Re: priviledge escalation techniques
From: Pieter Danhieux (pdanhieux_at_easynet.be)
Date: 01/22/05
- Previous message: Marco Ivaldi: "Re: Discovering users by RCPT TO"
- In reply to: Eyal Udassin: "RE: priviledge escalation techniques"
- Next in thread: Thor: "Re: priviledge escalation techniques"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 22 Jan 2005 20:36:13 +0100
To: "Eyal Udassin" <eyal@swiftcoders.com>
On 22 Jan 2005, at 09:20, Eyal Udassin wrote:
> Hi,
>
> The easiest way to perform privilege escalation on windows, whatever
> version, is to list the executables in the
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry
> key. All of these executables are run under SYSTEM.
>
> Once you get hold of that list, see if you have write permissions to replace
> the original executable with your own. Don't forget to execute the original
> from your code, or otherwise you may cause the system to become unstable.
>
> I had a client which had such a key pointing to an old printer installation
> utility which no longer existed, in an unprotected directory outside of
> "program files". That was the beginning of the end of the pentest :-)
>
> If all the files can't be overridden, try to boot with command line only and
> replace them. Another approach is to remove the hard drive and perform the
> switch on another computer, with the victim HD as a secondary drive.
>
> Eyal Udassin - Swift Coders
> POB 1596 Ramat Hasharon, 47114
> 972+547-684989
> eyal@swiftcoders.com - www.swiftcoders.com
Or you can use a Linux live CD that supports NTFS read/write
operations. I have already tested KANOTIX and the captive-ntfs
filesystem (which used the Windows drivers to read/write on NTFS).

Regards,
-- Pieter Danhieux, CISSP, GSEC
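
An audit sketch for the condition described in the quoted message, added here as an example and not part of either poster's mail: it lists the entries under the Run key named above and reports any whose target file is missing, or whose file or parent directory grants write access to a principal outside a trusted set. The function name `Get-UntrustedWriter` and the trusted-SID list are assumptions of this example.

```powershell
# Added example (not from the thread): flag HKLM Run entries whose target is
# missing, or whose file/directory is writable by principals outside $trusted.
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# Assumption: only SYSTEM, Administrators and TrustedInstaller should hold write access.
$trusted = 'S-1-5-18', 'S-1-5-32-544',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$writeBits = $writeBits -bor 0x50000000   # also GENERIC_ALL | GENERIC_WRITE

# Hypothetical helper: SIDs with an effective (not inherit-only) Allow ACE carrying write bits.
function Get-UntrustedWriter([string]$Path) {
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $trusted -notcontains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band $writeBits) -and
            -not ($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

$key = Get-Item -LiteralPath $runKey
foreach ($name in $key.GetValueNames()) {
    # Run values are command lines: take the quoted path, else text up to the
    # first executable extension, else the first whitespace-delimited token.
    $cmd = [Environment]::ExpandEnvironmentVariables([string]$key.GetValue($name))
    if     ($cmd -match '^\s*"([^"]+)"')                      { $exe = $Matches[1] }
    elseif ($cmd -match '^\s*(.+?\.(exe|com|bat|cmd))(\s|$)') { $exe = $Matches[1] }
    else   { $exe = ($cmd.Trim() -split '\s+')[0] }
    if (-not $exe) { continue }

    # Bare file names (resolved via the search path) show up as missing: review by hand.
    $exists  = Test-Path -LiteralPath $exe -PathType Leaf
    $dir     = Split-Path -Path $exe -Parent
    $targets = @()
    if ($exists) { $targets += $exe }
    if ($dir -and (Test-Path -LiteralPath $dir -PathType Container)) { $targets += $dir }

    $writers = foreach ($t in $targets) {
        foreach ($sid in (Get-UntrustedWriter $t)) { "$sid on $t" }
    }
    if (-not $exists -or $writers) {
        [pscustomobject]@{
            Entry = $name; Target = $exe; TargetExists = $exists
            WritableBy = ($writers -join '; ')
        }
    }
}
```

Run it from an elevated session so that every ACL can be read; each reported entry is a candidate for removing the stale value or tightening the ACL on the file or directory.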