Demonstration of Windows XP Privilege Escalation Exploit
This article is a tutorial on how to trick Windows XP into giving you system privileges. Using simple command line tools on a machine running Windows XP, we will obtain system level privileges. The system run level is higher than administrator, and has full control of the operating system and its kernel. On many machines this can be exploited even with the guest account. This system account allows for several other things that aren’t normally possible (like resetting the administrator password).
The Local System account is used by the Windows OS to control various aspects of the system (kernel, services, etc); the account shows up as SYSTEM in the Task Manager process list, as seen in the following screen shot:
Local System differs from an Administrator account in that it has full control of the operating system, similar to root on a *nix machine. Most System processes are required by the operating system and cannot be closed, even by an Administrator account; attempting to close them will result in an error message.
The following quote from Wikipedia explains this in an easy-to-understand way:
Quote: In Windows NT and later systems derived from it (Windows 2000, Windows XP, Windows Server 2003 and Windows Vista), there may or may not be a superuser. By default, there is a superuser named Administrator, although it is not an exact analogue of the Unix root superuser account. Administrator does not have all the privileges of root because some superuser privileges are assigned to the Local System account in Windows NT.
Under normal circumstances, a user cannot run code as System; only the operating system itself has this ability. By using the command line, however, we will trick Windows into running our desktop as System, along with all applications that are started from within it.
Procedure to get system level access and privilege escalation in Windows
I will now walk you through the process of obtaining SYSTEM privileges and a demonstration of this Windows XP admin exploit / super user hack.
To start, let’s open up a command prompt (Start > Run > cmd > [ENTER]).
At the prompt, enter the following command, then press [ENTER]:
| Code: |
| at |
If it responds with an “access denied” error, then we are out of luck, and you’ll have to try another method of privilege escalation; if it responds with “There are no entries in the list” (or sometimes with multiple entries already in the list), then we are good. Access to the at command varies: on some installations of Windows even the Guest account can access it, on others it’s limited to Administrator accounts. If you can use the at command, enter the following command, then press [ENTER]:
| Code: |
| at 21:01 /interactive "cmd.exe" |
Let’s break down the preceding code. The “at” told the machine to run the at command; everything after that is an argument to the command. The important thing here is to change the time (24 hour format) to one minute after the time currently set on your computer’s clock. For example, if your computer’s clock says it’s 4:30pm, convert this to 24 hour format (16:30), then use 16:31 as the time in the command. If you issue the at command again with no arguments, you should see something similar to this:

When the system clock reaches the time you set, then a new command prompt will magically run. The difference is that this one is running with system privileges (because it was started by the task scheduler service, which runs under the Local System account). It should look like this:

You’ll notice that the title bar has changed from cmd.exe to svchost.exe (which is short for Service Host). Now that we have our system command prompt, you may close the old one. Run Task Manager by either pressing CTRL+ALT+DELETE or typing taskmgr at the command prompt. In task manager, go to the processes tab, and kill explorer.exe; your desktop and all open folders should disappear, but the system command prompt should still be there.
At the system command prompt, enter in the following:
| Code: |
| explorer.exe |

Now that we have SYSTEM access, everything that we run from our explorer process will have it too: browsers, games, etc. You also have the ability to reset the administrator’s password, and kill other processes owned by SYSTEM. You can do anything on the machine, the equivalent of root; you are now God of the Windows machine. I’ll leave the rest up to your imagination.
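A defender's view of the steps above, as an added example that is not part of the original article: a small Python detector that flags `at ... /interactive` jobs and ties the SYSTEM shell the scheduler later spawns back to the account that queued the job. The event records and their field names are constructed for illustration and do not follow any real log schema.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records; field names are assumptions, not a real log schema.
EVENTS = [
    {"ts": "2009-03-01 02:00:00", "user": "LAB\\backup", "image": "at.exe",
     "parent": "cmd.exe", "cmdline": "at 03:00 /every:M,T,W backup.cmd"},
    {"ts": "2009-03-01 16:30:12", "user": "LAB\\alice", "image": "at.exe",
     "parent": "cmd.exe", "cmdline": 'at 16:31 /interactive "cmd.exe"'},
    {"ts": "2009-03-01 16:31:00", "user": "NT AUTHORITY\\SYSTEM", "image": "cmd.exe",
     "parent": "svchost.exe", "cmdline": "cmd.exe"},
    {"ts": "2009-03-01 16:33:40", "user": "NT AUTHORITY\\SYSTEM", "image": "explorer.exe",
     "parent": "cmd.exe", "cmdline": "explorer.exe"},
    {"ts": "2009-03-01 16:35:02", "user": "LAB\\alice", "image": "explorer.exe",
     "parent": "userinit.exe", "cmdline": "explorer.exe"},
]

SYSTEM = "NT AUTHORITY\\SYSTEM"
DESKTOP_IMAGES = {"cmd.exe", "explorer.exe"}
# Matches: at HH:MM ... /interactive <quoted or bare command>
AT_INTERACTIVE = re.compile(
    r'^\s*at(?:\.exe)?\s+(\d{1,2}:\d{2})\b.*?/interactive\s+"?([^"]+)"?', re.I)

def detect(events, window=timedelta(minutes=2)):
    """Return (rule, timestamp, attributed_user) tuples in time order."""
    findings, pending = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        m = AT_INTERACTIVE.match(ev["cmdline"])
        if m:
            hh, mm = map(int, m.group(1).split(":"))
            due = ts.replace(hour=hh, minute=mm, second=0)
            if due < ts:  # a time that has already passed is scheduled for tomorrow
                due += timedelta(days=1)
            pending.append((due, m.group(2).strip().lower(), ev["user"]))
            findings.append(("at_interactive_job", ev["ts"], ev["user"]))
        elif ev["user"].upper() == SYSTEM and ev["image"].lower() in DESKTOP_IMAGES:
            # Tie a scheduler-spawned SYSTEM shell back to whoever queued the job.
            owner = next((u for due, cmd, u in pending
                          if cmd == ev["image"].lower()
                          and ev["parent"].lower() == "svchost.exe"
                          and due <= ts <= due + window), None)
            if owner:
                findings.append(("system_shell_from_at_job", ev["ts"], owner))
            else:
                findings.append(("desktop_process_as_system", ev["ts"], ev["user"]))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The recurring backup job and the user's own explorer.exe are not flagged; an explorer.exe owned by SYSTEM is the strongest signal of the three, since a desktop shell has no ordinary reason to run under that account.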

Resetting Administrator’s password




this is cool! thanks for the help. now i can get payback on my brother! man he’s going to scream at what i’m going to do with his profile. thanks!
There is a much easier way to change passwords of accounts
goto START >> RUN
type:
net users
this shows a list of users
next type:
net user USER *
where user is the user name exactly, and don’t forget the * afterwards. Then it should say please type password and then make you confirm it. To delete the password, simply hit enter without entering a password, and again to confirm it.
NOTE: this does require admin privileges in the first place but is an easy reset for admin accounts or other user accounts you don’t remember the password to or if you are the system admin and need access to the account.
ANOTHER NOTE: as the original intent of this article was not resetting the password but instead a way of gaining SYSTEM account access to run explorer and other windows programs, I found this to be a fantastic article. I was simply seeing that the intent of many was to use this for resetting passwords, so I thought I’d show an easier way. Many of you, I don’t think, see the full benefits one gets from being able to run explorer and its dependencies from the SYSTEM account. Many props to the author of this article for the great information.
it doesn’t work!!!!!:S :S :S :S
it doesn’t work!!!!!!
The thing is, when u typed
at
did Access denied come up? If it did, then u will have to log into the Admin account, or right click and press “Run as Administrator”.
If you typed this:
at 21:01 /interactive "cmd.exe"
at like, 1 o’clock in the morning, that means that the cmd will open again at 8:00. You have to change that 21:01 to the time ur near to. For example, if u were doing this at 1:00, try typing in this:
at 13:03 /interactive "cmd.exe"
And so that it will pop up in 3 or 2 minutes. U can change it to 13:01, but that is advisable only to do if you started off the experiment at 1:00 and there’s 40 seconds to go. 13:03 is better if ur a slow typer.
try it!
it really works man I can’t believe it this is awesome..now I can fuck the losers..ha ha ha evil
This worked on my 2k sp 4 and on my xp sp 2 both as admin. But I think one of the services packs disallowed executing this as guest or another unprivileged user.
you have to have administrative rights to use the “at” command in the command prompt and if you don’t this method will not work. If you want this method to work then u have to add your account to the “local admin group” in the computer management application. you can get this application by clicking “start” > right click on “My computer” > and then click on “manage”.
Justin, what we wanna do is to get the admin rights here; that’s why we use system account. The above trick makes sense if you have the limited account. But “at” is denied if you have limited user account. that’s a catch-22
Works fine! Thanks…
What about privilege escalation from a guest user?
Maybe this would work for building PE boot disks from OEM company Windows. Like Dell or HP XP disk that have those 4 hives locked down where even Administrator doesn’t have the rights…
Works on some computers, but not others. I love it!
i tried using at command…but it doesnt work….
as per justin, can u please give the detailed explanation for ur method? step by step….coz getting onto admin using guest profile is ‘ACCESS IS DENIED’ problem….
it doesn’t work, is there any other way?
it says that the “access is denied”
NICE BYPASS… THIS DOES WORK!!!…
IF this does not work for you GO BACK TO THE MAC.
Very clever… reminds me of the old MSINFO bypass…
this will work only if you are logged in with an account having the privilege of “Computer Administrator”
If you are logged on with “Limited” account then this won’t work
Still counts as privesc since it moves from admin to system.
Notes, in order to make it work I had to remove the quotes from around cmd.exe, and endtask my own explorer before starting the new one.
And even after that, I do not see the administrator as a user in the default users menu.
However, one can run…
control userpasswords2
…to access the administrator account.
Thank you very much
While potentially useless as a hack, this is very handy as a utility.
is working like a charm … now i can reset the privileges on my machine
It’s pretty cool. I used to log in as system. But can u discuss more about the tricks and privileges which can b performed in it. Is finding the Password of admin possible?
Man it’s useful for admin privileges:)
If you run your account with restricted privileges you have no privilege to use the at <= command.
Because for restricted users running the at command is access denied:) LOL
Article is ++.
Respect++
It worked! =0. thanks =D
This hack works well especially if you are the admin user or belong to the admin group, now I can change the administrator’s password using command line tool…I can now amuse myself.
does anyone know if this exploit will allow you to install a network connection? if so, please email me at total_annihilationx666v@yahoo.com and let me know how
And, How I do the same in Windows Vista?
This didn’t work for me. svchost.exe window never opened up. I typed at command again and it said error and listed the job as tomorrow. I typed the command perfectly… tried it 4 times, copied & pasted then changed time. Shows correctly until go time comes then “at” lists at error tomorrow.
if u are using this only to change admin pwd u can do it with manage (right click of my computer) , at “LOCAL users and groups” -> users -> right click on the user and SET PASSWORD.
ask admin to give you privilege…simple.
it worked for me…now i want to disable this command on my machine..how can i do that
the at command, by default, is only available for administrators anyway so what’s the point? This won’t work on any modern xp system from inside a limited account. This does have its uses, but not as practical privilege escalation. Look for the “net use” buffer overflow to get privilege escalation.
Neat man..thanks