Penetration Testing mailing list archives
Re: [PEN-TEST] Expand right under Win2K
From: Paul Cardon <paul () MOQUIJO COM>
Date: Tue, 9 Jan 2001 16:17:53 -0500
Charlie Rhodes wrote:
> We have a win2k where we have access to a cmd.exe with the rights of the web-server and we would like to obtain administrator rights. Also we don't have the rights to read the SAM files. We tried the well-known methods under Win NT 4.0 (like breaknt.exe, read from raw device) in vain.

Do you have network (ftp) access? or floppy access? http://www.bo2k.com should do the trick. You'll probably want to configure the server part off the machine, then load it on.
This is the second time this question has been asked on the list and almost everybody misunderstands the problem. Let me restate it:

Suppose a pen-tester has used the IIS Unicode vulnerability to download a back door such as a netcat listener to the target Win2K server and now has a remote cmd shell. At this point the remote shell is running with IUSR_<MACHINE> privilege since that is the privilege level that the Unicode vulnerability provides. Now, how does the pen-tester elevate privilege to Administrator?

Any software that is downloaded (tftp, ftp, whatever) through the remote command shell will only run with IUSR_<MACHINE> privilege. Why do people think that downloading BO2K, netcat, or some such will magically elevate privilege? It doesn't.

The only things that are possible are:

1) There is a known privilege escalation vulnerability that can be exploited with local unprivileged access. The attacker can download and run that code to gain Administrator access.

2) Brute force attack against accounts with local Administrator privilege.

3) Look for vulnerabilities in other systems that the web server can talk to. Some of those may expose Domain accounts with Administrator privilege on the web server or other systems that are trusted by the web server.

There are others but Win2K does limit some of the nicer possibilities that existed with NT.

-paul
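The point Paul makes, that anything launched from the web server's shell inherits the web server's identity, is also the basis for the defender's check. The following PowerShell audit is an added example and is not code from the thread or from any of its participants; it assumes a modern Windows host with PowerShell 5.1 or later (so `Get-LocalGroupMember` and the CIM cmdlets are available), and the account name `IUSR_<MACHINE>` follows the IIS 5 convention discussed above (current IIS versions use `IUSR`, so pass the real name with `-AnonymousAccount` where it differs). It verifies that the anonymous web account is not a local Administrator and lists every process currently running under that identity, which is where a dropped cmd.exe or netcat listener of the kind described would show up.

```powershell
# Added example (not from the mailing-list thread): audit the identity that the
# web server's spawned processes run under and whether it holds admin rights.
# Assumes PowerShell 5.1+ on Windows. "IUSR_<MACHINE>" is the IIS 5 naming
# convention from the thread; modern IIS uses "IUSR", so override as needed.
param(
    [string]$AnonymousAccount = "IUSR_$env:COMPUTERNAME"
)

# 1. Is the anonymous web account a direct member of the local Administrators
#    group? If it is, an attacker with a shell in that context needs no
#    escalation at all, which is exactly the condition to rule out.
$adminMembers = Get-LocalGroupMember -Group "Administrators" |
    Select-Object -ExpandProperty Name
$isAdmin = $adminMembers -contains "$env:COMPUTERNAME\$AnonymousAccount"
if ($isAdmin) {
    Write-Warning "$AnonymousAccount is a member of local Administrators"
} else {
    Write-Output "$AnonymousAccount is not a direct member of Administrators"
}

# 2. Which processes are running as that account right now? Every process
#    started from the web server's context carries the same token, so an
#    unexpected cmd.exe, nc.exe or tftp.exe here is worth investigating.
$suspects = Get-CimInstance Win32_Process | ForEach-Object {
    # GetOwner returns the User and Domain that own the process token.
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    if ($owner.User -eq $AnonymousAccount) {
        [pscustomobject]@{
            Pid         = $_.ProcessId
            ParentPid   = $_.ParentProcessId
            Name        = $_.Name
            CommandLine = $_.CommandLine
        }
    }
}

if ($suspects) {
    Write-Output "Processes running as $AnonymousAccount:"
    $suspects | Format-Table -AutoSize
} else {
    Write-Output "No processes currently running as $AnonymousAccount"
}
```

Run it from an elevated prompt on the web server (reading other users' process owners requires administrative rights). The process listing is the more useful half for detection: the web server's own worker process is expected, but a command interpreter, a file-transfer client or a listener under the anonymous account is the footprint of precisely the scenario Paul describes, and it appears there whether or not the attacker has managed to escalate.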
Current thread:
- [PEN-TEST] Expand right under Win2K Foldi Tamas (Jan 09)
- Re: [PEN-TEST] Expand right under Win2K Charlie Rhodes (Jan 09)
- Re: [PEN-TEST] Expand right under Win2K Paul Cardon (Jan 09)
- Re: [PEN-TEST] Expand right under Win2K Julian Linton (Jan 09)
- Re: [PEN-TEST] Expand right under Win2K Nelson Brito (a.k.a. stderr) (Jan 10)
- Re: [PEN-TEST] Expand right under Win2K Paul Cardon (Jan 10)
- Re: [PEN-TEST] Expand right under Win2K Tamas Foldi (Jan 10)
- Re: [PEN-TEST] Expand right under Win2K Julian Linton (Jan 11)
- Re: [PEN-TEST] Expand right under Win2K Nelson Brito (a.k.a. stderr) (Jan 11)
- Re: [PEN-TEST] Expand right under Win2K Nelson Brito (a.k.a. stderr) (Jan 11)
- Re: [PEN-TEST] Expand right under Win2K Paul Cardon (Jan 09)
- Re: [PEN-TEST] Expand right under Win2K Pascal C. Kocher (Jan 10)
- Re: [PEN-TEST] Expand right under Win2K Charlie Rhodes (Jan 09)
- <Possible follow-ups>
- Re: [PEN-TEST] Expand right under Win2K Edwards, David (JTD) (Jan 09)
- Re: [PEN-TEST] Expand right under Win2K Complx1 * (Jan 09)