Penetration Testing mailing list archives
Re: privilege escalation techniques
From: miguel.dilaj () pharma novartis com
Date: Mon, 17 Jan 2005 21:54:24 +0000
Hi jnf!

Good question. I used a tool to write to NTFS volumes, as mentioned in point (1) of my post. This was probably not clear in my original post, sorry.

And answering another good question you made off-list:

> What is the point then? If you can write to anything on the fs, why not just skip the middle man and write a new SAM file, or just add a new program to run on boot in the registry/etc.? What do you gain by adding extra steps?

Your options are perfectly valid, but much more detectable (IMHO). With the option of changing sethc.exe you are not running anything extra, you are not modifying the SAM (that can count as evidence against you in case of problems), and you don't even need to crack passwords. It's just a CLI as SYSTEM on request ;-)

But as you pointed out, the possibilities are endless.

Cheers,

Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG
We need YOU at www.oissg.org!

lists <lists () innocence-lost net>
17/01/2005 19:19
To: Miguel Dilaj/PH/Novartis@PH
cc: pen-test () securityfocus com
Subject: Re: privilege escalation techniques
> 3) the one I've chosen, similar to (1) above. I've XP with the Accessibility Tools installed by default. They monitor some keys, and if for example you press SHIFT 5 times a popup appears where you can activate and configure the accessibility tools. The program responsible for that is sethc.exe, and the guys at Micro$oft committed the cardinal mistake of not making IT check if SHIFT was pressed 5 times, but to include that in some other part of the OS (kernel? ;-)
>
> So if you press SHIFT 5 times, sethc.exe is executed, but it doesn't matter WHAT sethc.exe IS. You guessed it: I replaced sethc.exe by a copy of cmd.exe. If I press that BEFORE login, a CLI as SYSTEM is started, and I can launch compmgmt.msc and add myself to the local administrators group (please note that if you start it AFTER login, a CLI is started as your user).

How do you suppose one gets write access to sethc.exe without admin privs in the first place? I cannot overwrite my sethc.exe, nor can I change the system Path variables, and it gets prepended to my path before user variables do. Are you sure you didn't test this while logged in as an admin?

jnf
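One way to check a host for the sethc.exe replacement discussed in this thread, from the defender's side, is to compare the accessibility binaries in System32 byte-for-byte against cmd.exe and flag any that turn out to be a copy. The script below is an added example and is not code from either poster. It assumes the caller supplies the System32 directory path; the files written by build_demo_dir are constructed stand-ins so the script runs offline, and the list of binaries is generalized beyond sethc.exe to the other accessibility helpers that run from the logon screen (utilman.exe, osk.exe, narrator.exe, magnify.exe), which is an assumption of this example rather than something the thread covers.

```python
"""Detect accessibility binaries that are a byte-for-byte copy of cmd.exe.

Added example (not from the mailing-list posters). The directory checked is
supplied by the caller; build_demo_dir() creates constructed sample files.
"""
import hashlib
import os
import tempfile

# sethc.exe is the binary named in the thread. The others are assumed for
# this example: they are also launched from the logon screen as SYSTEM.
ACCESSIBILITY_BINARIES = [
    "sethc.exe",
    "utilman.exe",
    "osk.exe",
    "narrator.exe",
    "magnify.exe",
]


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_replaced_binaries(system32_dir, names=ACCESSIBILITY_BINARIES):
    """Return the names of accessibility binaries whose content is identical
    to cmd.exe in the same directory, i.e. the replacement trick from the thread."""
    cmd_path = os.path.join(system32_dir, "cmd.exe")
    if not os.path.isfile(cmd_path):
        raise FileNotFoundError(cmd_path)
    cmd_size = os.path.getsize(cmd_path)
    cmd_hash = sha256_of(cmd_path)
    hits = []
    for name in names:
        path = os.path.join(system32_dir, name)
        if not os.path.isfile(path):
            continue  # helper not present on this build; nothing to compare
        # Compare sizes first so that untouched binaries are not hashed needlessly.
        if os.path.getsize(path) == cmd_size and sha256_of(path) == cmd_hash:
            hits.append(name)
    return hits


def build_demo_dir():
    """Construct a fake System32 layout: a stand-in cmd.exe, a sethc.exe that
    is a copy of it, and an osk.exe that is untouched. All contents are made up."""
    d = tempfile.mkdtemp(prefix="sys32_demo_")
    cmd_bytes = b"MZ constructed cmd.exe stand-in"
    with open(os.path.join(d, "cmd.exe"), "wb") as f:
        f.write(cmd_bytes)
    with open(os.path.join(d, "sethc.exe"), "wb") as f:
        f.write(cmd_bytes)  # the replaced helper: same bytes as cmd.exe
    with open(os.path.join(d, "osk.exe"), "wb") as f:
        f.write(b"MZ constructed osk.exe stand-in")  # untouched helper
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    print(find_replaced_binaries(demo))  # ['sethc.exe']
```

Against a real host, call find_replaced_binaries(r"C:\Windows\System32"). A hash match against cmd.exe only catches the exact swap described in the thread; a copy of any other program, or a modified cmd.exe, would not match. A more general check compares each helper against a known-good hash baseline or verifies its Authenticode signature.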
Current thread:
- privilege escalation techniques Dan Rogers (Jan 17)
- Re: privilege escalation techniques Chuck Herrin (Jan 17)
- <Possible follow-ups>
- Re: privilege escalation techniques miguel . dilaj (Jan 17)
- Re: privilege escalation techniques lists (Jan 18)
- Re: privilege escalation techniques jnf (Jan 18)
- RE: privilege escalation techniques John Cobb (Jan 20)
- Re: privilege escalation techniques miguel . dilaj (Jan 20)
- Re: privilege escalation techniques jnf (Jan 20)
- Re: privilege escalation techniques miguel . dilaj (Jan 20)
- RE: privilege escalation techniques Marc Maiffret (Jan 20)
- Re: privilege escalation techniques BSK (Jan 20)
- RE: privilege escalation techniques Dave Wells (Jan 20)
- RE: privilege escalation techniques Michael Howard (Jan 20)
- Re: privilege escalation techniques BSK (Jan 20)
- RE: privilege escalation techniques Roy Stapleton (Jan 21)
- RE: privilege escalation techniques Eyal Udassin (Jan 22)
- Re: privilege escalation techniques Pieter Danhieux (Jan 23)
- Re: privilege escalation techniques Thor (Jan 23)
- RE: privilege escalation techniques Eyal Udassin (Jan 23)
- RE: privilege escalation techniques Eyal Udassin (Jan 22)