Windows XP Privilege Escalation (For those who don't know how..)
This article explains how to gain SYSTEM privileges on a Windows XP Operating System.



--=[ How to gain SYSTEM ]=--
-=[ Written by Skunkfoot ]=-

Note: So far, this doesn't work on Windows Vista.

-------------------
-=[ Contents ]=-
-------------------
[x] What is SYSTEM? (For those who don't already know)
[x] Why would I want to become SYSTEM?
[x] How do I become SYSTEM?
[x] The Exploit explained
[x] How to stop this from happening on your computer
[x] Conclusion


---------------------------------------
-=[ Part 1 || What is SYSTEM? ]=-
---------------------------------------
Okay, so what is SYSTEM exactly? Well, open up task manager and go look at your processes. You should notice that some of the processes are being run by <your username> and some are being run by SYSTEM. The ones being run by SYSTEM are exactly that: the system is running those processes by itself.

-------------------------------------------------
-=[ Part 2 || Why do I want to do that? ]=-
-------------------------------------------------
Well, with SYSTEM, you'll have more access locally on the computer. Different types of users have different privileges. Guests tend to have very limited privileges and access. Limited Users have a little bit more, but it's still not enough for normal people. Administrators, which is what most people use, have more privileges than Guests and Limited Users, but sometimes even Administrators don't have the privileges to do some things. This is why you might want to become SYSTEM. SYSTEM has more privileges than any other group, and you can do basically anything you want on the computer when you have obtained it.

----------------------------------------
-=[ Part 3 || How do I do that? ]=-
----------------------------------------
Open up Task Manager and a CMD prompt. Write down the current time in military/24-hour format (for example, 15:24 = 3:24 PM). Then, go to your Task Manager and end the "explorer.exe" process. Now, in the CMD window, type "at <current time> /interactive explorer.exe" and hit enter. That should get you SYSTEM.

--------------------------------------------------------------
-=[ Part 4 || I want to understand why that works ]=-
--------------------------------------------------------------
Explorer.exe is the Windows shell, or more commonly, your Desktop and Start menu, and is different for each user. When you login to Windows, explorer.exe loads, and that's why you see your icons and Start Menu and everything. When you go to logout, it ends explorer.exe for that user. So, when we kill explorer.exe and then tell the system to restart it interactively, the SYSTEM is running the process instead of your user.

-------------------------------------------------------------
-=[ Part 5 || I don't want my shit to get h4x0red! ]=-
-------------------------------------------------------------
Relax, all you have to do is disable the "at" command, which shouldn't cause a problem with your everyday computer usage because nobody really uses that command for anything. (Or at least nobody I know :P)
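
Part 4 explains the tell-tale condition this technique leaves behind: explorer.exe (or any other interactive shell) owned by SYSTEM rather than by the logged-on user. The following added example, which is not part of the original article, parses `tasklist /V /FO CSV` output and flags exactly that condition, as a defender-side complement to the mitigation in Part 5. The process list embedded below is constructed for illustration, not captured from a real machine.

```python
import csv
import io

# User-facing shells and consoles that normally run as the logged-on user.
# Seeing one of them owned by SYSTEM is the condition Part 4 describes.
USER_SHELLS = {"explorer.exe", "cmd.exe", "regedit.exe"}
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"

# Constructed sample of `tasklist /V /FO CSV` output (column layout as on XP).
# The explorer.exe row models the shell re-launched by an interactive `at` job.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System","4","Console","0","236 K","Running","NT AUTHORITY\\SYSTEM","0:00:05","N/A"
"svchost.exe","1032","Console","0","4,120 K","Running","NT AUTHORITY\\SYSTEM","0:00:01","N/A"
"explorer.exe","1580","Console","0","18,240 K","Running","NT AUTHORITY\\SYSTEM","0:00:02","Program Manager"
"cmd.exe","1712","Console","0","2,100 K","Running","XPBOX\\alice","0:00:00","Command Prompt"
"notepad.exe","1840","Console","0","3,512 K","Running","XPBOX\\alice","0:00:00","Untitled - Notepad"
'''


def parse_tasklist_csv(text):
    """Parse tasklist CSV output into a list of dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def find_system_shells(rows):
    """Return (image, pid, user) for user-facing shells running under SYSTEM.

    Note: tasklist /V run by a non-administrator reports "N/A" for the owner of
    SYSTEM processes, so run the collection from an administrator prompt.
    """
    hits = []
    for row in rows:
        image = row["Image Name"].lower()
        user = row["User Name"]
        if image in USER_SHELLS and user.upper() == SYSTEM_ACCOUNT:
            hits.append((image, int(row["PID"]), user))
    return hits


def detect(text=SAMPLE_TASKLIST):
    """Convenience wrapper: parse the given tasklist output and return the hits."""
    return find_system_shells(parse_tasklist_csv(text))


if __name__ == "__main__":
    for image, pid, user in detect():
        print(f"ALERT: {image} (PID {pid}) is running as {user}; "
              "this shell normally runs as the logged-on user")
```

On a live machine, feed the detector the output of `tasklist /V /FO CSV` instead of the constructed sample.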

----------------------
-=[ Conclusion ]=-
----------------------
All that being said, I hope you actually learned something from my article. ^_^

--Skunkfoot

P.S. If anything is a little incorrect, just tell me, because I'll want to know. (But I think it's all pretty much accurate.)

Comments

mido on December 26 2007 - 16:17:45
Good article, I didn't know about that. But you had better extend part 5 more.
Skunkfoot on December 27 2007 - 05:08:46
lol, you can look up how to prevent it if you want a more extensive method :) and for the record, moshbat tested a program I wrote that does this same thing :)
Gr33dy on December 28 2007 - 09:07:40
Lol, tried it but Access Denied lol, using XP Pro as a Limited User :/
Mouzi on December 28 2007 - 11:42:11
But aren't there other ways too? I remember something about replacing the screensaver with cmd or something like that.
DigitalFire on December 29 2007 - 06:07:30
Now that's an article. Write more man! :happy:
Phantomchaser on December 30 2007 - 14:30:59
Nice article. I use this at work quite frequently. It's nice to see it laid out so neatly. Well done. :)
Skunkfoot on December 31 2007 - 03:58:19
I used to use /interactive cmd.exe too and then just restarted explorer.exe from the new cmd window, but I was like, "Hey, I'm just restarting explorer.exe, why not just do that interactively?" and it worked ^^ and yeah, I've heard of other ways to do this too, but I'm not familiar enough with any other method to write a decent article about it. Maybe one of you can write an article on a different way to do this. :) (but if you do, please make it thorough...I hate bad articles...)
korg on January 01 2008 - 03:24:26
Very old hack for XP. What rock did you find this under? Don't tell me you just found this, because it's everywhere. Problem being you need to be logged into an admin account, you can't access anyone's personal documents or settings, and last you can't do any more than the admin of the computer, so basically this is useless. People who have tried this try it under a guest account. Not gonna happen.
korg on January 01 2008 - 03:26:20
Anyone that rated this as awesome is a noob in XP.
korg on January 01 2008 - 03:30:06
Fuck! Not done yet: the at cmd is used for a lot of things. Learn how to use it and don't disable it.
ThorsDecree on January 01 2008 - 07:48:32
wonder who rated it poor? :p
Zephyr_Pure on January 01 2008 - 16:14:20
I think that the article would have been better if it explained SYSTEM (and the other users / groups) a bit more thoroughly and possibly addressed either more with the AT command or more basic privilege escalation "exploits" in XP. Also, you're not going to get "h4x0red" with this, unless the perpetrator has physical access (in which case all bets are off). korg, I agree that there are better methods of circumventing account restrictions; in fact, most of them do not even involve admin access. However, I have to ask: If SYSTEM can do everything an admin can do, then why can't you access personal documents by taking ownership? As for the settings part, I guess that depends on which settings you're trying to access.
korg on January 01 2008 - 19:21:08
System or Admin accounts cannot access your personal files and folders if you tweak them to be stored only in your user account profile. That way only you can access them. Sorry I should have been more clear I thought most people knew how to protect personal items. Maybe I'll do an article on it. Be quite lengthy though. @Zephyr I knew you would respond to this article.
DigitalFire on January 01 2008 - 21:59:40
Well, it does have some uses. Logged in as an admin, there was a process that would produce "Access denied" when I tried to end it. But using the at command, I managed to kill it. Also you can boot regedit in the same way, yatta yatta. Just kind of interesting. Korg, if you have better privilege escalation techniques please write an article :happy:
DigitalFire on January 01 2008 - 22:09:21
And yeah, you do have to be admin. So I guess it's not that useful after all. Still interesting though.
korg on January 05 2008 - 03:22:24
Yes, I do have a lot better privilege escalation and profile-securing techniques. I will write an article when I get some time, but I have a whole binder filled with XP shit.
Skunkfoot on January 06 2008 - 08:14:59
@korg: no, I didn't just find this, but I was bored and decided to write an article. And the ratings are for the article itself and how helpful it was, regardless of what it's about. I didn't say this was something amazing that everyone needs to know, but I think it could be helpful to some people, and that's why I wrote the article. If you don't like it, then that's your choice, and I'm not about to criticize you for doing what you think is right. If you have a "better" method, please write an article on it, I'd love to learn it. @zephyr: as always, thanks for the constructive criticism, maybe I'll edit it to include more of that stuff. And yes, I realize that it's not much more useful than being able to create your own admin user, but that's still a pretty handy piece of knowledge to have, don't you think?
Zephyr_Pure on January 13 2008 - 06:04:51
It is a handy piece of knowledge, skunk. Of course, korg, you know that you and I shall respond to every article about XP... ever. We have the most vested interest in it. lol As for your last comment about "storing only in account profile", I haven't seen a folder yet that could not be taken ownership of... including personal profiles. I have had to use that technique to recover sensitive data from terminated employees before, and it has included Administrator-level accounts. Of course, if System can't do it, then System could at least create an Administrator-level account that could then take ownership, right? I enjoy these speculations... there should be a forum dedicated to XP.
Durty1425 on January 13 2008 - 18:04:39
:happy: Awesome. Thanks. I learned something new. You should have included how to disable the "at" command too though.
korg on January 15 2008 - 09:35:05
@Zephyr_Pure: Look into Lock Folder XP. It will password protect and hide folders from anyone till you unlock it. Great program. I hide my important sensitive data (porn links) in a folder and name it something like a Windows system folder, i.e. krgwin. Then bury it deep in the Windows folder. Then apply Lock Folder to it. Don't use some of the cheap programs like hidefolder or folderguard etc., because they create a registry value and store your password and folder location, usually in a 1 letter jump. These programs are easy to break and copy folder contents. Just some insight.
DigitalFire on February 01 2008 - 05:08:53
Porn? There's porn on the internet? :happy: korg, you should write articles :D
ThorsDecree on February 20 2008 - 20:53:31
They locked 'at' on my school's computers, so I can't get privs and fix a virus on a friend's flash drive :\ Format is blocked :D and I have no third party software on my own drive.
onejerlo on January 04 2009 - 09:33:34
Doesn't work on my comp....... I don't know why....but when I try to use it on my comp....it merely says....access denied (I'm an admin...but have guest-like rights until I specially demand admin rights...so the test's good). That's probably the result of UAC settings.....but I don't know for sure....Know any way I can get by this glitch???
© HellBound Hackers 2008- 2009. Since 3rd December 2004.