
Thread: windows privilege escalation?

  1. #11
    Senior Member
    Join Date
    May 2004
    Posts
    206
    Originally posted here by slinky2004
    well, i'm positive that the student accounts aren't supposed to have those privileges. they aren't like administrator privs like the school network admins would have, they just have the privileges to do whatever they want on that machine locally. they can read/write anywhere, run regedit, change the background, install things, etc. i know that there isn't any way that they got these privs legitimately either.
    Actually, there's a very good chance they got those legitimately. Users at my school have the same rights, although they aren't admin accounts. Chances are you have another lazy admin.
    It is better to die on your feet than to live on your knees.

  2. #12
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,066
    It is a pretty good chance they got it legitimately, admins give a certain amount of computer savvy and trustworthy students higher privileges to help the admin do certain stuff like install patches for certain software on certain machines, and in return the students get volunteer credits...
    I am the uber duck!!1
    Proxy Tools

  3. #13
    Senior Member
    Join Date
    Oct 2004
    Posts
    172
    actually, all of the accounts belonged to freshmen, so either the admin hasn't locked the freshmen's accts up or some of the freshmen got together and hacked the computers they were on. i guess there's an equal chance of both.

  4. #14
    Junior Member
    Join Date
    Aug 2003
    Posts
    28
    If they didn't get admin privileges from the admin then they probably just went to cmd and typed in:
    at /00:00 /i taskmgr (fill in 00:00 with a time coming up soon)
    once taskmgr opened, killed explorer and opened another with system privileges for that machine
    I believe White Scorpion was first to point out this privilege escalation method.

    As for what to do about it, you could try just talking to the admin, they may not even believe you or they may freak out, but if they didn't give them admin they will definitely want to know about it.

  5. #15
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,066
    It really doesn't matter how the admin privs got there. What really matters is that you changed the password and kept the admin capable account for yourself... right? lol jk...
    I am the uber duck!!1
    Proxy Tools

  6. #16
    Senior Member
    Join Date
    Jan 2004
    Location
    Hawaii
    Posts
    350

    Admin Access

    I have local admin access to every PC. I help out around the school with tech issues. There are two ways I think they could have done it.

    1) If you logon as local administrator, you can add domain users to the local admin group (assuming the domain didn't disable that, ours did).

    or:

    2) On that PC, they created a new user with their name and gave themselves admin privileges. They used their name because the username shows on the XP start menu and they wouldn't want a faculty member noticing...either way, they got the local admin accounts.

    They could have gotten local admin accounts by being a Tech Team member or something...or they took the SAM files home and cracked them with Lopht Crack (http://www.atstake.com/products/lc/) or Cain 2.0 (www.oxid.it).
    There is a nice SAM editor I have. You can change the admin password, and create accounts..all via a Linux bootdisk with a command prompt.

    Hope this helps.

    A_T

    PS - Why do anything about it? Blackmail the little bastards into giving you the password.
    Geek isn't just a four-letter word; it's a six-figure income.

  7. #17
    Senior Member
    Join Date
    Oct 2004
    Posts
    172
    yeah, i guess they could have cracked it that way, but it's starting to seem a lot more likely that the admin forgot to lock the comps for the new freshmen accounts, lol.
    PS - Why do anything about it? Blackmail the little bastards into giving you the password.
    Cuz I wear teh white hat

  8. #18
    Senior Member Kite's Avatar
    Join Date
    Jan 2005
    Location
    Underground Bunker, somewhere in Antarctica
    Posts
    109
    It is a pretty good chance they got it legitimately, admins give a certain amount of computer savvy and trustworthy students higher privileges to help the admin do certain stuff like install patches for certain software on certain machines, and in return the students get volunteer credits...
    *raises hand* guilty.

    Really, just say 'mr. admin, why did i find accounts with admin privileges that students were using?' It may be legitimate, but ask, just to be sure.
    I know your type, you think "I'll just get me a costume, rip off the neighborhood kids". Next thing you know, you've got a jet shaped like a skull with lasers on the front!
    -The Monarch.

  9. #19
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Two other possibilities:

    1. There is some app on those computers that needs admin level access to run (or the admin is too lazy to figure out the correct minimal file permissions).

    2. They used a Linux or PE Builder boot disk and changed the administrator password, then added their account to the local admins group:
    net localgroup administrators myaccount /add

    3. if they just copied off the SAM and SYSTEM file and cracked it using SAMInside and L0phtcrack they could find out the admin password on one computer, and set themselves up to be admins on other boxes remotely after connecting to a file share on them as admin (hope that made sense):

    at \\Some-school-box 11:51am net localgroup administrators myaccount /add

  10. #20
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    If they didn't get admin privileges from the admin then they probably just went to cmd and typed in:
    at /00:00 /i taskmgr (fill in 00:00 with a time coming up soon)
    once taskmgr opened, killed explorer and opened another with system privileges for that machine
    I believe White Scorpion was first to point out this privilege escalation method.
    This would only run if the admin is implementing very poor security on the box. If they can run this command, there are many many additional ways to escalate privileges. Allowing end users to perform administrative tasks such as TASKMGR is an absolute no no.

    Also. It is hard to say how they got root. It could be as easy as booting the NTpassword crack floppy or it could be more complex such as sniffing NTLM sessions then running l0pht or the like against the collected hashes.

    If you ask me, this sounds like piss poor administration is your real issue, not the security incident.

    PS

    The command won't run as written.

    It should be:
    C:\AT 00:00 /i taskmgr

    The extra "/" will hose up the command.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
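
Added example (not part of any post in this thread): a defender-side check for the outcome described in posts #16 and #19, where a student's domain account or a newly created local account ends up in the local Administrators group. It parses captured `net localgroup administrators` output per machine and reports members outside an allowlist; the host names, account names and allowlist are constructed.

```python
# Audit captured `net localgroup administrators` output against an allowlist.
# All hosts, accounts and the allowlist below are constructed sample data.

HEADER = (
    "Alias name     administrators\n"
    "Comment        Administrators have complete and unrestricted access "
    "to the computer/domain\n\nMembers\n\n" + "-" * 79 + "\n"
)
FOOTER = "The command completed successfully.\n"

SAMPLE_OUTPUT = {
    "LAB-PC-01": HEADER + "Administrator\nSCHOOL\\Domain Admins\n" + FOOTER,
    "LAB-PC-02": HEADER + "Administrator\nSCHOOL\\Domain Admins\n"
                          "SCHOOL\\jdoe09\njdoe\n" + FOOTER,
}

# Lower-cased names that are expected on every lab machine (assumption).
ALLOWED = {"administrator", "school\\domain admins"}


def parse_members(output):
    """Return the member names listed after the dashed separator line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("---"):
            in_list = True
        elif in_list and line and not line.startswith("The command completed"):
            members.append(line)
    return members


def audit(outputs, allowed):
    """Map host -> [(member, kind)] for members that are not on the allowlist."""
    findings = {}
    for host, text in outputs.items():
        extra = [
            (m, "domain account" if "\\" in m else "local account")
            for m in parse_members(text)
            if m.lower() not in allowed  # Windows account names are case-insensitive
        ]
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    for host, extra in audit(SAMPLE_OUTPUT, ALLOWED).items():
        for member, kind in extra:
            print(f"{host}: unexpected {kind} in Administrators: {member}")
```
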
