Escalating Privelage in Windows Operating Systems
Results 1 to 3 of 3

Thread: Escalating Privelage in Windows Operating Systems

  1. #1
    Senior Member
    Join Date
    Jun 2003

    Escalating Privelage in Windows Operating Systems

    Hi everyone,

    In this article i am going to discuss all the methods(almost ) of obtaining administrative privelages
    on a winodws box.

    A. WIndows 98/95/ME

    These do not have any restrictions but still if don't want those login window do this

    1.When windows boots prees F8,this will show a menu. Select "safemode command prompt"
    2.Type deltree -y c:\windows *.pwl,this will delete all the password files
    3.Yes this is it !!! :-)

    Note: If you don't want the people pressing F* and getting the startup menu do the
    following edit Msdos.sys in the root directory and add a line BootKeys=0

    B. Windows NT

    1. GetAdmin

    This expoit adds a user to the administrator group.It works by exploiting
    ChangeNtGlobalFlag(GetNtGlobalFlagPtr()); and DLL injection.
    Get it from

    simply type getadmin aor getadmin <user_name> and enjoy

    2. Sechole.exe

    This exploit by exploiting existing Windows NT services, an application can locate a certain
    API call in memory (OpenProcess), modify the instructions in a running instance, and gain
    Debug level access to the system, where it then grants the currently logged-in user complete
    membership to the Administrators group in the local SAM database.
    Get it from

    Simply execute sechole.exe
    If your machine hangs reboot and observe that a user will added to the administrators group.

    C. Windows 2000

    1. PipeUpAdmin

    This exploit uses the Named Pipe Vulnerability.As Windows 2000 uses predictable named pipe
    names for controlling services, any user process can create a named pipe with the next name
    and force a service, they can start, to connect to the pipe.Once connected, the user process
    can impersonate the service.
    Get it from

    Simpy execute PipeUpAdmin and logout and log backin, you will be added to the administrators

    2. NetDDe,GetAd

    This exploit uses a security vulnerability in Windows's NetDDE that allows local attackers to
    gain arbitrary privileges, this by causing the NetDDE to execute arbitrary code.The exploit
    code and binaries can be found at

    Executing getad will spawn a shell running as SYSTEM.

    D. Windows XP


    This expoit is brother of the Windows 2000 GetAD exploit and yes it works.Get it from

    Executing GetAd2 will spawn a shell running as SYSTEM.

    E. Windows NT/2000/XP

    1. Booting into Alternative OS and deleting the SAM file clears the Adminstrator password!!!.
    One can use a Linux floppy with kernel's NTFS read/write support or you can use NTFS dos
    professional for DOS. Visit for more...:-).

  2. #2
    Senior Member
    Join Date
    Nov 2001
    good tut warl0ck7. i think its good that the ligitimate community sees what the darker side has already seen and is using.

    ahh...the importance of patches
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  3. #3
    Junior Member
    Join Date
    Jun 2003
    hmm might be a good idia to copy the pwl's to different extension
    so you could grab the passwords later...

    also there is the iusr_bug in nt4 with iis... but the the most easiest way is getadmin...

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts