USBHacker Posted July 28, 2008
Hello! I'm interested in escalating permissions on a Windows XP Pro computer. It is an account which is connected to a domain. I have access to the command prompt. I have access to all files (I believe) on my local drive (C:, including C:\WINDOWS). But I don't think I can delete anything. I tried removing restrictive policies using Dial-A-Fix; it didn't work. Tried using Regedit; didn't work. Tried the command line registry editor... also didn't work. I have been able to create an Administrator account on the computer in question. Though when I go to control userpasswords2, my roaming account isn't listed there. Please give me suggestions on how to elevate my permissions. Thanks in advance, Tortilla
MRGRIM Posted July 28, 2008
Ask your domain admin. Domain permissions are controlled by the domain controller; all you would be able to do is give yourself local administrator permissions (which it sounds like you've done already).
USBHacker Posted July 30, 2008
So there aren't any tricks out there that could elevate my permissions? To at least have my Run button and the ability to install drivers/programs? Please reply. Thanks in advance, USBHacker
MRGRIM Posted July 30, 2008
There might be. However, when you log on to the domain, the DC generates a SID; this SID is used to check what permissions you have, mainly to network resources. Then a Group Policy is applied to your system, and the policy will remove the Run command etc. Personally I'd leave the system alone. If you don't have these permissions then you probably don't have them for a reason.
USBHacker Posted July 31, 2008
So I can't add these privileges back each time I log in?
K1u Posted July 31, 2008
Look up a public exploit for priv esc.
USBHacker Posted August 24, 2008
Okay, thanks. BTW: Still waiting for suggestions!
ret Posted August 24, 2008
> So there aren't any tricks out there that could elevate my permissions? To at least have my Run button and the ability to install drivers/programs? Please reply. Thanks in advance, USBHacker

Might want to be careful doing this on your work computer. Your admin(s), if they are worth anything, will know you've been mucking around, which would be grounds for termination and/or criminal charges. I would suggest you either ask to have the programs installed or try to make friends with the admins; they may give you local Power User rights. You might want to ask yourself "is my job worth it". Unfortunately for many people in my company I'm the anal retentive asshole called the "security and compliance officer". I spend my days looking for employees like you, building a case and pursuing criminal charges. I'm not trying to sound like a dick, just trying to give you fair warning. It's far better to get the rights in a legit manner.
USBHacker Posted August 27, 2008
> Might want to be careful doing this on your work computer. Your admin(s), if they are worth anything, will know you've been mucking around, which would be grounds for termination and/or criminal charges. I would suggest you either ask to have the programs installed or try to make friends with the admins; they may give you local Power User rights. You might want to ask yourself "is my job worth it". Unfortunately for many people in my company I'm the anal retentive asshole called the "security and compliance officer". I spend my days looking for employees like you, building a case and pursuing criminal charges. I'm not trying to sound like a dick, just trying to give you fair warning. It's far better to get the rights in a legit manner.

Hmm, you bring up an interesting point. Though I could always use the 'more than guest' account. Everyone knows the username, and everyone knows the password! And at first glance it looks exactly the same as a normal account. I think you can even access the same shares as the average user! So if I was going to be doing any account escalation, I would use the 'more than guest' account. Now, if you please, I am interested in how this could be done (and of course, how to do it!). By learning to do it myself, I'll have more knowledge of what people use on their computers to escalate permissions, and I'll have more of an idea how to stop it happening. Or even if I can't stop it, it will still be very useful knowledge to have. I am training to be a network administrator... but I don't think I will continue in that job... I hope to become a White Hat Hacker with a CCNA. So please help me work out how to escalate my permissions. Thanks in advance, USBHacker
MRGRIM Posted August 27, 2008
As stated, I don't believe it can be done (at least it's out of my league [MSP certified]). Someone has suggested some Google keywords so go from there; otherwise move on. You don't seem to be getting many bites on this one and it's not hard to see why.
ret Posted August 27, 2008
> Hmm, you bring up an interesting point. Though I could always use the 'more than guest' account. Everyone knows the username, and everyone knows the password! And at first glance it looks exactly the same as a normal account. I think you can even access the same shares as the average user! So if I was going to be doing any account escalation, I would use the 'more than guest' account. Now, if you please, I am interested in how this could be done (and of course, how to do it!). By learning to do it myself, I'll have more knowledge of what people use on their computers to escalate permissions, and I'll have more of an idea how to stop it happening. Or even if I can't stop it, it will still be very useful knowledge to have. I am training to be a network administrator... but I don't think I will continue in that job... I hope to become a White Hat Hacker with a CCNA. So please help me work out how to escalate my permissions. Thanks in advance, USBHacker

Look kid, it doesn't matter what you do on the local side, you are in an AD environment. The only way to priv esc is to do so on the DC or use another set of credentials for authentication. Good luck collecting unemployment when you get fired, or even worse put in jail for screwing with your company's infrastructure.
VaKo Posted August 27, 2008
Change the local admin password with something like Hiren's or ERD Commander. While you won't be able to use this account to authenticate on the network, you will be able to run stuff as an admin on that one machine. I've been forced to do this by stupidly restrictive group policies preventing me from doing my job (I worked in a place that banned FTP clients as a security risk even though I was doing technical support for FTP servers as part of my job). When this was discovered I managed to avoid being fired only because the sys-admins actually agreed that IE6 was not an FTP client and that was the only thing I'd actually changed. Now that I am a sysadmin, I have to admit that I have threatened a person with a trip to HR for doing exactly the same thing.
USBHacker Posted August 29, 2008
Hmm, well thanks for the info guys. Very useful!
filthmusic Posted September 8, 2008
If I was to try this I would first take the computer off the network. Then for simplicity use BartPE or similar to change permissions. Install what you have to and change permissions back before putting the computer back on the network. Remember anything you install can be used against you, especially considering the means you'd have to use.
USBHacker Posted October 16, 2008
Hmm, thanks. I suppose you are talking about registry keys, correct? Well then, if I needed to change registry keys, I would need to change them remotely (on the domain controller). If that is possible, please tell me how I can do it! Thanks in advance, USBHacker
vector Posted October 17, 2008
OK, so if you wanna elevate yourself to SYSTEM priv, use the at command from the command line. So open a command prompt. At the command prompt type at, then hit enter. This may or may not work depending on the Windows installation. If you're able to use the at command then go ahead and type at xx:xx /interactive "cmd.exe" (the xx:xx symbolizes the time; you need to pick a time in the future, usually 1-2 min should be fine, in military time). After it reaches the time you set, a new cmd window should automatically open, except this one will have SYSTEM privileges. Now kill explorer.exe from the Task Manager, then you should be able to restart Explorer with the SYSTEM cmd shell by typing explorer.exe, and voila, you are now SYSTEM priv and shouldn't be denied access to any files, folders etc. Hope that makes sense.
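The at trick above, written out as a batch file so the time arithmetic is done for you. This is an added example, not code from the thread or from any of its posters. Two caveats a practitioner should keep in mind: on XP the at command itself requires membership in the local Administrators group, so this is a local-admin-to-SYSTEM step rather than a user-to-admin one (the thread's author already has a local admin account, which is why it applies here); and the SYSTEM token it produces authenticates to the network as the computer account, so it changes nothing about domain group membership or the Group Policy the DC applies. The interactive window relies on the Task Scheduler service running as LocalSystem in the same session as your desktop, which is why it stops working on Vista and later. The script assumes an en-US %TIME% format such as " 9:05:12.34" or "14:07:59.01".

```batch
@echo off
rem Added example (not from the thread): schedule an interactive SYSTEM shell
rem with AT on Windows XP, two minutes from now. Assumes the Task Scheduler
rem service is running and the current user is in the local Administrators
rem group (AT refuses job submission otherwise).
setlocal

rem %TIME% looks like " 9:05:12.34" or "14:07:59.01" on an en-US XP box.
for /f "tokens=1,2 delims=:." %%a in ("%TIME%") do (
    set "H=%%a"
    set "M=%%b"
)
rem Replace the leading space of a single-digit hour with 0, then use the
rem 1xx-100 trick so that values such as 08 and 09 are not parsed as octal.
set "H=%H: =0%"
set /a HH=1%H%-100
set /a MM=1%M%-100

rem Add two minutes, carrying into the hour and wrapping past midnight.
set /a MM+=2
if %MM% geq 60 (
    set /a MM-=60
    set /a HH+=1
)
if %HH% geq 24 set /a HH-=24

rem Zero-pad back to HH:MM, the format AT expects.
set "HH=0%HH%"
set "HH=%HH:~-2%"
set "MM=0%MM%"
set "MM=%MM:~-2%"

echo Scheduling interactive cmd.exe as SYSTEM at %HH%:%MM%
at %HH%:%MM% /interactive cmd.exe
if errorlevel 1 (
    echo AT failed: check that the Task Scheduler service is running
    echo and that you are a local administrator.
    goto :eof
)

rem List the queue so you can see the job id (remove it with: at ^<id^> /delete).
at

echo.
echo When the new window appears, confirm the token it runs under with:
echo     set USERNAME      (shows USERNAME=%COMPUTERNAME%$ under SYSTEM)
echo     whoami            (NT AUTHORITY\SYSTEM, if the Support Tools are installed)
endlocal
```

The check at the end is the part worth keeping even if you never run the rest: a shell that reports its user as the computer name followed by a dollar sign is running as LocalSystem, and anything it touches on the network will show up on the far side as the machine account, not as a domain user, which is exactly why this gets you nowhere on the DC.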
MRGRIM Posted October 17, 2008
This thread makes me angry. Then I giggle and think happy thoughts. Go plug your "claymore" into the DC, see what happens...
El Di Pablo Posted October 17, 2008
> Hmm, thanks. I suppose you are talking about registry keys, correct? Well then, if I needed to change registry keys, I would need to change them remotely (on the domain controller). If that is possible, please tell me how I can do it! Thanks in advance, USBHacker

No, he is talking about using a live CD and altering the local permissions. If I were you USB, I wouldn't pursue this any further, but if you must, make yourself a copy of UBCD4WIN, boot your computer up to it and create an alternative administrator account using Sala Password Renew, which is a part of UBCD4WIN. I would update my resume first before trying anything though...
USBHacker Posted October 24, 2008
> OK, so if you wanna elevate yourself to SYSTEM priv, use the at command from the command line. So open a command prompt. At the command prompt type at, then hit enter. This may or may not work depending on the Windows installation. If you're able to use the at command then go ahead and type at xx:xx /interactive "cmd.exe" (the xx:xx symbolizes the time; you need to pick a time in the future, usually 1-2 min should be fine, in military time). After it reaches the time you set, a new cmd window should automatically open, except this one will have SYSTEM privileges. Now kill explorer.exe from the Task Manager, then you should be able to restart Explorer with the SYSTEM cmd shell by typing explorer.exe, and voila, you are now SYSTEM priv and shouldn't be denied access to any files, folders etc. Hope that makes sense.

Hmm... thanks. I'll give that a go.

> No, he is talking about using a live CD and altering the local permissions. If I were you USB, I wouldn't pursue this any further, but if you must, make yourself a copy of UBCD4WIN, boot your computer up to it and create an alternative administrator account using Sala Password Renew, which is a part of UBCD4WIN. I would update my resume first before trying anything though...

I've already tried a similar program (NT Password Renew). But it only makes a local admin; what I need is a DOMAIN admin. Please tell me how to create one remotely... Thanks in advance, USBHacker
digip Posted October 24, 2008
USBHacker, maybe you should contact one of the admins and ask them if it's possible to change your forum name. Just remove the word Hacker for the time being and stop trying to live up to that name for a while. It doesn't seem to reflect who you are in ANY way, shape or form. I don't mean that to be disrespectful; it's just such an obvious observation from all your posts that you don't seem to know anything and the questions you ask can all be answered by READING some stuff on Google. You have been told a number of times to do some research on these things, but I guess you would rather have everything handed to you on a silver platter. It doesn't work that way. Yes, people here have helped a lot of other people with their questions, but even when given the answer at times, you still fail to be able to get it to work.... Please, for the love of all things geek, start reading up on the things you are trying to learn about. Take some initiative and put in the hours it takes to learn something. Hacking is like 90% self-education and 10% getting help when you are stuck. Not 100% mooching off of everyone else doing the work for you. Please take this as some constructive criticism and use it to motivate yourself to start reading. Almost every question you have ever asked on the forums can be found in literature on the web or in books. Start concentrating on your google-fu and you will find yourself learning in more detail much faster than asking people for the quick fix, which doesn't explain the who, what, when, where, or why it works in such a way.
vector Posted October 24, 2008
I personally don't mind helping anyone. It doesn't bother me to walk someone through something step by step. Maybe sometimes it's easier to understand coming from someone who has been in the same position and knows how to explain it in a way that will make sense. A lot of tutorials you come across on Google don't do that. But yes, I do agree that you should do some info searching on your own, but I don't think it's unreasonable to have 50% handed to you and 50% self taught. I personally wouldn't turn someone away with a question, but if they keep coming back asking the same shit over and over again it gets frustrating. Usually most people just want to see what other people's experiences have been in a similar situation, and I think that's why topics like this get started.
digip Posted October 24, 2008
> I personally wouldn't turn someone away with a question, but if they keep coming back asking the same shit over and over again it gets frustrating.

This is where I agree with you 100%, and it's also why I posted what I said... Almost every post or thread he makes ends in "can you please tell me how" and/or "give me the files?"
gEEEk Posted October 24, 2008
Might already have been brought up; I was quickly reading through the thread. Just flash the admin password, or even easier, just bring a copy of Ophcrack from home or... just bring Cain and Abel on a flash drive :) GLHF.
Crash0veride Posted October 25, 2008
You don't necessarily have to hack a DC, but that can work too. No one asked you what type of services, apps, OS version, open ports, etc. exist on the DC and on your workstation. Also, do you have access to debugging, compilers, etc.? Hell, I have shellcode that fits into 37 bytes. If nothing else you could probably sniff enough info on the wire to get you in eventually. What other platforms, if any, are authenticating on the domain? Details man, details. Not every hack has a script kiddie solution, but everything can be hacked...... eventually. Tell me what you have on the DC and I may be able to give you some options. I do however agree that these guys are right and it's probably not worth risking your job over. Do you just want to install drivers or something simple, or do you need particular access to services and files that require a higher token? Drivers can be installed if you just disconnect from the network and use the local admin account. k3nNyG
Crash0veride Posted October 25, 2008
> Might already have been brought up; I was quickly reading through the thread. Just flash the admin password, or even easier, just bring a copy of Ophcrack from home or... just bring Cain and Abel on a flash drive :) GLHF.

BackTrack would be more useful. He already has local admin.......