June 30th, 2003, 11:16 AM
Escalating Privilege in Windows Operating Systems
In this article I am going to discuss all the methods (almost) of obtaining administrative privileges
on a Windows box.
A. Windows 98/95/ME
These do not have any restrictions, but if you still don't want that login window, do this:
1. When Windows boots press F8; this will show a menu. Select "safemode command prompt".
2. Type deltree -y c:\windows *.pwl, this will delete all the password files.
3. Yes, this is it !!! :-)
Note: If you don't want people pressing F* and getting the startup menu, do the
following: edit Msdos.sys in the root directory and add a line BootKeys=0
B. Windows NT
This exploit adds a user to the administrator group. It works by exploiting
ChangeNtGlobalFlag(GetNtGlobalFlagPtr()); and DLL injection.
Get it from
Simply type getadmin or getadmin <user_name> and enjoy.
In this exploit, by exploiting existing Windows NT services, an application can locate a certain
API call in memory (OpenProcess), modify the instructions in a running instance, and gain
Debug-level access to the system, where it then grants the currently logged-in user complete
membership in the Administrators group in the local SAM database.
Get it from
Simply execute sechole.exe
If your machine hangs, reboot and observe that a user will be added to the administrators group.
C. Windows 2000
This exploit uses the Named Pipe vulnerability. As Windows 2000 uses predictable named pipe
names for controlling services, any user process can create a named pipe with the next name
and force a service they can start to connect to the pipe. Once connected, the user process
can impersonate the service.
Get it from
Simply execute PipeUpAdmin and log out and log back in; you will be added to the administrators
group.
This exploit uses a security vulnerability in Windows' NetDDE that allows local attackers to
gain arbitrary privileges by causing NetDDE to execute arbitrary code. The exploit
code and binaries can be found at
Executing getad will spawn a shell running as SYSTEM.
D. Windows XP
This exploit is the brother of the Windows 2000 GetAD exploit, and yes, it works. Get it from
Executing GetAd2 will spawn a shell running as SYSTEM.
E. Windows NT/2000/XP
1. Booting into an alternative OS and deleting the SAM file clears the Administrator password!!!
One can use a Linux floppy with the kernel's NTFS read/write support, or you can use NTFS DOS
Professional for DOS. Visit www.bootdisk.com for more... :-)
July 1st, 2003, 04:56 AM
Good tut, warl0ck7. I think it's good that the legitimate community sees what the darker side has already seen and is using.
Ahh... the importance of patches.
July 1st, 2003, 11:37 PM
Hmm, might be a good idea to copy the .pwl's to a different extension
so you could grab the passwords later...
Also there is the iusr_bug in NT4 with IIS... but the easiest way is getadmin...