Hacking "admin" from "user" mode and more
You can trick the system into running a program, script, or batch file with
system level privileges.
One example
One trick is to use a vulnerability in Windows long filename support.
Try placing an executable named Program.* in the root directory of the
"Windows" drive, then reboot. The system may run Program.* with system
level privileges, so long as one of the applications in the "Program Files"
directory is a startup app: the call to "Program Files" will be intercepted by
Program.*.
Microsoft eventually caught on to that trick. Nowadays more and more of the
startup applications are being coded to use limited privileges.
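The Program.* trick described above works because an unquoted path such as C:\Program Files\app.exe is resolved by trying C:\Program first. The following PowerShell check is an added example, not part of the original post: it looks for anything named Program or Program.<ext> in the root of the system drive so a planted file is noticed before the next reboot.

```powershell
# Added example (not from the original post): flag anything named "Program"
# or "Program.<ext>" in the root of the system drive. An unquoted path such as
# C:\Program Files\app.exe is resolved by trying C:\Program first, which is
# what lets a planted Program.* run in place of a startup application.
$root = "$env:SystemDrive\"
$hits = Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^Program(\..+)?$' }   # no match for "Program Files"

if (-not $hits) {
    Write-Output "OK: no Program.* entry in $root"
} else {
    foreach ($item in $hits) {
        $kind = if ($item.PSIsContainer) { 'folder' } else { 'file' }
        Write-Warning ("{0} '{1}' in {2}, created {3:yyyy-MM-dd HH:mm}; remove or quarantine it and check how it got there" -f $kind, $item.Name, $root, $item.CreationTime)
    }
}
```

Run it from an elevated prompt so hidden and system-attributed entries (-Force) are visible; -match is case-insensitive, which matches how NTFS resolves the name.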
Quote:
In Windows NT and later systems derived from it
(Windows 2000, Windows XP, Windows Server 2003 and Windows Vista), there may or
may not be a superuser. By default, there is a superuser named Administrator,
although it is not an exact analogue of the Unix root superuser account.
Administrator does not have all the privileges of root because some superuser
privileges are assigned to the Local System account in Windows NT.
Under normal circumstances a user cannot run code as System; only the operating
system itself has this ability. But by using the command line, we will trick
Windows into running our desktop as System, along with all applications that are
started from within it.
Getting SYSTEM
I will now walk you through the process of obtaining SYSTEM privileges.
To start, let's open up a command prompt (Start > Run > cmd > [ENTER]).
At the prompt, enter the following command, then press [ENTER]:
Code:
at
If it responds with an "access denied" error, then we are out of luck, and
you'll have to try another method of privilege escalation; if it responds with
"There are no entries in the list" (or sometimes with multiple entries already
in the list) then we are good. Access to the at command varies: on some
installations of Windows even the Guest account can access it, on others it's
limited to Administrator accounts. If you can use the at command, enter the
following command, then press [ENTER]:
Code:
at 15:25 /interactive "cmd.exe"
Let's break down the preceding command. The "at" told the machine to run the at
command; everything after that is the command's operands. The important
thing here is to change the time (24-hour format) to one minute after the time
currently set on your computer's clock. For example, if your computer's clock
says it's 4:30pm, convert this to 24-hour format (16:30) and use 16:31 as the
time in the command. If you issue the at command again with no operands, then
you should see something similar to this:
When the system clock reaches the time you set, then a new command prompt will
magically run. The difference is that this one is running with system privileges
(because it was started by the task scheduler service, which runs under the
Local System account). It should look like this:
You’ll notice that the title bar has changed from cmd.exe to svchost.exe (which
is short for Service Host). Now that we have our system command prompt, you may
close the old one. Run Task Manager by either pressing CTRL+ALT+DELETE or typing
taskmgr at the command prompt. In task manager, go to the processes tab, and
kill explorer.exe; your desktop and all open folders should disappear, but the
system command prompt should still be there.
At the system command prompt, enter in the following:
Code:
explorer.exe
A desktop will come back up, but what is this? It isn't your desktop. Go to the
start menu and look at the user name; it should say "SYSTEM". Also open up Task
Manager again, and you'll notice that explorer.exe is now running as SYSTEM. The
easiest way to get back into your own desktop is to log out and then log back
in. The following 2 screenshots show my results:
System user name on start menu
explorer.exe running under SYSTEM
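The walkthrough above relies on the Task Scheduler service launching a job as Local System on the interactive desktop. Windows Vista and later isolate services in session 0, so a service-started process no longer appears on a user's desktop, and at.exe has since been deprecated in favour of schtasks; the steps above therefore apply to XP-era systems. The following PowerShell audit is an added example, not part of the original post: it lists every scheduled task that runs as SYSTEM, with its author and command line, and warns on those with an interactive logon mode, so an ad-hoc job created with at or schtasks by a low-privileged user stands out from vendor-installed ones.

```powershell
# Added example (not from the original post): enumerate scheduled tasks that
# run as the Local System account. schtasks /v repeats its CSV header once per
# task folder, so rows whose TaskName is literally "TaskName" are dropped.
$rows = schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' }

$systemJobs = $rows | Where-Object {
    $_.'Run As User' -match '^(NT AUTHORITY\\)?SYSTEM$'
}

# Overview table: who created each SYSTEM-level task and what it runs.
$systemJobs |
    Select-Object TaskName, Author, 'Logon Mode', 'Task To Run', 'Next Run Time' |
    Sort-Object Author, TaskName |
    Format-Table -AutoSize -Wrap

# A SYSTEM task marked for interactive logon is the shape of the trick above.
$interactive = $systemJobs | Where-Object { $_.'Logon Mode' -match 'Interactive' }
foreach ($job in $interactive) {
    Write-Warning ("SYSTEM task with interactive logon mode: {0} (author: {1}) runs {2}" -f
        $job.TaskName, $job.Author, $job.'Task To Run')
}
```

Compare the Author column against the accounts that are supposed to create tasks on the machine; the at-style jobs of the walkthrough carry the creating user's name, not Microsoft's.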
What to do now
Now that we have SYSTEM access, everything that we run from our explorer process
will have it too: browsers, games, etc. You also have the ability to reset the
administrator's password and kill other processes owned by SYSTEM. You can do
anything on the machine, the equivalent of root; you are now God of the Windows
machine. I'll leave the rest up to your imagination.
ADMINISTRATOR ON THE WELCOME SCREEN
When you install Windows XP an Administrator account is created (you are asked
to supply an administrator password), but the "Welcome Screen" does not give you
the option to log on as Administrator unless you boot up in Safe Mode.
First you must ensure that the Administrator account is enabled:
1. open Control Panel
2. open Administrative Tools
3. open Local Security Policy
4. expand Local Policies
5. click on Security Options
6. ensure that "Accounts: Administrator account status" is enabled
Then follow the instructions from the "Win2000 Logon Screen Tweak", i.e.:
1. open Control Panel
2. open User Accounts
3. click "Change the way users log on or log off"
4. untick "Use the Welcome Screen"
5. click Apply Options
You will now be able to log on to Windows XP as Administrator in Normal Mode.
EASY WAY TO ADD THE ADMINISTRATOR USER TO THE WELCOME SCREEN!
Start the Registry Editor and go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Right-click an empty space in the right pane and select
New > DWORD Value
Name the new value Administrator. Double-click this new value and enter
1
as its Value data. Close the Registry Editor and restart.
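Both procedures above (enabling the built-in Administrator account and turning off the Welcome Screen, or adding a UserList value to show Administrator on it) leave traces an administrator can check for. The following PowerShell script is an added example, not part of the original post: it reports whether the RID 500 account is enabled, reads the Winlogon LogonType value (on XP, 0 means classic logon and 1 means Welcome Screen), and lists every SpecialAccounts\UserList override. It uses Get-WmiObject so it runs on older Windows PowerShell; on PowerShell 7 substitute Get-CimInstance.

```powershell
# Added example (not from the original post): audit the settings the two
# procedures above change. Run from an elevated prompt.
$builtin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like '*-500' }        # RID 500 = built-in Administrator
if ($builtin) {
    $state = if ($builtin.Disabled) { 'disabled' } else { 'ENABLED' }
    Write-Output ("Built-in Administrator ({0}) is {1}" -f $builtin.Name, $state)
}

# Welcome Screen vs classic logon (XP-era value under Winlogon).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$logonType = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).LogonType
if ($null -eq $logonType) {
    Write-Output 'LogonType not set (Welcome Screen default on XP)'
} else {
    Write-Output "LogonType = $logonType (0 = classic logon, 1 = Welcome Screen)"
}

# Per-account Welcome Screen overrides: 0 hides an account, non-zero shows it.
$key = "$winlogon\SpecialAccounts\UserList"
if (-not (Test-Path $key)) {
    Write-Output 'No SpecialAccounts\UserList key: no per-account Welcome Screen overrides'
} else {
    Get-Item $key | Select-Object -ExpandProperty Property | ForEach-Object {
        $value = (Get-ItemProperty -Path $key -Name $_).$_
        $effect = if ($value -eq 0) { 'hidden from Welcome Screen' } else { 'shown on Welcome Screen' }
        Write-Output ("UserList\{0} = {1} ({2})" -f $_, $value, $effect)
        if ($builtin -and $_ -eq $builtin.Name -and $value -ne 0) {
            Write-Warning 'Built-in Administrator is exposed on the Welcome Screen'
        }
    }
}
```

Any UserList value or LogonType change that nobody on the admin team made is worth following up, since the registry edit above is all it takes to put the built-in Administrator account in front of every user at the logon screen.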