvious ;)

Link to comment
Share on other sites
celltoolz Newbie

celltoolz

Posted
  • Author
Posted

Try replacing utilman.exe in Safe mode or using the Windows2000 Recovery Console (This is the best method) to replace it. I hope you figure this out. I think WFP is blocking something because its not signed by microsoft. Hmmmm Not sure whats happening, please post if your having any more problems.

Look at Taskmgr and see if its opening up as your username or system

Link to comment
Share on other sites
Darren Kitchen Grand Master

Darren Kitchen

Posted
Posted

Well I was able to replace the file while logged in under an administrative account without any file permission errors. I will try replacing it in safemode soon. This hack has a lot of potential if we can get it to work but there are several caveats such as:

Requires admin to be logged in to replace file, or Safe mode access

OR

Requires booting off external media (floppy, cd, usb) in order to replace file

In many network environments these requirements cannot be met. If the process can be automated (like how the switchblade works) then it would be much more useful, however at that point you've probably already got access to the password hashes, created a backdoor, etc.

Are there any other methods of privledge escalation that we have not explored?

Link to comment
Share on other sites
Sparda Newbie

Sparda

Posted
Posted
Re: The Utilman.exe approach

I've downloaded the compiled VBscript, utilman.exe, and replaced c:windowssystem32utilman.exe with it. (A simple matter of copy /y c:utilman.exe c:windowssystem32utilman.exe)

If I run utilman.exe from the command prompt or explorer I get the message box "Hacked XP" and the user NewAdmin appears under Local Users and Groups > Users. However if I try to activate it by pressing Win+U I get the good ol *ding* sound and it doesn't run the file. I've tried it at the login screen and while logged in as an administrator.

Anyone got a clue on this before I start hunting down this feature in MSDN?

I actualy encountered this problem to day at University, it seems that they have perminantly disabled utilman... insted you could replace the default screen saver and wait for it to appear...

Link to comment
Share on other sites
a1rjamm3r Newbie

a1rjamm3r

Posted
Posted

Well I was looking at a presentation today that ran thru what happens on startup of a Windows XP box and this looks promising, just about to try it out on a VM

Smss then runs any programs defined in HKLMSYSTEMCurrentControlSetControlSession ManagerBootExecute

Smss is the session manager btw (smss.exe)

So you could boot and do something like:

WShell.RegWrite "HKLMSYSTEMCurrentControlSetControlSession ManagerBootExecute", "C:getadmin.exe"

Like I said i'm not entirely sure if this works yet I'll let you know

Link to comment
Share on other sites
a1rjamm3r Newbie

a1rjamm3r

Posted
Posted

Just had another thought how about creating a service thru the registry the services are located at:

HKLMSYSTEMCurrentControlSetServices

I've tried to run a vbs script using a service without success, although h'm sure I've done it before. I know for a fact batch files don't work. Maybe a command line .exe?

Link to comment
Share on other sites
celltoolz Newbie

celltoolz

Posted
  • Author
Posted

Utilman is a alright way of doing this but it can be disabled or not work 100% of the time. So ive been trying other processes and just got it to work using SVCHOST.exe this program is launched as system at the startup and ive already successfully used it to create an admin account. Ill be posting more about this later today..

Link to comment
Share on other sites
  • 2 weeks later...
alextepes Newbie

alextepes

Posted
Posted

I'm new here, and not sure whats been covered or not, But I'd like to say the stuff the hak.5 crew does pushes me more to being a network administrator and learn everything there is to know about pc's, So Here's my way of forcing myself into Windows XP

Some systems are different and if you push F12 and the Boot from CD: screen you can boot in safe mode and go into Administrator and add an Administrator account outside safe mode, Or F8 - F12 not sure which one at this White type Windows XP loading screen brings up the safe mode menu allowing you to do the same thing.

Link to comment
Share on other sites
sircrumpet Newbie

sircrumpet

Posted
Posted
I'm new here, and not sure whats been covered or not, But I'd like to say the stuff the hak.5 crew does pushes me more to being a network administrator and learn everything there is to know about pc's, So Here's my way of forcing myself into Windows XP

Some systems are different and if you push F12 and the Boot from CD: screen you can boot in safe mode and go into Administrator and add an Administrator account outside safe mode, Or F8 - F12 not sure which one at this White type Windows XP loading screen brings up the safe mode menu allowing you to do the same thing.

that works, however it requires that no administrator password be set, and almost any computer running XP Professional or that is in a network (or has a reasonably smart admin) will almost certainly have a password set to the root admin account.

Link to comment
Share on other sites
Guest

Guest

Posted
Posted

I would assume using the screensaver would be a safer bet and more reliable then doing this. You would think the program you are changing would have some kind of sig in it that is checked to stop this kind of hacking happening in the first place. As for needing to boot into something but windows in order to change any of the files like this. You could use a liveCD. But we all know in a network setuation this isnt going to happen as you cant normally gain access to the BIOS to set the option to boot into a cd. But what we can do is write a program that will make the hard drive none bootable. Thus hoping that the cdrom or floopy drive is the next thing set to boot. That way we can get into our own OS in order to change the files around that we need. Once we have changed the things around just fix the hdd back up so it can be booted and boot the system. But of course if we are going to all this truoble just to create an admin account wouldnt it just be easyer to crack the SAM file. At least that way the admin of the network wont notice an extra account.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...