Gain SYSTEM/Administrative Access to Windows XP/2000


celltoolz

Heres a quick way to get

True, but really, who doesn't run Windows as a non-admin account. Yes, yes, yes, public terminals are an exception. But for individual users, everyone is admin.

mmm, pardon my old ways... I'm just too used to compromising fast unsecured public used computers for my better use.

PS: It's just a lot more fun, when it's hard to hack. 8) gets annoying tho... :oops:


Heres a quick way to get

True, but really, who doesn't run Windows as a non-admin account. Yes, yes, yes, public terminals are an exception. But for individual users, everyone is admin.

mmm, pardon my old ways... I'm just too used to compromising fast unsecured public used computers for my better use.

PS: It's just a lot more fun, when it's hard to hack. 8) gets annoying tho... :oops:

fair enough


WTF! I've just been on my new college computers and am able to do so much we couldn't before.........

I'm amazed that this has happened. Presumably the admins are the same people? I may be cynical, but do you think that they have "lowered the guard" to entice folks into probing their system, perhaps to get themselves into trouble? I suppose a kind of honeypot?


I would tell them about it but knowing them they'd presume I've been 'hacking' so may get into trouble.

Good move - I know that it happens. I heard of someone who, with good intention, told a tutor that he'd found some holes in the security and it was, rightly, reported to the IT department. As well as fixing the holes, the guy was punished for probing where he shouldn't.


Yeah what I mean is that AT is only available to schedule via an Admin account or if you've set special priv's...

What about in DOS changing priv's on the AT command to allow guest full?

something like

cacls is in the system32 folder...

cacls c:\windows\system32\at.exe /E /G Guest:F

Except it can't be run in dos...

?? It's also something that's already on the system, so one less thing to worry about. Plus it's also very inconspicuous...


Hmm...

As far as I can remember, doesn't the BIOS load the first 512 bytes of the first hard drive into the beginning of the RAM, set the execution to real mode, and jump to what you just loaded?

Why not just make a custom FreeDOS floppy?

It would just silently patch the Utilman.exe and then boot from the hard drive.

I would test it but my computer bit the dust.


What about shatter attacks, instant Guest>SYSTEM

http://72.14.221.104/search?q=cache:OyUSKJ...mp;client=opera

http://en.wikipedia.org/wiki/Shatter_attack

Hmm...

Why not just make a custom FreeDOS floppy?

It would just silently patch the Utilman.exe and then boot from the hard drive.

Yes, but you need the non-free version of the sysinternals ntfs dos tool


Re: The Utilman.exe approach

I've downloaded the compiled VBscript, utilman.exe, and replaced c:\windows\system32\utilman.exe with it. (A simple matter of copy /y c:\utilman.exe c:\windows\system32\utilman.exe)

If I run utilman.exe from the command prompt or explorer I get the message box "Hacked XP" and the user NewAdmin appears under Local Users and Groups > Users. However if I try to activate it by pressing Win+U I get the good ol *ding* sound and it doesn't run the file. I've tried it at the login screen and while logged in as an administrator.

Anyone got a clue on this before I start hunting down this feature in MSDN?

Oh, and do you think we could get a version that's a little more subtle? I mean, the message box "Hacked XP" is a little obvious ;)


Try replacing utilman.exe in Safe mode or using the Windows 2000 Recovery Console (This is the best method) to replace it. I hope you figure this out. I think WFP is blocking something because it's not signed by Microsoft. Hmmmm, not sure what's happening, please post if you're having any more problems.

Look at Taskmgr and see if it's opening up as your username or system


Well I was able to replace the file while logged in under an administrative account without any file permission errors. I will try replacing it in safe mode soon. This hack has a lot of potential if we can get it to work but there are several caveats such as:

Requires admin to be logged in to replace file, or Safe mode access

OR

Requires booting off external media (floppy, cd, usb) in order to replace file

In many network environments these requirements cannot be met. If the process can be automated (like how the switchblade works) then it would be much more useful, however at that point you've probably already got access to the password hashes, created a backdoor, etc.

Are there any other methods of privilege escalation that we have not explored?


Re: The Utilman.exe approach

I've downloaded the compiled VBscript, utilman.exe, and replaced c:\windows\system32\utilman.exe with it. (A simple matter of copy /y c:\utilman.exe c:\windows\system32\utilman.exe)

If I run utilman.exe from the command prompt or explorer I get the message box "Hacked XP" and the user NewAdmin appears under Local Users and Groups > Users. However if I try to activate it by pressing Win+U I get the good ol *ding* sound and it doesn't run the file. I've tried it at the login screen and while logged in as an administrator.

Anyone got a clue on this before I start hunting down this feature in MSDN?

I actually encountered this problem today at University, it seems that they have permanently disabled utilman... instead you could replace the default screen saver and wait for it to appear...


Well I was looking at a presentation today that ran thru what happens on startup of a Windows XP box and this looks promising, just about to try it out on a VM

Smss then runs any programs defined in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute

Smss is the session manager btw (smss.exe)

So you could boot and do something like:

WShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute", "C:\getadmin.exe"

Like I said, I'm not entirely sure if this works yet. I'll let you know

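A defender-side check for the BootExecute value discussed above, as an added example that is not part of the original post: it decodes the REG_MULTI_SZ `hex(7)` data from a registry export and reports any entry other than the stock `autocheck autochk *`. The function names and both sample exports are constructed for illustration; `C:\getadmin.exe` is the path used in the post.

```python
import re

# Stock value on a clean install: only the native disk checker.
DEFAULT_ENTRIES = {"autocheck autochk *"}

def encode_multi_sz(entries):
    """Render entries the way regedit exports REG_MULTI_SZ (used for the samples)."""
    raw = b"".join(e.encode("utf-16-le") + b"\x00\x00" for e in entries) + b"\x00\x00"
    return '"BootExecute"=hex(7):' + ",".join(f"{b:02x}" for b in raw)

def parse_multi_sz(reg_text, name="BootExecute"):
    """Decode a hex(7) value from already-decoded .reg text.

    Handles regedit's trailing-backslash line continuations.
    """
    pattern = r'"%s"=hex\(7\):((?:[0-9a-fA-F]{2}|[,\\\s])*)' % re.escape(name)
    m = re.search(pattern, reg_text)
    if not m:
        raise ValueError(name + " not found as REG_MULTI_SZ")
    raw = bytes(int(h, 16) for h in re.findall(r"[0-9a-fA-F]{2}", m.group(1)))
    # UTF-16LE strings separated by NUL, list ended by an extra NUL.
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def audit_boot_execute(reg_text):
    """Return BootExecute entries that are not in the stock default."""
    return [e for e in parse_multi_sz(reg_text) if e.lower() not in DEFAULT_ENTRIES]

# Constructed samples, not captured from a real host.
KEY = "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager]\n"
CLEAN = KEY + encode_multi_sz(["autocheck autochk *"])
TAMPERED = KEY + encode_multi_sz(["autocheck autochk *", "C:\\getadmin.exe"])

if __name__ == "__main__":
    for label, text in (("clean", CLEAN), ("tampered", TAMPERED)):
        extra = audit_boot_execute(text)
        print(label, "->", extra if extra else "default only")
```

Real regedit exports are UTF-16 files, so decode the file before passing its text to `parse_multi_sz`.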

Just had another thought: how about creating a service thru the registry? The services are located at:

HKLM\SYSTEM\CurrentControlSet\Services

I've tried to run a vbs script using a service without success, although I'm sure I've done it before. I know for a fact batch files don't work. Maybe a command line .exe?


Utilman is an alright way of doing this but it can be disabled or not work 100% of the time. So I've been trying other processes and just got it to work using SVCHOST.exe. This program is launched as system at the startup and I've already successfully used it to create an admin account. I'll be posting more about this later today..


  • 2 weeks later...

I'm new here, and not sure what's been covered or not, but I'd like to say the stuff the hak.5 crew does pushes me more to being a network administrator and learn everything there is to know about PCs. So here's my way of forcing myself into Windows XP

Some systems are different and if you push F12 and the Boot from CD: screen you can boot in safe mode and go into Administrator and add an Administrator account outside safe mode, Or F8 - F12 not sure which one at this White type Windows XP loading screen brings up the safe mode menu allowing you to do the same thing.


I'm new here, and not sure what's been covered or not, but I'd like to say the stuff the hak.5 crew does pushes me more to being a network administrator and learn everything there is to know about PCs. So here's my way of forcing myself into Windows XP

Some systems are different and if you push F12 and the Boot from CD: screen you can boot in safe mode and go into Administrator and add an Administrator account outside safe mode, Or F8 - F12 not sure which one at this White type Windows XP loading screen brings up the safe mode menu allowing you to do the same thing.

that works, however it requires that no administrator password be set, and almost any computer running XP Professional or that is in a network (or has a reasonably smart admin) will almost certainly have a password set to the root admin account.


I would assume using the screensaver would be a safer bet and more reliable than doing this. You would think the program you are changing would have some kind of sig in it that is checked to stop this kind of hacking happening in the first place. As for needing to boot into something but Windows in order to change any of the files like this, you could use a liveCD. But we all know in a network situation this isn't going to happen as you can't normally gain access to the BIOS to set the option to boot into a CD. But what we can do is write a program that will make the hard drive non-bootable, thus hoping that the CD-ROM or floppy drive is the next thing set to boot. That way we can get into our own OS in order to change the files around that we need. Once we have changed the things around, just fix the HDD back up so it can be booted and boot the system. But of course if we are going to all this trouble just to create an admin account, wouldn't it just be easier to crack the SAM file? At least that way the admin of the network won't notice an extra account.
