How to escalate permission on Windows XP?


USBHacker

Hello!

I'm interested in escalating permissions on a Windows XP Pro computer.

It is an account which is connected to a domain.

I have access to command prompt.

I have access to all files (I believe) on my local drive (C:, including C:\WINDOWS). But I don't think I can delete anything.

I tried removing restrictive policies using Dial-A-Fix, didn't work.

Tried using Regedit, didn't work.

Tried the command line registry editor... also didn't work.

I have been able to create an Administrator account on the computer in question.

Though when I go to control userpasswords2, my roaming account isn't listed there.

Please give me suggestions on how to elevate my permissions.

Thanks in advance,

Tortilla


There might be - however, when you log on to the domain, the DC generates a SID. This SID is used to check what permissions you have - mainly to network resources. Then a Group Policy is applied to your system; the policy will remove the Run command, etc.

Personally I'd leave the system alone - if you don't have these permissions then you probably don't have them for a reason.
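The reply above rests on how Windows decides what a logged-on user may do: every account and group is identified by a SID, and a logon token is just the list of SIDs the user holds. The piece that matters for this thread is that an AD domain and a workstation's local SAM both issue SIDs of the form S-1-5-21-x-y-z-RID, so "Administrator" under the machine's SID (RID 500) and "Domain Admins" under the domain's SID (RID 512) are unrelated identities, and a DC checking network permissions only recognises the latter. The Python below is an added example, not code from any poster; the domain SID, machine SID and token contents are constructed values, and the well-known RID names are the documented Windows ones.

```python
"""Split Windows SIDs into authority, domain identifier and RID, then sort a
logon token's SIDs by which domain (or machine) issued them.
Example added to this thread; not code from any poster."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Documented well-known relative identifiers for S-1-5-21-... accounts/groups.
WELL_KNOWN_DOMAIN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    519: "Enterprise Admins",
}

_SID_RE = re.compile(r"^S-1-(?P<auth>\d+)(?P<subs>(?:-\d+)+)$")


class Sid(NamedTuple):
    authority: int
    subauthorities: Tuple[int, ...]

    @property
    def is_domain_sid(self) -> bool:
        """True for S-1-5-21-<a>-<b>-<c>[-<RID>]: a domain or machine SID.
        A machine's local SAM and an AD domain use the same shape, so only
        the three 32-bit values tell them apart."""
        s = self.subauthorities
        return self.authority == 5 and len(s) in (4, 5) and s[0] == 21

    @property
    def domain_identifier(self) -> Optional[str]:
        if not self.is_domain_sid:
            return None
        return "S-1-5-" + "-".join(str(x) for x in self.subauthorities[:4])

    @property
    def rid(self) -> Optional[int]:
        # Only account/group SIDs (five sub-authorities) carry a RID.
        if self.is_domain_sid and len(self.subauthorities) == 5:
            return self.subauthorities[4]
        return None


def parse_sid(text: str) -> Sid:
    m = _SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    subs = tuple(int(x) for x in m.group("subs").split("-")[1:])
    return Sid(int(m.group("auth")), subs)


def describe_token(token_sids: List[str], domain_sid: str) -> Dict[str, List[str]]:
    """Bucket a logon token's SIDs: memberships issued by the AD domain,
    memberships issued by the local machine SAM, and everything else
    (well-known SIDs such as Everyone or BUILTIN groups)."""
    domain = parse_sid(domain_sid).domain_identifier
    out: Dict[str, List[str]] = {"domain": [], "local": [], "other": []}
    for text in token_sids:
        sid = parse_sid(text)
        if sid.rid is None:
            out["other"].append(text)
            continue
        name = WELL_KNOWN_DOMAIN_RIDS.get(sid.rid, f"RID {sid.rid}")
        bucket = "domain" if sid.domain_identifier == domain else "local"
        out[bucket].append(name)
    return out


def is_domain_admin(token_sids: List[str], domain_sid: str) -> bool:
    return "Domain Admins" in describe_token(token_sids, domain_sid)["domain"]


# Constructed sample: a made-up domain SID, a made-up machine SID, and the
# token of a domain user who is also the machine's local Administrator.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
MACHINE_SID = "S-1-5-21-4444444444-5555555555-6666666666"
SAMPLE_TOKEN = [
    DOMAIN_SID + "-1105",   # the user's own domain account
    DOMAIN_SID + "-513",    # Domain Users
    MACHINE_SID + "-500",   # local built-in Administrator
    "S-1-1-0",              # Everyone
    "S-1-5-32-545",         # BUILTIN\Users
]

if __name__ == "__main__":
    print(describe_token(SAMPLE_TOKEN, DOMAIN_SID))
    print("domain admin:", is_domain_admin(SAMPLE_TOKEN, DOMAIN_SID))
```

Running it on the sample token puts "Administrator" in the local bucket and "Domain Users" in the domain bucket, and is_domain_admin() stays False: holding RID 500 under the machine SID says nothing about the domain, which is exactly why later posts point out that a locally created administrator cannot become a domain admin.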


  • 4 weeks later...
So there aren't any tricks out there that could elevate my permissions?

To at least have my Run button and ability to install Drivers/Programs?

Please reply

Thanks in advance

USBHacker

Might want to be careful doing this on your work computer. Your admin(s), if they are worth anything, will know you've been mucking around, which would be grounds for termination and/or criminal charges. I would suggest you either ask to have the programs installed or try to make friends with the admins; they may give you local Power User rights.

You might want to ask yourself "is my job worth it". Unfortunately for many people in my company, I'm the anal retentive asshole called the "security and compliance officer". I spend my days looking for employees like you, building a case and pursuing criminal charges. I'm not trying to sound like a dick, just trying to give you fair warning. It's far better to get the rights in a legit manner.


Might want to be careful doing this on your work computer. Your admin(s), if they are worth anything, will know you've been mucking around, which would be grounds for termination and/or criminal charges. I would suggest you either ask to have the programs installed or try to make friends with the admins; they may give you local Power User rights.

You might want to ask yourself "is my job worth it". Unfortunately for many people in my company, I'm the anal retentive asshole called the "security and compliance officer". I spend my days looking for employees like you, building a case and pursuing criminal charges. I'm not trying to sound like a dick, just trying to give you fair warning. It's far better to get the rights in a legit manner.

Hmm, you bring up an interesting point.

Though I could always use the 'more than guest' account. Everyone knows the username, and everyone knows the password! And at first glance it looks exactly the same as a normal account. I think you can even access the same shares as the average user! :lol:

So if I was going to be doing any account escalation, I would use the 'more than guest' account.

Now, if you please, I am interested in how this could be done (and of course, how to do it!). By learning to do it myself, I'll have more knowledge of what people use on their computers to escalate permissions, and I'll have more of an idea how to stop it happening. Or even if I can't stop it, it will still be very useful knowledge to have.

I am training to be a network administrator... but I don't think I will continue in that job... I hope to become a White Hat Hacker with a CCNA.

So please help me work out how to escalate my permissions.

Thanks in advance,

USBHacker


As stated, I don't believe it can be done (at least it's out of my league [MSP certified]). Someone has suggested some Google keywords, so go from there; otherwise move on, you don't seem to be getting many bites on this one and it's not hard to see why.


Hmm, you bring up an interesting point.

Though I could always use the 'more than guest' account. Everyone knows the username, and everyone knows the password! And at first glance it looks exactly the same as a normal account. I think you can even access the same shares as the average user! :lol:

So if I was going to be doing any account escalation, I would use the 'more than guest' account.

Now, if you please, I am interested in how this could be done (and of course, how to do it!). By learning to do it myself, I'll have more knowledge of what people use on their computers to escalate permissions, and I'll have more of an idea how to stop it happening. Or even if I can't stop it, it will still be very useful knowledge to have.

I am training to be a network administrator... but I don't think I will continue in that job... I hope to become a White Hat Hacker with a CCNA.

So please help me work out how to escalate my permissions.

Thanks in advance,

USBHacker

Look kid, doesn't matter what you do on the local side, you are in an AD environment. The only way to priv esc is to do so on the DC or use another set of credentials for authentication.

Good luck collecting unemployment when you get fired, or even worse, put in jail for screwing with your company's infrastructure.


Change the local admin password with something like Hiren's or ERD Commander. While you won't be able to use this account to authenticate on the network, you will be able to run stuff as an admin on that one machine. I've been forced to do this by stupidly restrictive group policies preventing me from doing my job (I worked in a place that banned FTP clients as a security risk even though I was doing technical support for FTP servers as part of my job). When this was discovered I managed to avoid being fired only because the sysadmins actually agreed that IE6 was not an FTP client and that was the only thing I'd actually changed.

Now that I am a sysadmin, I have to admit that I have threatened a person with a trip to HR for doing exactly the same thing.


  • 2 weeks later...

If I were to try this, I would first take the computer off the network. Then, for simplicity, use BartPE or similar to change permissions. Install what you have to and change permissions back before putting the computer back on the network. Remember anything you install can be used against you, especially considering the means you'd have to use.


  • 1 month later...

Hmm

Thanks

I suppose you are talking about registry keys, correct?

Well then, if I needed to change registry keys, I would need to change them remotely (on the domain controller).

If that is possible, please tell me how I can do it!

Thanks in advance,

USBHacker


OK, so if you wanna elevate yourself to SYSTEM priv., use the at command from the command line.

So open a command prompt. At the command prompt, type at, then hit Enter. This may or may not work depending on the Windows installation. If you're able to use the at command, then go ahead and type

at xx:xx /interactive "cmd.exe" (the xx:xx symbolizes the time; you need to pick a time in the future, usually 1-2 min should be fine, in military time). After it reaches the time you set, a new cmd window should automatically open, except this one will have SYSTEM privileges. Now kill explorer.exe from the Task Manager, then you should be able to restart Explorer from the SYSTEM cmd shell by typing explorer.exe and voila, you are now SYSTEM priv and shouldn't be denied access to any files, folders, etc. Hope that makes sense.
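The trick above works because the Task Scheduler service runs at jobs as LocalSystem, so an interactive job whose command is a shell or Explorer puts a SYSTEM desktop in front of whoever is sitting at the console. Two things a defender should know: by default at.exe can only be used by members of the local Administrators group (consistent with the poster's "may or may not work"), so it is a local-admin-to-SYSTEM step rather than a way out of a restricted domain account, and the jobs it creates are ordinary, auditable objects. The Python below is an added example, not code from anyone in this thread: it reads a constructed job-record format (the key: value fields are my own assumption, not at.exe's listing or any Windows event layout) and flags jobs that run a shell interactively as SYSTEM.

```python
"""Flag scheduled jobs that hand the console a SYSTEM shell.
Example added to this thread; not code from any poster."""
import re
from typing import Dict, List

# Images that are a full shell or a desktop. A SYSTEM job that runs one of
# these interactively is, for practical purposes, a SYSTEM shell for whoever
# is logged on at the console.
SHELL_IMAGES = {"cmd.exe", "command.com", "explorer.exe", "powershell.exe"}

# Constructed job records (key: value blocks separated by blank lines). The
# field names are an assumption of this example; they are not the output of
# at.exe or the layout of any Windows event.
SAMPLE_JOBS = """\
id: 1
run_as: NT AUTHORITY\\SYSTEM
interactive: yes
command: "cmd.exe"

id: 2
run_as: NT AUTHORITY\\SYSTEM
interactive: no
command: C:\\WINDOWS\\system32\\defrag.exe C:

id: 3
run_as: CORP\\backupsvc
interactive: yes
command: cmd.exe /c backup.bat

id: 4
run_as: NT AUTHORITY\\SYSTEM
interactive: yes
command: C:\\WINDOWS\\explorer.exe
"""


def parse_jobs(text: str) -> List[Dict[str, str]]:
    """Parse blank-line separated key: value blocks into one dict per job."""
    jobs: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                jobs.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        cur[key.strip().lower()] = value.strip()
    if cur:
        jobs.append(cur)
    return jobs


def image_name(command: str) -> str:
    """Bare, lower-cased executable name from a command line, tolerating a
    quoted path with spaces and either slash style."""
    command = command.strip()
    if command.startswith('"'):
        first = command[1:].split('"', 1)[0]
    else:
        first = command.split(None, 1)[0] if command else ""
    return re.split(r"[\\/]", first)[-1].lower()


def is_system(run_as: str) -> bool:
    return run_as.strip().lower() in {"nt authority\\system", "system", "localsystem"}


def flag_system_shells(jobs: List[Dict[str, str]]) -> List[str]:
    """Return the ids of jobs that run a shell image interactively as SYSTEM.
    Non-interactive SYSTEM maintenance jobs and shells run as ordinary
    accounts are left alone to keep the signal usable."""
    flagged = []
    for job in jobs:
        if (is_system(job.get("run_as", ""))
                and job.get("interactive", "no").lower() == "yes"
                and image_name(job.get("command", "")) in SHELL_IMAGES):
            flagged.append(job["id"])
    return flagged


if __name__ == "__main__":
    print("interactive SYSTEM shells:", flag_system_shells(parse_jobs(SAMPLE_JOBS)))
```

On the constructed records, jobs 1 and 4 are flagged (an interactive SYSTEM cmd.exe and an interactive SYSTEM explorer.exe), job 2 is ignored as a non-interactive defrag, and job 3 is ignored because it runs as a named service account rather than SYSTEM.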


Hmm

Thanks

I suppose you are talking about registry keys, correct?

Well then, if I needed to change registry keys, I would need to change them remotely (on the domain controller).

If that is possible, please tell me how I can do it!

Thanks in advance,

USBHacker

No, he is talking about using a live CD and altering the local permissions. If I were you USB, I wouldn't pursue this any further, but if you must, make yourself a copy of UBCD4WIN, boot your computer up to it and create an alternative administrator account using Sala Password Renew which is a part of UBCD4WIN.

I would update my resume first, though, before trying anything...


OK, so if you wanna elevate yourself to SYSTEM priv., use the at command from the command line.

So open a command prompt. At the command prompt, type at, then hit Enter. This may or may not work depending on the Windows installation. If you're able to use the at command, then go ahead and type

at xx:xx /interactive "cmd.exe" (the xx:xx symbolizes the time; you need to pick a time in the future, usually 1-2 min should be fine, in military time). After it reaches the time you set, a new cmd window should automatically open, except this one will have SYSTEM privileges. Now kill explorer.exe from the Task Manager, then you should be able to restart Explorer from the SYSTEM cmd shell by typing explorer.exe and voila, you are now SYSTEM priv and shouldn't be denied access to any files, folders, etc. Hope that makes sense.

Hmm... thanks. I'll give that a go.

No, he is talking about using a live CD and altering the local permissions. If I were you USB, I wouldn't pursue this any further, but if you must, make yourself a copy of UBCD4WIN, boot your computer up to it and create an alternative administrator account using Sala Password Renew which is a part of UBCD4WIN.

I would update my resume first, though, before trying anything...

I've already tried a similar program (NT Password Renew). But it only makes a local admin; what I need is a DOMAIN admin.

Please tell me how to create one remotely...

Thanks in advance,

USBHacker


USBHacker, maybe you should contact one of the admins and ask them if it's possible to change your forum name. Just remove the word Hacker for the time being and stop trying to live up to that name for a while. It doesn't seem to reflect who you are in ANY way, shape or form. I don't mean that to be disrespectful, it's just such an obvious observation from all your posts that you don't seem to know anything, and the questions you ask can all be answered by READING some stuff on Google. You have been told a number of times to do some research on these things, but I guess you would rather have everything handed to you on a silver platter. It doesn't work that way.

Yes, people here have helped a lot of other people with their questions, but even when given the answer at times, you still fail to be able to get it to work....Please, for the love of all things geek, start reading up on the things you are trying to learn about. Take some initiative and put in the hours it takes to learn something. Hacking is like 90% self education and 10% getting help when you are stuck. Not 100% mooching off of everyone else doing the work for you.

Please take this as some constructive criticism and use it to motivate yourself to start reading. Almost every question you have ever asked on the forums can be found in literature on the web or in books. Start concentrating on your Google-fu and you will find yourself learning in more detail much faster than asking people for the quick fix, which doesn't explain the who, what, when, where, or why it works in such a way.


I personally don't mind helping anyone. It doesn't bother me to walk someone through something step by step. Maybe sometimes it's easier to understand coming from someone who has been in the same position and knows how to explain it in a way that will make sense. A lot of tutorials you come across on Google don't do that. But yes, I do agree that you should do some info searching on your own, but I don't think it's unreasonable to have 50% handed to you and 50% self taught. I personally wouldn't turn someone away with a question, but if they keep coming back asking the same shit over and over again it gets frustrating. Usually most people just want to see what other people's experiences have been in a similar situation, and I think that's why topics like this get started.


I personally wouldn't turn someone away with a question, but if they keep coming back asking the same shit over and over again it gets frustrating.

This is where I agree with you 100%, and it's also why I posted what I said...

Almost every post or thread he makes ends in

can you please tell me how, and/or give me the files?

Might already have been brought up, was quickly reading through the thread.

Just flash the admin password or even easier, just bring a copy of Ophcrack from home or.. just bring Cain and Abel on a flashdrive :)

GLHF.


You don't necessarily have to hack a DC, but that can work too. No one asked you what type of services, apps, OS version, open ports, etc. exist on the DC and on your workstation. Also, do you have access to debugging, compilers, etc.? Hell, I have shellcode that fits into 37 bytes. If nothing else you could probably sniff enough info on the wire to get you in eventually. What other platforms, if any, are authenticating on the domain? Details man, details. Not every hack has a script kiddie solution, but everything can be hacked...... eventually.

Tell me what you have on the DC and I may be able to give you some options.

I do however agree that these guys are right and it's probably not worth risking your job over. Do you just want to install drivers or something simple, or do you need particular access to services and files that require a higher token? Drivers can be installed if you just disco from the network and use the local admin account.

k3nNyG
