Re: privilege escalation techniques

From: Pieter Danhieux (pdanhieux@easynet.be)
Date: Sat Jan 22 2005 - 14:36:13 EST


On 22 Jan 2005, at 09:20, Eyal Udassin wrote:

> Hi,
>
> The easiest way to perform privilege escalation on windows, whatever
> version, is to list the executables in the
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry
> key. All of these executables are run under SYSTEM.
>
> Once you get hold of that list, see if you have write permissions to
> replace the original executable with your own. Don't forget to execute
> the original from your code, or otherwise you may cause the system to
> become unstable.
>
> I had a client which had such a key pointing to an old printer
> installation utility which no longer existed, in an unprotected directory
> outside of "program files". That was the beginning of the end of the
> pentest :-)
>
> If all the files can't be overridden, try to boot with command line only
> and replace them. Another approach is to remove the hard drive and
> perform the switch on another computer, with the victim HD as a secondary
> drive.
>
> Eyal Udassin - Swift Coders
> POB 1596 Ramat Hasharon, 47114
> 972+547-684989
> eyal@swiftcoders.com - www.swiftcoders.com

Or you can use a Linux live CD that supports NTFS read/write
operations. I have already tested KANOTIX and the captive-ntfs
filesystem (which uses the Windows drivers to read/write NTFS).

regards

--
Pieter Danhieux, CISSP, GSEC
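The exposure the thread describes (an autostart entry under the HKLM Run key whose target binary is missing, or sits in a directory that low-privilege users can write to) is straightforward to audit from the defender's side. The script below is an added example, not code from either poster: it enumerates the HKLM Run and RunOnce keys, resolves each value to its executable path, and reports entries whose target is dangling or whose file or parent directory grants write, modify or full-control rights to Everyone, Users, Authenticated Users or INTERACTIVE. The key list, the set of principals treated as low-privilege, and the function names are my own choices; it assumes Windows PowerShell 5.1 or later and should be run elevated so every ACL is readable. One caveat worth keeping in mind when triaging the output: HKLM Run entries are launched at logon in the security context of the user who signs in, so the practical impact of a writable entry depends on which accounts log on to the host.

```powershell
# Added audit example (not from the original thread). Reports HKLM autostart
# entries whose executable is missing or writable by low-privilege principals.
# Assumes Windows PowerShell 5.1+; run from an elevated prompt.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Principals that should never hold write rights on an autostart binary (my choice of list).
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the holder replace or tamper with the file.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Get-ExecutablePath {
    # Turn a Run value such as  "C:\Tools\foo.exe" /silent  into the bare executable path.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted value: take everything up to the first ".exe", else the first token.
    $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Test-LowPrivWritable {
    # True if any Allow ACE grants a write-class right to a low-privilege principal.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($lowPrivPrincipals -contains $ace.IdentityReference.Value) -and
            (([int]$ace.FileSystemRights) -band ([int]$writeMask))) {
            return $true
        }
    }
    return $false
}

function Invoke-RunKeyAudit {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSChildName, ...
            $target = Get-ExecutablePath -Command ([string]$props.$name)
            $finding = $null
            if (-not (Test-Path -LiteralPath $target)) {
                $finding = 'MISSING: dangling entry, target could be planted'
            } elseif (Test-LowPrivWritable -Path $target) {
                $finding = 'WRITABLE: binary modifiable by low-privilege principal'
            } elseif (Test-LowPrivWritable -Path (Split-Path -Parent $target)) {
                $finding = 'DIR-WRITABLE: parent directory modifiable by low-privilege principal'
            }
            if ($finding) {
                [pscustomobject]@{ Key = $key; Name = $name; Target = $target; Finding = $finding }
            }
        }
    }
}

Invoke-RunKeyAudit | Format-Table -AutoSize
```

Entries that come back flagged are the ones to fix: remove dangling values, and restore the default ACL (administrators and SYSTEM only for write) on the binary and its directory. Extending the same check to HKCU Run keys, services' ImagePath values and scheduled-task actions follows the same pattern.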


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:15 EDT