kapios Posted February 4, 2012

My job upgraded to Win7 and now all admin rights have been revoked, meaning that I cannot install a thing. Tried ophcrack and other software to get or reset the admin password, but they also imposed a new group policy and no LM hashes are stored. Is there any way to either get the admin password, or add a new admin user that I could then use to install progs? I'm not really concerned about them finding out; I just want to be able to add some basic programs. Thanks!
digip Posted February 4, 2012

Depends on the policy, and if your login is Domain only, and if they even have local admin accounts for non-domain logins. You would have to boot locally to add a local user. What you can try though is:

1. Right click anything like a cmd window shortcut, and click "Run as Administrator". If they enabled admin accounts with no password prompt, it will launch it as admin, then you can start any process as admin from a console.

If that works, then try the next one:

2. Elevate your privileges to SYSTEM. Try the following, in a BAT script. This will make you SYSTEM, and while so, some things will work, some will not, but it should allow you to install software if it runs and add local users as admin, so later on, when you need to do something as admin, right click, run as, and pick the new local user you created.

@echo off
@break off
title root
cls
rem Register a service whose "binary" is cmd.exe; the SCM will run it as LocalSystem.
rem type= own type= interact asks for an own-process service allowed to interact with the desktop.
rem sc create needs admin rights, which is why this only works if step 1 worked.
sc create evil binpath= "cmd.exe /K start" type= own type= interact > nul 2>&1
pause
rem Starting the service is what spawns the SYSTEM cmd window.
sc start evil > nul 2>&1
pause
rem This whoami runs in the script's own shell, not in the new window.
whoami
pause
rem ping 127.0.0.1 -n 4 > nul 2>&1
echo Removing service.
echo.
rem Clean up so the service does not stay registered.
sc delete evil > nul 2>&1

Save it as SYSTEM.bat, right click it, and "Run as administrator".

3. Boot off a live Windows disc, like UBCD4WIN, and add a new user to the system with admin capabilities, reboot, log on locally with that account to do your install for ALL users, reboot and log back on to the domain and hope the files show up in the start menu.

Mind you, any of these methods could get you fired. You are messing with your employer's machines, and if they have policies in place that you bypass, you could also be breaking the law if something unexpectedly bad happens on the network as a result (viruses, malware outbreak due to you bypassing restrictions, etc.). You do so at your own risk.
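The reply above hinges on facts about the box that a standard user can read for themselves: whether the machine is domain-joined, whether the current token is already a local admin (sc create will not work without that), how UAC is configured, whether the NoLMHash policy is what defeated ophcrack, whether the built-in Administrator is enabled, and whether interactive services are even permitted (on Vista and 7 a type= interact service runs on the isolated session-0 desktop and is only reachable through the Interactive Services Detection service). The script below is an added example, not code from the thread or from any of its posters: the first function is a read-only posture check over those settings, the second is the System-log query a defender would use to spot the sc create trick after the fact. The registry paths, WMI classes and event ID 7045 are standard Windows locations; the report keys, the interpreter regex and the 30-day window are this example's own choices.

```powershell
# Added example, not part of the original post. Read-only; run as the ordinary domain user.

function Get-ElevationPosture {
    $r = @{}

    # Domain-joined machines take their policy from the DC; local logons may be locked out.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $r['DomainJoined'] = [bool]$cs.PartOfDomain
    $r['Domain']       = $cs.Domain

    # Is the current token already in local Administrators? sc create requires it.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $pr = New-Object System.Security.Principal.WindowsPrincipal($id)
    $r['IsLocalAdmin'] = $pr.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # UAC policy: EnableLUA=0 means UAC is off; ConsentPromptBehaviorAdmin=0 means an admin
    # token elevates without any prompt (the "no password prompt" case in step 1).
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $r['EnableLUA']                  = $pol.EnableLUA
    $r['ConsentPromptBehaviorAdmin'] = $pol.ConsentPromptBehaviorAdmin

    # NoLMHash=1 is the policy that leaves no LM hashes for rainbow tables to crack.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $r['NoLMHash'] = $lsa.NoLMHash

    # Built-in Administrator is always RID 500; WQL LIKE matches the SID suffix.
    $adm = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'"
    $r['BuiltinAdminEnabled'] = 'unknown'
    if ($adm) { $r['BuiltinAdminEnabled'] = -not [bool]$adm.Disabled }

    # Interactive services: NoInteractiveServices=1 blocks type= interact outright; otherwise the
    # SYSTEM cmd window lands on the session-0 desktop and UI0Detect must be running to reach it.
    $win = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'
    $r['NoInteractiveServices'] = $win.NoInteractiveServices
    $ui0 = Get-Service -Name UI0Detect -ErrorAction SilentlyContinue
    $r['UI0DetectStatus'] = 'absent'
    if ($ui0) { $r['UI0DetectStatus'] = [string]$ui0.Status }

    return $r
}

function Find-SuspiciousServiceInstalls {
    param([int]$Days = 30)
    # The Service Control Manager logs event 7045 for every newly installed service. A service
    # whose file name is an interpreter rather than a real service binary is the tell for the
    # sc create trick above. The System log is readable by standard users.
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Service File Name:\s*.*(cmd\.exe|powershell\.exe|cscript\.exe|wscript\.exe)' } |
        Select-Object TimeCreated, @{ n = 'Detail'; e = { (($_.Message -split "`r?`n")[0..5] -join ' | ') } }
}

$posture = Get-ElevationPosture
foreach ($k in 'DomainJoined','Domain','IsLocalAdmin','EnableLUA','ConsentPromptBehaviorAdmin',
               'NoLMHash','BuiltinAdminEnabled','NoInteractiveServices','UI0DetectStatus') {
    '{0,-28} {1}' -f $k, $posture[$k]
}
''
'Services installed from an interpreter in the last 30 days:'
Find-SuspiciousServiceInstalls | Format-Table -AutoSize
```

Everything here works on the Windows PowerShell 2.0 that shipped with Windows 7; nothing is written to the registry or the disk. For a defender, the second function is also the cheapest possible detection for the posted script: a 7045 event with "Service File Name: cmd.exe /K start" is not something legitimate software installs.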
kapios Posted February 4, 2012 (Author)

Thank you very much for the reply. I was not aware that I can add admin users with UBCD4WIN and the like. Sounds like this is my best option.

Yes, my login is Domain only and there are no admin accounts with no password prompt. I will prep a UBCD4WIN and try that method. At worst, if they find out, I would only get a slap on the wrist. I plan to install a virtual environment, so I would not mess up the machine or introduce any virus to the network. Thanks again!
Remotesh Posted February 5, 2012

Just in case UBCD4WIN doesn't work (it didn't work at my school D:), why not use portable apps? Run the programs off of your flash drive. Are there any programs in particular that you have in mind? At my school they have the student accounts locked down pretty solid and I use this to circumvent most of the restrictions. Or you could pop in a flash drive with a Live CD and you can go to town. Just my two cents.

--Remotesh
Infiltrator Posted February 5, 2012 (edited)

"Just in case UBCD4WIN doesn't work. (It didn't work at my school D: )"

Your system admin must have locked down the option of booting from USB or CD in the BIOS.

For the OP, you could use either UBCD4WIN or Hiren's Boot CD, which is what I used before to reset my work computer's admin password. There is a utility in Hiren's Boot CD that will allow you to create a local user account. If that doesn't work, group policy must be disabling local logins or completely wiping off the account.

A word of caution for the OP: just be careful not to get caught.

Edited February 5, 2012 by Infiltrator
kapios Posted February 5, 2012 (Author)

I'll give Hiren's Boot CD a shot. I'm hoping that I can just add a new admin ID and log in locally. If local logins are disabled, am I SOL? Is there no way to alter the group policies in, say, safe mode (assuming that I can get to safe mode)? I know that there exists an "Administrator" and a "Guest" (disabled) ID on the machine. The IT guy used that Admin ID to allow Java to install an upgrade recently on my machine...
kapios Posted February 5, 2012 (Author)

Looking at the utilities on Hiren's and UBCD... which allows one to add a new user to the existing installation?
digip Posted February 5, 2012

If joined to the domain, group policies come from the domain controller and will be overwritten every time you log in, with changes pushed down from Active Directory and the domain controller. Personally, if there were things you needed, I would just ask IT to install something for you, vs. fucking around with work computers.
Infiltrator Posted February 6, 2012

That would be the option, and you won't get in trouble. But if you keep on trying to bypass their computer restrictions they will certainly not be happy with you. Another thing you could try is asking your IT department if you could install a virtual machine on your computer, and just do whatever you want to do with it, but again that could be against your company policy. Your best bet is to talk to them first. Good luck.
bobbyb1980 Posted February 14, 2012

I was just dealing with a similar problem earlier: a Win7 machine, and I needed to get around UAC and I had no admin rights. My solution was to get a meterpreter session via a Java app attack. Once I had the session, there is a module called bypassuac that utilizes the trusted publisher certificate via process injection, so it will upload a new payload which writes to disk (and, extremely surprisingly, it wasn't picked up by antivirus; don't know why, tested on several Win7 machines also) and when it executes the payload it will spawn a new session with no UAC. From here you can do your getsystem and hashdump and all ops that require admin or higher privileges.
digip Posted February 15, 2012

As far as I know, Rel1k's bypass UAC attack writes directly to memory, and never touches the disk, part of why it's not found by most anti-virus apps.
bobbyb1980 Posted February 15, 2012

If I understood everything correctly, it uploads a payload to a temporary directory (or you can specify a directory to use) on the filesystem. When I uploaded this payload manually, independent of the module, it was detected by both ESET and MS Security Essentials; however, when I loaded the bypassuac module and let it work its magic, nothing was detected. Weird.
Infiltrator Posted February 15, 2012

As digip pointed out, when using the bypassuac module it writes to memory instead of the hard drive. That's why the payload never gets detected by the AV. The moment you upload to a working directory on the hard drive, the AV will instantly detect it, as most AV will only do real-time hard drive scanning and NOT memory scanning.
digip Posted February 15, 2012

SET payloads mostly run in memory for that reason, as do a lot of Metasploit payloads these days. He also has tools for elevating privileges, so you could pretty much turn everything off if you are SYSTEM.