Friday, September 22, 2006

Sometimes a work-issued computer has restricted access for an employee account. This is to ensure that the employee can make no harmful changes to the workstation. Mostly, I support this policy. It eliminates headache at the Help Desk and can save the company hundreds of dollars a year in ibuprofen.
While I mostly support the policy, I can't stand it if it is applied to me. There are times when someone might want elevated privileges - to diagnose issues, check system directories, or install awesome (and maybe work-related) applications.
If you find yourself in this situation, you may have no choice but to elevate your own system rights.
In Windows systems, there is a master account called "Administrator". This account can do almost everything you'd ever want to do. However, it is essentially a Unix "Root" account with some of the more powerful bits (like modifying system processes) locked out.
Let's skip "Administrator" and hack the "System" account, which is like the local administrator account but with "Root"-like powers far beyond those of normal accounts.

I will now walk you through the process of obtaining SYSTEM privileges.

To start, open up a command prompt (Start > Run > cmd > [ENTER]).

At the prompt, enter the following command, then press [ENTER]:

Code:

at

Yeah, that's it. Two letters. The "at" command is essentially a scheduler used to perform a function "at" a specified time.
If it responds with an "access denied" error, then we are out of luck, and you'll have to try another method of privilege escalation; if it responds with "There are no entries in the list" (or sometimes with multiple entries already in the list) then we are good. Access to the "at" command varies, on some installations of Windows, even the Guest account can access it, on others it's limited to Administrator accounts. If you can use the "at" command, enter the following commands, then press [ENTER]:

Code:

at 14:35 /interactive "cmd.exe"

I'll break down the preceding code. The "at" told the machine to run the at command, everything after that are the operators for the command, the important thing here, is to change the time (24 hour format) to one minute after the time currently set on your computers clock, for example: If your computer's clock says it's 4:30pm, convert this to 24 hour format (16:30) then use 16:31 as the time in the command.
One minute later, you should see a command prompt pop up, just like it did before we started this project. The difference is that the "at" command runs as SYSTEM, and everything called from there will run as SYSTEM as well.
Typing "explorer.exe" will open a folder displaying local and network drives.
Typing "iexplorer.exe" will give your SYSTEM session access to the Internet.
Typing the path to an installer will allow you to add new software.
Revel in your godlike authority.
Rebooting is probably the fastest way to put the safety back on before something gets broken and questions are asked.

I would be remiss if I did not provide the mitigation solution to this. To prevent this type of foolishness on a system you just need to change the account used by the "at" command.

3 comments:

Joe said...

I just drove back from Round Top, TX from that Honors trip ... with a kid with an iPod ... who played it over the radio ... and all he had was about 2000 Christian rock songs ...

You can't cut people off and tailgate and swear at old people who drive poorly when you are compelled to listen to happy people about their relationship with God. This is how they got Manuel Noriega out of his palace in Panama.

Holy crap ... and I say this without any irony.

Garrick said...

You must be prepared to overcome differing musical tastes with the power of metal.
I highly recommend Winger.

Do you suppose this young honor student stole all this Christian music off the internet? I hear that's what the kids are doing now.

Sinners.

Darrell Davis said...

I am stuck, If I respond with "Fun things to do with a ping command" or "Keyloggers are your friend" it's just going to end up in a bad way. This is not a challenge to prove who can break more stuff, I submit, I submit... Well you do have a wireless network.