Tuesday 16 August 2011

Hacking "ADMIN" from "USER" mode and more

Really, that is possible!

Refer to the other articles on this wiki for the same topic,

as Windows seems to have fixed this bug.

You can still read on for educational purposes.

You know why it is called a "user" account: it lacks some of the service-level privileges that an "administrator" account has.

Using simple command line tools on
a machine running Windows XP we will obtain system level privileges
and run the entire explorer process (Desktop), so that all processes
started from it have system privileges. The system run level is higher
than administrator, and has full control of the operating system and its
kernel. On many machines this can be exploited even with the guest
account. At the time I'm publishing this, I have been unable to find
any other mention of people running an entire desktop as SYSTEM,
although I have seen some articles regarding the SYSTEM command prompt.

Local privilege escalation is useful on any system that a hacker may
compromise; the system account allows for several other things that
aren’t normally possible (like resetting the administrator password).

The Local System account is used
by the Windows OS to control various aspects of the system (kernel,
services, etc.); the account shows up as SYSTEM in the Task Manager.

Local System differs from an
Administrator account in that it has full control of the operating
system, similar to root on a *nix machine. Most System processes are
required by the operating system and cannot be closed, even by an
Administrator account; attempting to close them will result in an error
message. The following quote from Wikipedia (the paragraph on Windows NT
further down) explains this in an easy-to-understand way:

You can trick the system into running a program, script, or batch file with system level privileges.

One sample

One trick is to use a vulnerability in Windows long filename support.

Try placing an executable named
Program.* in the root directory of the "Windows" drive, then reboot.
The system may run Program.* with system level privileges, as long
as one of the applications in the "Program Files" directory is a
startup app. The call to "Program Files" will be intercepted by

Microsoft eventually caught on
to that trick. Nowadays more and more of the startup applications are
being coded to use limited privileges.


In Windows NT and later systems derived from it (Windows 2000, Windows
XP, Windows Server 2003 and Windows Vista), there may or may not be a
superuser. By default, there is a superuser named Administrator,
although it is not an exact analogue of the Unix root superuser account.
Administrator does not have all the privileges of root because some
superuser privileges are assigned to the Local System account in Windows.

Under normal circumstances, a user
cannot run code as System; only the operating system itself has this
ability. By using the command line, however, we will trick Windows into
running our desktop as System, along with all applications that are
started from within it.

Getting SYSTEM

I will now walk you through the process of obtaining SYSTEM privileges.

To start, let's open up a command prompt (Start > Run > cmd > [ENTER]).

At the prompt, enter the following command, then press [ENTER]:



If it responds with an "access
denied" error, then we are out of luck, and you'll have to try another
method of privilege escalation; if it responds with "There are no
entries in the list" (or sometimes with multiple entries already in the
list) then we are good. Access to the at command varies: on some
installations of Windows even the Guest account can use it, on
others it is limited to Administrator accounts. If you can use the at
command, enter the following command, then press [ENTER]:


at 15:25 /interactive "cmd.exe"

Let's break down the preceding
command. The "at" told the machine to run the at command; everything
after that are the arguments to the command. The important thing here
is to change the time (24 hour format) to one minute after the time
currently shown by your computer's clock. For example: if your computer's
clock says it's 4:30pm, convert this to 24 hour format (16:30), then use
16:31 as the time in the command. If you issue the at command again
with no arguments, then you should see something similar to this:

When the system clock reaches the
time you set, then a new command prompt will magically run. The
difference is that this one is running with system privileges (because
it was started by the task scheduler service, which runs under the Local
System account). It should look like this:

You’ll notice that the title bar
has changed from cmd.exe to svchost.exe (which is short for Service
Host). Now that we have our system command prompt, you may close the
old one. Run Task Manager by either pressing CTRL+ALT+DELETE or typing
taskmgr at the command prompt. In task manager, go to the processes
tab, and kill explorer.exe; your desktop and all open folders should
disappear, but the system command prompt should still be there.

At the system command prompt, enter the following:



A desktop will come back up, but
what is this? It isn't your desktop. Go to the start menu and look at the
user name; it should say "SYSTEM". Also open up task manager again, and
you'll notice that explorer.exe is now running as SYSTEM. The easiest
way to get back into your own desktop is to log out and then log back
in. The following 2 screenshots show my results (click to zoom):

System user name on start menu

explorer.exe running under SYSTEM
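For administrators who want to check a machine for the footprint this walkthrough leaves behind, here is an added defender-side example (it is not code from the original post). It parses two artefacts the text relies on, the `at` job listing and the output of `tasklist /V /FO CSV`, and flags scheduled jobs that launch a shell and desktop or shell processes owned by NT AUTHORITY\SYSTEM; the column layouts are assumed from Windows XP, both samples are constructed, and the list of process names to watch is a hypothetical starting point.

```python
import csv
import io
import re

# Added example, not from the original post: a defender-side check for the
# footprint of the at /interactive trick. Column layouts are assumed from the
# `at` listing and `tasklist /V /FO CSV` on Windows XP; samples are constructed.
SHELL_IMAGES = {"cmd.exe", "explorer.exe", "taskmgr.exe"}  # hypothetical watch list
SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"

# Constructed `at` listing: job 1 is the interactive cmd.exe job from the post.
SAMPLE_AT = """\
Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Today                   3:25 PM       cmd.exe
        2   Each M T W Th F         2:00 AM       C:\\backup\\nightly.bat
"""

# Constructed `tasklist /V /FO CSV` output after explorer.exe was relaunched
# from the SYSTEM prompt; alice's own cmd.exe is benign.
SAMPLE_TASKLIST = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","1024","Console","0","4,912 K","Running","NT AUTHORITY\SYSTEM","0:00:01","N/A"
"explorer.exe","1588","Console","0","18,204 K","Running","NT AUTHORITY\SYSTEM","0:00:03","Program Manager"
"cmd.exe","1732","Console","0","2,344 K","Running","XPBOX\alice","0:00:00","Command Prompt"
'''

# One `at` job line: optional status word, numeric id, day, 12-hour time, command.
AT_LINE = re.compile(r"^\s*(?:[A-Za-z]+\s+)?(?P<id>\d+)\s+(?P<day>.+?)\s{2,}"
                     r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+(?P<cmd>.+?)\s*$")


def shell_jobs(at_output):
    """Return (job id, command) for scheduled jobs whose program is a shell."""
    hits = []
    for line in at_output.splitlines():
        m = AT_LINE.match(line)
        if m and m.group("cmd").split()[0].lower() in SHELL_IMAGES:
            hits.append((int(m.group("id")), m.group("cmd")))
    return hits


def system_desktop_processes(tasklist_csv):
    """Return (image, pid) for desktop/shell processes owned by SYSTEM."""
    hits = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if (row["Image Name"].lower() in SHELL_IMAGES
                and row["User Name"].upper() == SYSTEM_ACCOUNT):
            hits.append((row["Image Name"], int(row["PID"])))
    return hits
```

On a real machine, feed the functions the captured output of `at` and `tasklist /V /FO CSV`; any hit from either function is worth investigating, since neither a scheduled cmd.exe job nor an explorer.exe owned by SYSTEM appears in normal use.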

What to do now

Now that we have SYSTEM access,
everything that we run from our explorer process will have it too:
browsers, games, etc. You also have the ability to reset the
administrator's password and to kill other processes owned by SYSTEM. You
can do anything on the machine, the equivalent of root; you are now God
of the Windows machine. I'll leave the rest up to your imagination.


When you install Windows XP an
Administrator Account is created (you are asked to supply an
administrator password), but the "Welcome Screen" does not give you the
option to log on as Administrator unless you boot up in Safe Mode.

First you must ensure that the Administrator Account is enabled:

1 open Control Panel

2 open Administrative Tools

3 open Local Security Policy

4 expand Local Policies

5 click on Security Options

6 ensure that Accounts: Administrator account status is enabled

Then follow the instructions from the "Win2000 Logon Screen Tweak", i.e.:

1 open Control Panel

2 open User Accounts

3 click Change the way users log on or log off

4 untick Use the Welcome Screen

5 click Apply Options

You will now be able to log on to Windows XP as Administrator in Normal Mode.


Start the Registry Editor and go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Right-click an empty space in the right pane and select New > DWORD
Value. Name the new value Administrator. Double-click this new value,
and enter 1 as its Value data. Close the registry editor and restart.