windows privilege escalation?

  1. #1
    Senior Member
    Join Date
    Oct 2004
    Posts
    172

    windows privilege escalation?

    I was in the computer lab at my school today and I noticed that a few of the computers had not been logged off, so I went to log them off and noticed that several of them had a different background. When I looked into it further, I noticed that all of the accounts with different backgrounds were regular student accounts and that they had full admin privileges, which they definitely shouldn't have had. I think it's safe to assume that they ran some sort of program that did it for them; I'd just like to find out what it was and how it worked. I'm guessing it was some popular Windows rootkit or something. Can somebody maybe give me their opinion on what they think it was and what I should do about it? (I've got all their account names.) The compromised boxes were running Windows XP Professional SP1 and I'm pretty sure all of their security measures were done with poledit.

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    How do you know they had 'full admin' privs?
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member Kite's Avatar
    Join Date
    Jan 2005
    Location
    Underground Bunker, somewhere in Antarctica
    Posts
    109
    Tell your administrator, definitely, and maybe do a Google search for privilege rootkits or something like that.
    I know your type, you think "I'll just get me a costume, rip off the neighborhood kids". Next thing you know, you've got a jet shaped like a skull with lasers on the front!
    -The Monarch.

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Posts
    186
    What it could have been is they may have been just logged in as the local computer administrator so they could install some new programs or whatever, but were not logged in as the domain admin.
    Ben Franklin said it best. "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

  5. #5
    Senior Member
    Join Date
    Dec 2004
    Posts
    107
    I would say, check out this thread:

    http://www.antionline.com/showthread...hreadid=265821

    Jareds411 had a similar problem as you, and the recommendation was to alert your admin anonymously.

    good luck,
    -ik
    Alright Brain, you don't like me, and I don't like you. But let's just do this, and I can get back to killing you with beer.
    -- Homer S.

  6. #6
    Senior Member
    Join Date
    Mar 2004
    Posts
    171
    Ok, honestly, if I were still in school (it's been a few millennia since I was) I would be tempted to keep this under my hat, and see what I could do with the "admin" accounts.

    But most likely that won't get you anywhere you wanna go.

    I personally wouldn't worry too much about just straight out informing the admin of what you observed. In most cases, being straightforward about something like this, in a tactful way, will be respected by any admin with half a brain. If I was your admin, I would want to see, and would be interested in knowing, how my security was bypassed, not shoot the messenger...

    Of course you can try the email or letter to him/her without ever giving up who you are... I just don't see the point.

    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinkys: not good for anything, but the thought of pushing them down the stairs brings a smile to your face!

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I very much doubt they used poledit..... That was pre Win2k...

    I think you meant the LSP or the GP (Local Security Policy or Group Policy). If they managed to use Group Policy your admin is... er.... screwed... because they would require domain admin rights to do that.... and a student with domain admin rights invariably has better grades than their actual work would imply....

    Send your admin a script in a suitably socially engineered email that adds a user to the AD with Domain admin rights and you'll find out 2 things:-

    1. Admin is a dumbass that reads email in the context of a domain admin, (I'm guilty of this...)

    2. Admin is silly enough to be socially engineered into clicking an attachment or link, (I'm not guilty of this..)

    If he's really stupid he won't be able to work out what you did....

    If he's smart he'll slap you upside the head and tell you to "try and be creative"....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,066
    I highly doubt that any student got admin privileges and then forgot to log out. Some schools have students that are good with networks and computers help out the school system admin for voluntary credits, because that's a requirement to get into a lot of colleges. So the system admin gives them some more privileges on their accounts to make helping out easier. That's just what goes on in my school anyway; I'm guessing the same goes on in yours and many others...
    I am the uber duck!!1
    Proxy Tools

  9. #9
    Senior Member
    Join Date
    Oct 2004
    Posts
    172
    Well, I'm positive that the student accounts aren't supposed to have those privileges. They aren't like administrator privs like the school network admins would have; they just have the privileges to do whatever they want on that machine locally. They can read/write anywhere, run regedit, change the background, install things, etc. I know that there isn't any way that they got these privs legitimately either.

  10. #10
    Senior Member
    Join Date
    Oct 2004
    Posts
    172
    Well, I'm positive that the student accounts aren't supposed to have those privileges. They aren't like administrator privs like the school network admins would have; they just have the privileges to do whatever they want on that machine locally. They can read/write anywhere, run regedit, change the background, install things. I know there isn't any way that they would have gotten these privs legitimately. I dunno what to search on Google; I've tried Windows rootkits and several other things. I expect that there's some well known program that they used for it, but maybe not... how else could they have done it?
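Post #2 asks how the original poster knows the accounts had full admin rights, and posts #9 and #10 describe the symptoms (regedit runs, writes anywhere, installs software) rather than the actual group membership. The direct check on a local machine is the membership of the local Administrators group, which `net localgroup Administrators` lists. The script below is an added example, not code from the thread or from any poster: it parses that command's output and flags any member not on an allowlist. The allowlist contents, the account names and the sample output are all constructed for the example; on a Windows host it runs the command live, elsewhere it falls back to the embedded sample, and on an XP-era lab box with no Python you would simply run the `net` command by hand and compare against the same list.

```python
"""Audit local Administrators group membership against an allowlist.

Added example. NET_OUTPUT is a constructed imitation of what
`net localgroup Administrators` prints on Windows XP; it was not
captured from any real machine, and the account names are invented.
"""
from __future__ import annotations

import subprocess
import sys

# Accounts expected to hold local admin rights on a lab machine.
# Assumed policy for the example; adjust to the real site policy.
EXPECTED_ADMINS = {
    "administrator",
    "domain\\domain admins",
    "domain\\lab-techs",
}

# Constructed sample output in the shape of `net localgroup Administrators`.
NET_OUTPUT = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
DOMAIN\\Domain Admins
DOMAIN\\lab-techs
DOMAIN\\student1234
The command completed successfully.
"""


def parse_members(text: str) -> list[str]:
    """Return the member names listed after the dashed separator.

    Assumes one member per line, which is how `net localgroup` prints
    short lists; the trailing status line is dropped.
    """
    members: list[str] = []
    in_members = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("---"):
            in_members = True
            continue
        if not in_members or not stripped:
            continue
        if stripped.lower().startswith("the command completed"):
            break
        members.append(stripped)
    return members


def unexpected_admins(members: list[str],
                      expected: set[str] = EXPECTED_ADMINS) -> list[str]:
    """Members of the group that are not on the allowlist (case-insensitive)."""
    return [m for m in members if m.lower() not in expected]


def get_group_output() -> str:
    """Query the live machine on Windows; use the constructed sample elsewhere."""
    if sys.platform != "win32":
        return NET_OUTPUT
    result = subprocess.run(
        ["net", "localgroup", "Administrators"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    found = parse_members(get_group_output())
    extra = unexpected_admins(found)
    print("Local Administrators members:", ", ".join(found))
    if extra:
        print("NOT on allowlist (investigate):", ", ".join(extra))
    else:
        print("All members are on the allowlist.")
```

Run against the sample, the only finding is `DOMAIN\student1234`, which is the kind of evidence that answers post #2's question: a student account sitting in the local Administrators group is a fact the admin can act on, whereas "they can run regedit" is only a symptom. The same allowlist comparison can be repeated across every lab machine and the results handed to the admin together with the account names the original poster already collected.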
