Penetration Testing mailing list archives

Re: [PEN-TEST] Expand right under Win2K


From: Paul Cardon <paul () MOQUIJO COM>
Date: Tue, 9 Jan 2001 16:17:53 -0500

Charlie Rhodes wrote:

We have a win2k where we have access to a cmd.exe with the rights of the
web-server and we would like to obtain administrator rights. Also we
don't have the rights to read the SAM files.
We tried the well-known methods under Win NT 4.0 (like breaknt.exe,
read from raw device) in vain.

Do you have network (ftp) access?  Or floppy access?
http://www.bo2k.com should do the trick.  You'll probably want to configure
the server part off the machine, then load it on.

This is the second time this question has been asked on the list and
almost everybody misunderstands the problem.  Let me restate it:

Suppose a pen-tester has used the IIS Unicode vulnerability to download
a back door such as a netcat listener to the target Win2K server and now
has a remote cmd shell.  At this point the remote shell is running with
IUSR_<MACHINE> privilege since that is the privilege level that the
Unicode vulnerability provides.

Now, how does the pen-tester elevate privilege to Administrator?

Any software that is downloaded (tftp, ftp, whatever) through the remote
command shell will only run with IUSR_<MACHINE> privilege.  Why do
people think that downloading BO2K, netcat, or some such will magically
elevate privilege?  It doesn't.

The only things that are possible are:

1)  There is a known privilege escalation vulnerability that can be
exploited with local unprivileged access.  The attacker can download and
run that code to gain Administrator access.

2)  Brute force attack against accounts with local Administrator
privilege.

3)  Look for vulnerabilities in other systems that the web server can
talk to.  Some of those may expose Domain accounts with Administrator
privilege on the web server or other systems that are trusted by the web
server.

There are others but Win2K does limit some of the nicer possibilities
that existed with NT.

-paul
