windows privilege escalation?

i was in the computer lab at my school today and i noticed that a few of the computers had not been logged off, so i went to log them off and noticed that several of them had a different background. when i looked into it further, i noticed that all of the accounts with different backgrounds were regular student accounts and that they had full admin privileges, which they definitelyshouldnt have had. i think it's safe to assume that they ran some sort of program that did it for them, i'd just like to find out what it was and how it worked, i'm guessing it was some popular windows rootkit or something, can somebody maybe give me their opinion on what they think it was and what i should do about it?(i've got all their account names ;)). the compromised boxes were running windows xp professional SP1 and i'm pretty sure all of their security measures were done with poledit.

How do you know they had 'full admin' privs?

tell your administrator, definatly, and maybe do a google search for privilage rootkits or something like that.

What it could have been is the may have been just logged in as the local computer administrator so they could install some new programs or whatever but were not logged in as the domain admin.

I would say, check out this thread:

http://www.antionline.com/showthread...hreadid=265821

Jareds411 had a similar problem as you, and the recommendation was to alert your admin anonymously.

good luck,
-ik

Ok, Honestly if I were still in school (its been a few millenium since I was) I would be tempted to keep this under my hat, and see what I could do with the "admin" accounts.

But most likely that won't get you anywhere you wanna go.

I personally wouldn't worry too much about just straight out informing the admin of what you observed. In most cases being straight forward about something like this, in a tactful way will be respected by any admin with half a brain. If I was your admin, I would want to see, and would be interested in knowing how my security was bypassed, not shoot the messanger... :)

Of course you can try the email or letter to him/her without ever giving up who you are... I just dont see the point.

:)

I very much doubt they used poledit..... That was pre Win2k...

I think you meant the LSP or the GP, (Local Security Policy or Group policy). If they managed to use group policy your admin is... er.... screwed... because they would require domain admin rights to do that.... and student with domain admin rights invariably has better grades than their actual work would imply.... ;)

Send your admin a script in a suitably socially engineered email that adds a user to the AD with Domain admin rights and you'll find out 2 things:-

1. Admin is a dumbass that reads email in the context of a domain admin, (I'm guilty of this...)

2. Admin is silly enough to be socially engineered into clicking an attachment or link, (I'm not guilty of this..)

If he's really stupid he won't be able to work out what you did.... :rolleyes:

If he's smart he'll slap you upside the head and tell you to "try and be creative".... :D

I highly doubt that any student got admin privledges and then forgot to log out. Some schools have students that are good with networks and computers help out the school system admin for voluntary credits, because that's a requirment to get into alot of colleges. So the system admin gives them some more priveldges on their accounts to make helping out easier. That's just what goes on in my school anyway, I'm guessing the same goes on in yours and many others...

well, i'm positive that the student accounts aren't supposed to have those privileges. they arent't like administrator privs like the school network admins would have, they just have the privileges to do whatever they want on that machine locally. they can read/write anywhere, run regedit, change the background, install things, etc. i know that there isnt any way that they got these privs legitimagely either.

well, i'm positive that the student accounts aren't supposed to have those privileges. they arent't like administrator privs like the school network admins would have, they just have the privileges to do whatever they want on that machine locally. they can read/write anywhere, run regedit, change the background, install things. i know there isnt any way that they would have gotten these privs legitimately. i dunno what to search on google, i've tried windows rootkits and several other things, i expect that there's some well known program that they used for it, but maybe not... how else could they have done it?