Demonstration of Windows XP Privilege Escalation Exploit

This article is a tutorial on how to trick Windows XP into giving you system privileges. Using simple command-line tools on a machine running Windows XP, we will obtain system-level privileges. The system run level is higher than administrator, and has full control of the operating system and its kernel. On many machines this can be exploited even with the guest account. This system account allows for several other things that aren’t normally possible (like resetting the administrator password).
The Local System account is used by the Windows OS to control various aspects of the system (kernel, services, etc); the account shows up as SYSTEM in the Task Manager process list, as seen in the following screen shot:
Local System differs from an Administrator account in that it has full control of the operating system, similar to root on a *nix machine. Most System processes are required by the operating system and cannot be closed, even by an Administrator account; attempting to close them will result in an error message.

The following quote from Wikipedia explains this in an easy-to-understand way:
Quote: In Windows NT and later systems derived from it (Windows 2000, Windows XP, Windows Server 2003 and Windows Vista), there may or may not be a superuser. By default, there is a superuser named Administrator, although it is not an exact analogue of the Unix root superuser account. Administrator does not have all the privileges of root because some superuser privileges are assigned to the Local System account in Windows NT.

Under normal circumstances, a user cannot run code as System; only the operating system itself has this ability. But by using the command line, we will trick Windows into running our desktop as System, along with all applications that are started from within.

Procedure to get system level access and privilege escalation in Windows

I will now walk you through the process of obtaining SYSTEM privileges and a demonstration of this Windows XP admin exploit / super user hack.

To start, let’s open up a command prompt (Start > Run > cmd > [ENTER]).

At the prompt, enter the following command, then press [ENTER]:

Code:
at

If it responds with an “access denied” error, then we are out of luck, and you’ll have to try another method of privilege escalation; if it responds with “There are no entries in the list” (or sometimes with multiple entries already in the list), then we are good. Access to the at command varies: on some installations of Windows even the Guest account can access it, on others it’s limited to Administrator accounts. If you can use the at command, enter the following command, then press [ENTER]:

Code:
at 21:01 /interactive "cmd.exe"

Let’s break down the preceding command. The “at” tells the machine to run the at command; everything after that is a parameter to the command. The important thing here is to change the time (24-hour format) to one minute after the time currently set on your computer’s clock. For example, if your computer’s clock says it’s 4:30pm, convert this to 24-hour format (16:30), then use 16:31 as the time in the command. If you issue the at command again with no parameters, you should see something similar to this:



    

When the system clock reaches the time you set, then a new command prompt will magically run. The difference is that this one is running with system privileges (because it was started by the task scheduler service, which runs under the Local System account). It should look like this: 

  

 

You’ll notice that the title bar has changed from cmd.exe to svchost.exe (which is short for Service Host). Now that we have our system command prompt, you may close the old one. Run Task Manager by either pressing CTRL+ALT+DELETE or typing taskmgr at the command prompt. In Task Manager, go to the Processes tab and kill explorer.exe; your desktop and all open folders should disappear, but the system command prompt should still be there.

At the system command prompt, enter in the following:

 

Code:
explorer.exe
A desktop will come back up, but what’s this? It isn’t your desktop. Go to the Start menu and look at the user name; it should say “SYSTEM”. Also open up Task Manager again, and you’ll notice that explorer.exe is now running as SYSTEM. The easiest way to get back into your own desktop is to log out and then log back in.


Now that we have SYSTEM access, everything that we run from our explorer process will have it too: browsers, games, etc. You also have the ability to reset the administrator’s password, and kill other processes owned by SYSTEM. You can do anything on the machine, the equivalent of root; you are now God of the Windows machine. I’ll leave the rest up to your imagination.
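The end state described above (explorer.exe and cmd.exe owned by SYSTEM) is visible in a process listing, so a defender can check for it. The following is an added example, not part of the original article: it parses a snapshot in the layout of `tasklist /v /fo csv` (English-locale column names) and flags interactive programs running as SYSTEM. The sample rows are constructed, and the watch list and function name are assumptions.

```python
import csv
import io

# Programs that normally run as the logged-on user; this watch list is an assumption.
INTERACTIVE_IMAGES = {"explorer.exe", "cmd.exe", "taskmgr.exe"}
SYSTEM_ACCOUNTS = {"nt authority\\system", "system"}

# Constructed sample in the layout of `tasklist /v /fo csv` (English locale).
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","1012","Console","0","18,204 K","Running","NT AUTHORITY\\SYSTEM","0:00:07","N/A"
"explorer.exe","1680","Console","0","21,340 K","Running","WORKSTATION\\alice","0:00:12","N/A"
"taskmgr.exe","1904","Console","0","3,100 K","Running","N/A","0:00:01","N/A"
"cmd.exe","2244","Console","0","2,512 K","Running","NT AUTHORITY\\SYSTEM","0:00:00","N/A"
"explorer.exe","2388","Console","0","19,876 K","Running","NT AUTHORITY\\SYSTEM","0:00:03","N/A"
'''


def audit_tasklist(tasklist_csv):
    """Return (findings, unresolved) for one tasklist CSV snapshot.

    findings: (image, pid, user) for interactive programs owned by SYSTEM.
    unresolved: count of watched processes whose owner is shown as N/A,
    which means the listing was taken without the rights to read it.
    """
    findings, unresolved = [], 0
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        image = (row.get("Image Name") or "").strip().lower()
        user = (row.get("User Name") or "").strip()
        if image not in INTERACTIVE_IMAGES:
            continue  # services such as svchost.exe legitimately run as SYSTEM
        if user.upper() in ("", "N/A"):
            unresolved += 1
        elif user.lower() in SYSTEM_ACCOUNTS:
            findings.append((image, int(row["PID"]), user))
    return findings, unresolved


if __name__ == "__main__":
    hits, unknown = audit_tasklist(SAMPLE_TASKLIST)
    for image, pid, user in hits:
        print(f"ALERT: {image} (PID {pid}) is running as {user}")
    if unknown:
        print(f"{unknown} watched process(es) had no visible owner; rerun as an administrator")
```

A hit on cmd.exe alone can be a service running a batch file, so treat explorer.exe or taskmgr.exe owned by SYSTEM as the stronger signal.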



Comments

21 Responses to “Demonstration of Windows XP Privilege Escalation Exploit”

  1. daniel salinas on November 6th, 2006 5:03 pm

    This is cool! Thanks for the help. Now I can get payback on my brother! Man, he’s going to scream at what I’m going to do with his profile. Thanks!

  2. marvyn on May 10th, 2007 5:50 am

    It doesn’t work!!!!! :S :S :S :S

  3. marvyn on May 10th, 2007 5:54 am

    It doesn’t work!!!!!!

  4. Livius on May 28th, 2007 3:15 pm

    It really works, man, I can’t believe it, this is awesome.. now I can fuck the losers.. ha ha ha evil

  5. Sean on June 11th, 2007 3:41 am

    This worked on my 2k SP4 and on my XP SP2, both as admin. But I think one of the service packs disallowed executing this as guest or another unprivileged user.

  6. justin on October 4th, 2007 9:10 am

    You have to have administrative rights to use the “at” command in the command prompt, and if you don’t, this method will not work. If you want this method to work then you have to add your account to the “local admin group” in the computer management application. You can get this application by clicking “start” > right click on “My computer” > and then click on “manage”. :)

  7. Windows XP Privilege Escalation | Sam’s Blog The Penetration Tester on October 26th, 2007 5:15 am

    [...] Bye. Credit: AskStudent tag:Windows Hacking Share and Enjoy: These icons link to social bookmarking sites where readers [...]

  8. Turker on November 10th, 2007 3:30 pm

    Justin, what we wanna do is to get the admin rights here; that’s why we use system account. The above trick makes sense if you have the limited account. But “at” is denied if you have limited user account. that’s a catch-22 ;)

  9. MisterEddy on November 12th, 2007 2:02 pm

    Works fine! Thanks…

  10. Arturo on November 20th, 2007 11:38 pm

    What about privilege escalation from a guest user?

  11. Lost Link on December 14th, 2007 10:46 pm

    Maybe this would work for building PE boot disks from OEM company Windows. Like Dell or HP XP disk that have those 4 hives locked down where even Administrator doesn’t have the rights…

  12. bggraves on December 20th, 2007 6:26 pm

    Works on some computers, but not others. I love it!

  13. ishita on April 4th, 2008 5:59 am

    I tried using the at command… but it doesn’t work…. :((

    As per Justin, can you please give the detailed explanation for your method? Step by step…. because getting onto admin using guest profile is an ‘ACCESS IS DENIED’ problem….

  14. kyled on April 21st, 2008 11:31 pm

    It doesn’t work, are there any other ways?

  15. xxxxxx on May 21st, 2008 5:12 am

    It says that the “access is denied”

  16. Elusiverite on July 2nd, 2008 3:00 pm

    NICE BYPASS… THIS DOES WORK!!!…

    IF this does not work for you GO BACK TO THE MAC.

    Very clever… reminds me of the old MSINFO bypass…

  17. Slim on August 15th, 2008 9:18 am

    This will work only if you are logged in with an account having the privilege of “Computer Administrator”.
    If you are logged on with a “Limited” account then this won’t work :)

  18. Brandon Sergent on October 6th, 2008 5:51 pm

    Still counts as privesc since it moves from admin to system.

    Notes, in order to make it work I had to remove the quotes from around cmd.exe, and endtask my own explorer before starting the new one.

    And even after that, I do not see the administrator as a user in the default users menu.

    However, one can run…

    control userpasswords2

    …to access the administrator account.

    Thank you very much :)

    While potentially useless as a hack, this is very handy as a utility.

  19. iCORE on October 9th, 2008 7:02 pm

    is working like a charm … now i can reset the privileges on my machine :)

  20. Abhishek on October 16th, 2008 10:56 am

    It’s pretty cool. I used to log in as system. But can you discuss more about the tricks and privileges which can be performed in it? Is finding the password of admin possible?

  21. Digital Bond » The Importance Of Permission on November 6th, 2008 9:52 am

    [...] are many techniques for privilege escalation and abusing permissions, for example I came across this article which shows the following [...]
