Demonstration of Windows XP Privilege Escalation Exploit


This article is a tutorial on how to trick Windows XP into giving you system privileges. Using simple command line tools on a machine running Windows XP, we will obtain system level privileges. The system run level is higher than administrator, and has full control of the operating system and its kernel. On many machines this can be exploited even with the guest account. This system account allows for several other things that aren't normally possible (like resetting the administrator password).

The Local System account is used by the Windows OS to control various aspects of the system (kernel, services, etc.); the account shows up as SYSTEM in the Task Manager process list, as seen in the following screen shot: [screenshot not included in this transcription]

Local System differs from an Administrator account in that it has full control of the operating system, similar to root on a *nix machine. Most System processes are required by the operating system and cannot be closed, even by an Administrator account; attempting to close them will result in an error message. The following quote from Wikipedia explains this in an easy to understand way:

Quote: In Windows NT and later systems derived from it (Windows 2000, Windows XP, Windows Server 2003 and Windows Vista), there may or may not be a superuser. By default, there is a superuser named Administrator, although it is not an exact analogue of the Unix root superuser account. Administrator does not have all the privileges of root because some superuser privileges are assigned to the Local System account in Windows NT.

Under normal circumstances, a user cannot run code as System; only the operating system itself has this ability. But by using the command line, we will trick Windows into running our desktop as System, along with all applications that are started from within it.
Procedure to get system level access and privilege escalation in Windows

I will now walk you through the process of obtaining SYSTEM privileges and a demonstration of this Windows XP admin exploit / super user hack.

To start, let's open up a command prompt (Start > Run > cmd > [ENTER]). At the prompt, enter the following command, then press [ENTER]:

at

If it responds with an access denied error, then we are out of luck, and you'll have to try another method of privilege escalation; if it responds with "There are no entries in the list" (or sometimes with multiple entries already in the list), then we are good. Access to the at command varies: on some installations of Windows, even the Guest account can access it; on others it's limited to Administrator accounts.

If you can use the at command, enter the following command, then press [ENTER]:

at 21:01 /interactive cmd.exe

Let's break down the preceding code. The at told the machine to run the at command; everything after that are the operators for the command. The important thing here is to change the time (24 hour format) to one minute after the time currently set on your computer's clock. For example, if your computer's clock says it's 4:30pm, convert this to 24 hour format (16:30), then use 16:31 as the time in the command. If you issue the at command again with no operators, then you should see something similar to this: [screenshot not included in this transcription]

When the system clock reaches the time you set, a new command prompt will magically run. The difference is that this one is running with system privileges (because it was started by the Task Scheduler service, which runs under the Local System account). It should look like this: [screenshot not included in this transcription]

You'll notice that the title bar has changed from cmd.exe to svchost.exe (which is short for Service Host). Now that we have our system command prompt, you may close the old one. Run Task Manager by either pressing CTRL+ALT+DELETE or typing taskmgr at the command prompt. In Task Manager, go to the Processes tab and kill explorer.exe; your desktop and all open folders should disappear, but the system command prompt should still be there. At the system command prompt, enter the following:

explorer.exe

A desktop will come back up, but what is this? It isn't your desktop. Go to the Start menu and look at the user name; it should say SYSTEM. Also open up Task Manager again, and you'll notice that explorer.exe is now running as SYSTEM. The easiest way to get back into your own desktop is to log out and then log back in.

Now that we have SYSTEM access, everything that we run from our explorer process will have it too: browsers, games, etc. You also have the ability to reset the administrator's password, and to kill other processes owned by SYSTEM. You can do anything on the machine, the equivalent of root; you are now God of the Windows machine. I'll leave the rest up to your imagination.
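From the defender's side, the at jobs this procedure creates are recorded by the Task Scheduler service in its SchedLgU.txt log as At1.job, At2.job and so on, so a log review can flag AT jobs whose program is an interactive shell or desktop rather than a batch task. The script below is an added example, not part of the original article; the log excerpt is constructed, and the exact line shapes it parses are my assumption about the Windows XP log format, so adapt the regular expressions to a real file.

```python
"""Flag AT jobs that start an interactive shell, from a Task Scheduler log.

Added example, not from the original article. The log excerpt imitates the
Windows XP SchedLgU.txt format (a '"<job>.job" (<program>)' line followed by an
indented Started/Finished line); that shape is an assumption, so adapt the
regexes to a real file.
"""
import re

# Programs that hand an operator a prompt or desktop instead of doing batch work.
INTERACTIVE_PROGRAMS = {"cmd.exe", "command.com", "explorer.exe", "taskmgr.exe"}

# Constructed log excerpt: a routine backup job, then the article's at-job pattern.
SAMPLE_LOG = (
    '"Task Scheduler Service"\n'
    '\tStarted at 4/30/2006 8:00:00 AM\n'
    '"Backup.job" (ntbackup.exe)\n'
    '\tStarted 4/30/2006 9:00:00 PM\n'
    '"Backup.job" (ntbackup.exe)\n'
    '\tFinished 4/30/2006 9:05:00 PM\n'
    '\tResult: The task completed with an exit code of (0).\n'
    '"At1.job" (cmd.exe)\n'
    '\tStarted 4/30/2006 9:01:00 PM\n'
    '"At2.job" (explorer.exe)\n'
    '\tStarted 4/30/2006 9:07:00 PM\n'
)

JOB_LINE = re.compile(r'^"(?P<job>[^"]+\.job)" \((?P<program>[^)]+)\)$')
EVENT_LINE = re.compile(r'^\s+(?P<event>Started|Finished) (?P<when>.+)$')


def find_interactive_at_jobs(log_text):
    """Return (job, program, start time) for each At*.job that started an
    interactive program. AT jobs run under the Task Scheduler service's own
    account (Local System on XP), so such a shell or desktop runs as SYSTEM."""
    findings = []
    current = None  # (job, program) from the most recent job header line
    for line in log_text.splitlines():
        header = JOB_LINE.match(line)
        if header:
            current = (header.group("job"), header.group("program").lower())
            continue
        event = EVENT_LINE.match(line)
        if event and current and event.group("event") == "Started":
            job, program = current
            if job.lower().startswith("at") and program in INTERACTIVE_PROGRAMS:
                findings.append((job, program, event.group("when")))
    return findings
```

Run against the constructed excerpt, the function reports At1.job (cmd.exe) and At2.job (explorer.exe) and ignores the ordinary backup job.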

Resetting Administrator's password