Administrator Control
From Hak5
Local Administrative Privileges: The Sparda Way
(For Windows XP, 2000 & 2003; does not work on Vista)
This is achievable in several ways; one way is to use Auditor to crack the admin password, but that isn't the only way of course. I find this method works a lot of the time, but it depends on how the file permissions are configured.
Step 1
We need to analyse the file system permissions. Go to "C:\Program Files\<any directory except Common Files>" and try to create a file there. If you can, then this might work!
Step 2
We now need to check for third party services. Open services.msc and look for any non-Microsoft services. A lot of schools' and companies' computers will have some kind of anti-virus software installed.
Step 3
Once you have located a non-MS service, try to stop it, then try to start it again. If you can stop/start the service then this will probably work!
If there are none then the computer is probably vulnerable to viruses but you might be able to use the print spooler service instead.
Step 4
Look at the properties of the service and make a note of where its executable is.
Step 5
Now we need to write a small program. Write it in any language of your choice, so long as it can be compiled to run as a standalone exe. Here is the code for the program in C++:
    #include <cstdlib>   // system()

    int main()
    {
        // Launch Task Manager; it inherits the security context of this process
        system("taskmgr");
        return 0;
    }
If you don't understand what that code does, then you probably shouldn't be reading this tutorial, but all this program does is run task manager.
Java code:
    import java.io.IOException;

    public class TaskMgr
    {
        public static void main(String[] args)
        {
            try
            {
                // Launch Task Manager in the same security context as this process
                Runtime.getRuntime().exec("taskmgr");
            }
            catch (IOException ohdear)
            {
                System.out.println("Error: " + ohdear.getMessage());
            }
        }
    }
Step 6
Now here is the clever bit: remember that file path we wrote down somewhere? Go there in Explorer and rename the file to whatever you want (but don't forget its original name). It might be a good idea to make a backup of the original file with the same name but a different extension... .bak perhaps. Now put your program (which you will have compiled to a standalone exe) in that directory and give it the original name of the exe you just renamed.
Step 7
Restart the service that points to that exe and hey presto, you have Task Manager running as SYSTEM! You now have total control: just go File > Run and run whatever you want!
Be sure to put everything back and delete all evidence of our little achievement.
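As an added counterpart to the permission checks in Steps 1 to 4, here is a read-only PowerShell audit an administrator can run to find service binaries exposed to exactly this swap. It is an added example, not code from the original page, and assumes PowerShell 2.0 or later (available for XP SP3 and 2003 SP2).

```powershell
# Added example, not part of the original Hak5 page: audit every installed service
# and report binaries (or their parent directories) that grant write-type access
# to broad, non-administrative principals. Read-only; assumes PowerShell 2.0+.

# Principals that should never be able to change a service binary or its directory.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a user replace, alter or swap out the file.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
function Get-ServiceExePath([string]$PathName) {
    # Win32_Service.PathName may be quoted ("C:\Program Files\x\y.exe" -arg)
    # or unquoted with arguments (C:\WINDOWS\system32\svchost.exe -k netsvcs).
    $m = [regex]::Match($PathName, '(?i)^\s*(?:"(?<p>[^"]+)"|(?<p>.+?\.exe))')
    if (-not $m.Success) { return $null }
    return [Environment]::ExpandEnvironmentVariables($m.Groups['p'].Value)
}

function Get-WeakServiceBinaryAcls {
    $findings = @()
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        $exe = Get-ServiceExePath $svc.PathName
        if (-not $exe -or -not (Test-Path -Path $exe)) { continue }
        # Check the binary itself and the directory it lives in (Step 1 of the page).
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            $acl = Get-Acl -Path $target -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($rule in $acl.Access) {
                if ($rule.AccessControlType -ne 'Allow') { continue }
                if ($BroadPrincipals -notcontains $rule.IdentityReference.Value) { continue }
                if (($rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
                $findings += New-Object PSObject -Property @{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    Path      = $target
                    Principal = $rule.IdentityReference.Value
                    Rights    = $rule.FileSystemRights
                }
            }
        }
    }
    return $findings
}

Get-WeakServiceBinaryAcls | Format-Table Service, RunsAs, Principal, Rights, Path -AutoSize
```

Findings whose RunsAs is LocalSystem are the cases this page describes; fix them by restoring inherited permissions on the directory or removing the write entry (cacls on XP/2003, icacls on later versions).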
Replacing A File Without Permission
Recovery Console.
NOTE: You can simply copy taskmgr.exe (located in the system32 directory), but the problem with this is that when Windows realises the service isn't responding, it will kill Task Manager (but not any programs it started). So it's best to use another program to start Task Manager so it doesn't get killed when the service times out, unless you only want it for a short time (I believe the time out is 30 seconds).