Gain SYSTEM/Administrative Access to Windows XP/2000
Thu, 29 Jan 2009 19:42:42 +0000
Post #181
Hak.5 Pirate | Group: Members | Posts: 383 | Joined: Mon, 19 Jan 2009 01:07:11 +0000 | From: Arizona | Member No.: 12,618
Offline you basically have complete control. The methods in this thread are attempts at online permission escalation.
Yes, BartPE + any password tool that can edit an offline SAM database will work...
--------------------
A+/Network+/Security+ Certified Professional
VB.Net Developer
Tech addict that doesn't sleep much...
Fri, 30 Jan 2009 07:35:57 +0000
Post #182
Hak.5 Zombie | Group: Members | Posts: 247 | Joined: Thu, 11 May 2006 03:57:00 +0000 | Member No.: 698
> Offline you basically have complete control. The methods in this thread are attempts at online permission escalation. Yes, BartPE + any password tool that can edit an offline SAM database will work...

So, if I run Bart's PE as a live CD, I can add a new account to the local machine and it will show up when rebooted? I've tried the <net user Name /add> trick, then added Name to the Administrators localgroup by using a Windows PE live disk and, whilst it says "Task completed successfully" (or similar), the new account isn't there when I booted into Windows. Can I create a service on the local PC using Bart's PE? Again, I've tried with Windows PE and it failed.
Fri, 30 Jan 2009 17:03:35 +0000
Post #183
Hak.5 Pirate | Group: Members | Posts: 383 | Joined: Mon, 19 Jan 2009 01:07:11 +0000 | From: Arizona | Member No.: 12,618
You have to use a special program that can perform operations on an offline SAM file. Using net from the command line won't work because you're operating on the temporary SAM file for that instance of PE.
--------------------
A+/Network+/Security+ Certified Professional
VB.Net Developer
Tech addict that doesn't sleep much...
Fri, 30 Jan 2009 17:09:31 +0000
Post #184
Hak.5 Pirate | Group: Members | Posts: 305 | Joined: Thu, 21 Jun 2007 06:15:07 +0000 | From: Germany | Member No.: 7,670
> 1. What's the reason for adding the new account to the SpecialAccounts\UserList? I realise that these accounts are built in automatically and aren't ordinary user accounts.
> 2. Is it possible to add a user whilst offline - for instance using Bart's PE or Windows PE live CD?
> 3. Is it possible to create a service (again, whilst offline) which runs as System and is running at the time that the logon screen appears?

1. This is done to hide the account on the welcome screen on an ordinary Windows XP/Vista installation.
2. I guess so, but I never did that.
3. See 2.
--------------------
joerg@server:~$ cat /var/www/hak5/signature
cat: /var/www/hak5/signature: No such file or directory
Fri, 30 Jan 2009 17:48:51 +0000
Post #185
Hak.5 Pirate | Group: Members | Posts: 383 | Joined: Mon, 19 Jan 2009 01:07:11 +0000 | From: Arizona | Member No.: 12,618
> 1. This is done to hide the account on the welcome screen on an ordinary Windows XP/Vista installation.

You can also get it not to display on the welcome screen by simply making sure the account's not in the Users group. It won't show, though it belongs to the Administrators group, as long as this is so.
--------------------
A+/Network+/Security+ Certified Professional
VB.Net Developer
Tech addict that doesn't sleep much...
Fri, 30 Jan 2009 17:53:31 +0000
Post #186
Hak.5 Zombie | Group: Members | Posts: 247 | Joined: Thu, 11 May 2006 03:57:00 +0000 | Member No.: 698
> You have to use a special program that can perform operations on an offline SAM file. Using net from the command line won't work because you're operating on the temporary SAM file for that instance of PE.

But I didn't use net.exe from the CD (the "installation" in RAM is designated automatically to x:, i.e. x:\windows\system32\net.exe). I navigated to net.exe on my XPP installation, i.e. c:\windows\system32\net.exe. I thought that, if I navigated to the installed net.exe, it would add the user as I had wanted. I'm interested to know WHY it didn't. Can anyone shed any light on this please? Do you have any recommendations about an offline SAM manipulation utility? I'll look into it myself but am interested to have any recommendations.

> 1. This is done to hide the account on the welcome screen on an ordinary Windows XP/Vista installation.
> 2. I guess so, but I never did that.
> 3. See 2.

OK - thank you.
Fri, 30 Jan 2009 18:00:05 +0000
Post #187
Hak.5 Pirate | Group: Members | Posts: 383 | Joined: Mon, 19 Jan 2009 01:07:11 +0000 | From: Arizona | Member No.: 12,618
Even using net.exe from the proper location won't work. Remember, it's operating on the local environment, not the offline SAM file. Keyword here: offline. Net operates on online SAM files.
Tools? Plenty, though I'm not going to start mentioning them. Just get BartPE/UBCD4Win and you're set...
--------------------
A+/Network+/Security+ Certified Professional
VB.Net Developer
Tech addict that doesn't sleep much...
Tue, 10 Feb 2009 22:57:55 +0000
Post #188
Newbie | Group: Members | Posts: 2 | Joined: Thu, 11 Sep 2008 21:19:16 +0000 | Member No.: 10,660
I used to do something similar to this, except with a DOS floppy or Linux USB key or what have you: replace Utilman.exe with command prompt. Tested and working on Windows Vista. Command runs under SYSTEM too, so you can do whatever you want.
Thu, 19 Feb 2009 14:09:13 +0000
Post #189
Hak.5 Fan + | Group: Members | Posts: 34 | Joined: Fri, 10 Oct 2008 11:04:44 +0000 | From: Mo. Co., MD | Member No.: 11,177
I have a workaround for admin rights.

<not mine src="can't remember">
1) Find a service that doesn't use quotes in the executable reference and has user-writeable directories with a space in the name, e.g. C:\Program Files\Dumb Admin Installed Stuff\srvc.exe (the Program Files dir is not writable usually, but I'm lazy).
2) Insert an exe that creates an admin account into C:\Program Files\Dumb.exe.
3) Reboot. Windows handles unquoted spaces by checking, in order, for:
   C:\Program
   C:\Program Files\Dumb
   C:\Program Files\Dumb Admin
   C:\Program Files\Dumb Admin Installed
   C:\Program Files\Dumb Admin Installed Stuff\srvc.exe
After the file is inserted it will be executed in place of the service when Windows looks for C:\Program Files\Dumb.
</not mine>

Also, does anyone know of a way to make the user created by "net user" not have a profile path? My current workaround for this is to make the profile path a hidden & system file, but clean up when I'm done via an AutoIt script (eventually an exe) that removes all obvious traces of the user, and the script/exe fails 'cause the user is still using it, and it would be best anyways to not have it there at all in the first place 'cause that's just more footprints for people to find. Thanks.
hax
--------------------
"Don't worry about people stealing an idea. If it's original, you will have to ram it down their throats." -- Howard Aiken
"A conscience is what hurts when all your other parts feel so good."
Thu, 30 Apr 2009 22:29:55 +0000
Post #190
Newbie | Group: Members | Posts: 7 | Joined: Mon, 30 Mar 2009 00:24:58 +0000 | Member No.: 13,456
I won't give away the full details lol, but you could very easily make an auto-deploying boot disk so that on next reboot you have 100% control of the system.
Assuming you have even a little coding experience at least. Mine takes about 30 seconds to boot + deploy, with no user input. I'll give you a rundown in English and tell you that I based my boot disk off of a Linux live CD.
1) You put in disk and boot up.
2) Bootup script loads the very core of a Linux distribution and deploys an executable into the Windows folder. It also edits a reg key to make it boot up before user permissions are established. (bash and C++)
3) On next boot a series of things happen: the program deletes the reg key and makes a different one with the same exploit Conficker uses to make a SYSTEM-only reg key. It then gains SYSTEM level access via an exploit in all Windows platforms that is as of yet unpatched. (C++)
4) So right now we have two things, a reg key and a file, both undeletable by normal means. The file copies itself deeper into the Windows tree. Then starts its main code which can be customized completely. (C++)
This entire time it's acted normally and, because it is a legitimately named program (I named it like 1 letter off a real MS program lol), no one will delete it.
Sat, 08 Aug 2009 17:06:27 +0000
Post #191
Hak.5 Fan + | Group: Members | Posts: 34 | Joined: Fri, 10 Oct 2008 11:04:44 +0000 | From: Mo. Co., MD | Member No.: 11,177
I just had a thought. Could one put an app vulnerable to a stack overflow on a USB and exploit it on the system one wants to get admin/system on?
EDIT: Never mind. I just learned a little more about buffer overflows and it looks like that won't work. It would be nice to be able to debug the whole OS, or at least the parts that would be hard for MS to patch, and find every segfault to check for buffer overflow exploitability.
--------------------
"Don't worry about people stealing an idea. If it's original, you will have to ram it down their throats." -- Howard Aiken
"A conscience is what hurts when all your other parts feel so good."
Thu, 13 Aug 2009 21:31:36 +0000
Post #192
Hak.5 Fan | Group: Members | Posts: 19 | Joined: Fri, 17 Jul 2009 15:51:36 +0000 | Member No.: 14,792
Shouldn't this thread be dead now that Kon-Boot is out? Or is the purpose of this to create a new admin account?
Thu, 13 Aug 2009 23:20:28 +0000
Post #193
Hak.5 Pirate | Group: Members | Posts: 383 | Joined: Mon, 19 Jan 2009 01:07:11 +0000 | From: Arizona | Member No.: 12,618
Yeah, but it's interesting to see what people come up with.
--------------------
A+/Network+/Security+ Certified Professional
VB.Net Developer
Tech addict that doesn't sleep much...
Mon, 17 Aug 2009 00:23:50 +0000
Post #194
Hak.5 Fan + | Group: Members | Posts: 34 | Joined: Fri, 10 Oct 2008 11:04:44 +0000 | From: Mo. Co., MD | Member No.: 11,177
> Shouldn't this thread be dead now that Kon-Boot is out? Or is the purpose of this to create a new admin account?

The idea is to do it without rebooting. In-session priv escalation is the goal here.
--------------------
"Don't worry about people stealing an idea. If it's original, you will have to ram it down their throats." -- Howard Aiken
"A conscience is what hurts when all your other parts feel so good."
Mon, 07 Sep 2009 18:40:00 +0000
Post #195
Newbie | Group: Members | Posts: 1 | Joined: Mon, 07 Sep 2009 18:37:50 +0000 | Member No.: 15,567
I know this is my first post and possible flame for bringing up an old topic, but I had an idea.
Take a look at this guy's code, http://www.rohitab.com/discuss/index.php?s...mread&st=40 . Seems he is able to get the hashes without admin, but I could be wrong. Anyway, Brian
Tue, 03 Nov 2009 16:59:56 +0000
Post #196
Hak.5 Fan ++ | Group: Members | Posts: 80 | Joined: Tue, 30 Dec 2008 18:35:07 +0000 | From: Australia | Member No.: 12,383
If you can't be bothered doing all of this coding, just reboot and get into Safe Mode. All admin accounts there. No password. No anti-virus. Plug in your USB drive. Copy files. Do whatever. Away you go.
This is not as fun though.