Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: priviledge escalation techniques

from [Eyal Udassin] Network Security [Permanent Link]
Subject: RE: priviledge escalation techniques
Date: Sat, 22 Jan 2005 10:20:47 +0200 
Hi,

The easiest way to perform privilege escalation on windows, whatever
version, is to list the executables in the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry
key. All of these executables are run under SYSTEM.

Once you get hold of that list, see if you have write permissions to replace
the original executable with your own. Don't forget to execute the original
from your code, or otherwise you may cause the system to become unstable.

I had a client which had such a key pointing to an old printer installation
utility which no longer existed, in an unprotected directory outside of
"program files". That was the beginning of the end of the pentest :-)

If all the files can't be overridden, try to boot with command line only and
replace them. Another approach is to remove the hard drive and perform the
switch on another computer, with the victim HD as a secondary drive.

Eyal Udassin - Swift Coders
POB 1596 Ramat Hasharon, 47114
972+547-684989
eyal@swiftcoders.com - www.swiftcoders.com

-----Original Message-----
From: Roy Stapleton [mailto:roy@stapleton.biz] 
Sent: Friday, January 21, 2005 2:47 AM
To: pen-test@securityfocus.com
Subject: RE: priviledge escalation techniques


I have tried the sethc.exe one, the 'at' command scheduler technique and the
'c:\program' technique.

The OS I used was windows XP pro sp2.  I logged in as a domain user with no
added rights, i.e. only local user access to the machine.

There is no write access in the c:\ or c:\windows\system32 folder, so the
sethc.exe technique fell at this hurdle, default rights on these folders are
users: read & execute and list (this folder, subfolders and files), create
folders (this folder and subfolders), create files (subfolders only).

For the same reasons, the c:\program exploit failed as well.

The domain user does not have the privilege to create schedules with the at
command, so this failed as well.

The problem seen below does exist on XP.  It may be (pardon the fuzziness
here) to do with caching load images of executable files and prefetch
stores.  If you look in the C:\WINDOWS\Prefetch directory you will see all
the recently loaded executable files stored in a prefetch format.

This may be why the original loaded when BSK tried the sethc.exe technique
in BSK's email.

For the below, I checked these on a machine I had local admin access on.

XP also watches files in the system32 directory.  If you browse there and
rename the sethc.exe to something else and then refresh the screen, you will
see XP restore the sethc.exe file after a few seconds.

If you open a dos prompt and (make a backup of the sethc.exe file warning
here) copy cmd.exe to sethc.exe, answering that yes, you do want to
overwrite the original, you will see the new sethc.exe in an explorer window
with a cmd.exe icon.  Now, if you delete that, windows will restore
sethc.exe but with a cmd.exe icon (note the file sizes).  When done this
way, pressing shift 5 times will indeed open a cmd prompt.  

This subject does interest me greatly, if you know of any techniques that
will escalate privileges on an XP machine I would like to know them.

Thanks

Roy





-----Original Message-----
From: BSK [mailto:bishan4u@yahoo.co.uk] 
Sent: 20 January 2005 11:13
To: miguel.dilaj@pharma.novartis.com; pen-test@securityfocus.com
Subject: Re: priviledge escalation techniques


That's really strange. It works in WinXP.
Perhaps there was a change in functionality (for
bad!) from Win2K to XP?
The only possibility I can imagine is either:
a) something blocks launching interactive programs
before logon in 2K, but
not in XP
b) 2K is checking that sethc.exe is valid before
launching it, and XP is 
not doing that check (I don't really think that this
is the case, but...)

Do you have any XP box to test?? I'll try to get
hold of a 2K as well.


I couldn't try on a XP box, but tried on a windows
2000 server. It behaves very differently here, after
the replacement of sethc.exe with cmd.exe:
1. before logging in, pressing 'shift' 5 times,
invokes sethc.exe but the original one, which in fact
doesn't exist in system32 directory, atleast with same
name. I think windows regenerated that file but with
some other name.
2. if I press 'shift' 5 times after logging in,
nothing appears, neither original sethc.exe nor the
replaced sethc.exe

Any clues?


        
        
                
___________________________________________________________ 
ALL-NEW Yahoo! Messenger - all new features - even more fun!
http://uk.messenger.yahoo.com
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: priviledge escalation techniques, Roy Stapleton
Next by Date:  Re: Discovering users by RCPT TO, Marco Ivaldi
Previous by Thread:  RE: priviledge escalation techniques, Roy Stapleton
Next by Thread:  Re: priviledge escalation techniques, Pieter Danhieux
Indexes:  [Date] [Thread] [Top] [All Lists]