How can I gain admin powers on this machine?
Now that I have a reasonable question to ask… sorry if I upset anybody with my noobiness D=
How can I gain admin powers (or at the least, normal user powers) on this computer at my school? It's running a very limited version of Windows XP Pro (SP2, I do believe) that logs me in to a main server. Pretty much everything is locked down. I don't have a desktop (no icons, nothing) and I can't even right click; that's the most annoying part. I can, however, open command.com, but I cannot launch folders (start C:\) and I can't get to Program Files (it doesn't count spaces?). I can also create shortcuts to programs and such as long as I know the file name. I shut down Vision this way =D
I can program pretty well in Java (CS4 AP) if that counts as anything. Which it probably doesn't.
So yeah, please excuse my noobiness, but could anyone point me in some sort of a direction? Maybe what to explore? I really have no clue where to start and I'm growing tired of not having the right click :(
sToRm_seveN wrote: errrrr
how does a school computer not allow you to view the desktop?
By not showing desktop icons through a GPO.
A key thing to remember about command.com is that it is a legacy command prompt; that is, it is the DOS version for compatibility, not the XP command prompt that everyone is used to. That being said, it may or may not support the "at" command; don't know, don't remember, so try it. Other than that, you don't have many options… check out Task Manager (if you have access to it) or try to access some MMCs. Other than that, you're going to want to attack it from outside of the GPO'd environment (Safe Mode, LiveCDs, etc.).
Be creative, explore everything you have access to, and work from there.
Dude.. It's WinXP, use the SYSTEM exploit.. It's the most common, and if you don't know sh*t about computers, then you can buy a pre-made auto-exploit from my website.. hehe http://jbjoker.awardspace.com
Yachi wrote: Have you tried Winkey+R and cmd? Also, when you're doing stuff with spaces, use ""
C:\"Program Files"\ or "C:\Program Files\some folder\"
Weird that none of you knew simple DOS stuff :P
If he's using command.com he's limited by the 8.3 file naming system (8 characters with a 3-character extension), meaning if he wants to access Program Files it will need to be cut down to 6 characters with two added for indexing. So instead of: cd Program Files or cd "Program Files"
he will need
cd PROGRA~1
The "1" is an index just in case you have two or more files that start with the same six characters. With a file the number would go before the extension like "EXAMPL1.TXT".
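As an added illustration of the 8.3 aliasing described in the post above (example code written for this page, not something any poster provided), here is a small Python routine that produces DOS-style short names following the usual Windows convention: spaces and extra dots dropped, characters outside the DOS set replaced by "_", the base cut to six characters, a "~N" index appended and bumped on collisions, and the extension cut to three characters. It also covers the case the post does not spell out: a name that already fits 8.3 (such as system32 or cmd.exe) has no separate alias and is simply upper-cased. The plain counter is a simplification; real NTFS switches to hash-based short names after a handful of collisions. The names and paths in the demo are constructed sample values.

```python
import re

# Characters DOS accepts in a short name; anything else is replaced with "_"
_LEGAL = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-!#$%&'()@^`{}~")
# At most 8 characters, optionally followed by a dot and at most 3 characters
_FITS_83 = re.compile(r"^[^.]{1,8}(\.[^.]{1,3})?$")


def _clean(part: str) -> str:
    """Upper-case a name fragment, drop spaces and dots, map illegal chars to '_'."""
    out = []
    for ch in part.upper():
        if ch in " .":
            continue
        out.append(ch if ch in _LEGAL else "_")
    return "".join(out)


def short_name(long_name: str, existing=()) -> str:
    """Return the 8.3 alias for long_name (convention only, not a live lookup).

    existing: short names already taken in the same directory; the ~N index is
    bumped until the candidate is unique, which is what Windows does for the
    first few collisions.
    """
    name = long_name.strip()
    upper = name.upper()
    # A name that already fits 8.3 keeps its own name, just upper-cased
    if _FITS_83.match(upper) and all(c in _LEGAL for c in upper.replace(".", "")):
        return upper

    base, dot, ext = name.rpartition(".")
    if not dot or not base:  # no extension, or a leading-dot name
        base, ext = name, ""
    stem = _clean(base)[:6]
    ext = _clean(ext)[:3]
    taken = {n.upper() for n in existing}

    index = 1
    while True:
        candidate = f"{stem}~{index}" + (f".{ext}" if ext else "")
        if candidate not in taken:
            return candidate
        index += 1


def short_path(long_path: str) -> str:
    """Rewrite every component of a Windows path into its 8.3 form.

    Assumes no collisions in any directory, so each alias ends in ~1.
    """
    drive, sep, rest = long_path.partition("\\")
    parts = [short_name(p) for p in rest.split("\\") if p]
    return drive.upper() + sep + "\\".join(parts)


if __name__ == "__main__":
    # Constructed sample names, not taken from any real machine
    for sample in ["Program Files", "my document.txt", "system32", "report.html"]:
        print(f"{sample!r:20} -> {short_name(sample)}")
    print(short_path("C:\\Program Files\\Mozilla Firefox\\firefox.exe"))
```

The second argument lets you reproduce the indexing the post mentions: passing the aliases already present in a directory makes a second "Program Files (x86)" come out as PROGRA~2.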
Just boot a live CD, dump the SAM, and crack the admin password. There are tutorials all over on using live CDs to get the administrator password in XP. It is very simple and the tools are free. If you want to be less conspicuous about it, rather than use a CD you could install a live CD to a jump drive and try booting from that.
Some simple things you can try while logged in:
toggling various services on and off
open regedit
open mmc
try adding the GPO editor snap-in for the local machine
adding simple batch files to the All Users startup
Things I've tried that do not work:
Ctrl+Shift+Esc - "restricted by admin"
Win+R - also restricted
live CD (or any CD) - CD drive is either broken or disabled; I could try booting from a flash drive, I guess
services - no admin powers, can't change anything
regedit - blocked
I have yet to try safe mode. I won't really have a chance to use it until I get a sub.
I can use the killtask command in command.com, but I don't really have anything I'd like to shut down… any ideas?
What about adding a task to C:\WINDOWS\Tasks? What would I add and how? I could add something with command.com, I guess.
I'm going to try C:\WINDOWS\System32\cmd.exe tomorrow. That's the actual DOS prompt, correct? From there I should be able to try the XP commands like AT or w/e was mentioned before.
Basically, I'd love to be an admin/normal user so I can right click! I'd also love it so I can use that as a launch pad for something else (idk what else, but something, I'm sure =D)
A lot of times they forget about your browser. If you want to see the file system, perhaps maybe even stumble upon some nice pass files, open up a browser and type C:/ and if you don't get a full index of C:, try File:///C:/. Sometimes it works, sometimes it doesn't. Not even letting you right click? daaaaamn. But ya, that would let you see file systems on many machines.
Phantomchaser wrote: Just boot a live CD, dump the SAM, and crack the admin password. There are tutorials all over on using live CDs to get the administrator password in XP. It is very simple and the tools are free. If you want to be less conspicuous about it, rather than use a CD you could install a live CD to a jump drive and try booting from that.
Passwords aren't stored on the computer if you have connected to a specific server that isn't the computer itself. I had a network like that at my school.
Flaming_figures wrote: A lot of times they forget about your browser. If you want to see the file system [removed garbage] open up a browser and type C:/ and if you don't get a full index of C:, try File:///C:/. Sometimes it works, sometimes it doesn't.
Listen to this man. And, if it doesn't work on their browser, just bring your own.
Normally I wouldn't care, but, your school sounds kinda, nazi-ish. >=[
Don't read the articles, though… too many of them are about your question. You'd end up spending about 15 mins reading them all… yes, it's that crazy. So I'll just go ahead and PM you the admin password for your school, send you some packet-catching software, and burn you some OPH disks. I'll also PM you my cell number so I can spell out every word you need to type at the command prompt to elevate your user rights or make your own admin account. (All that copying and pasting will probably be too much strain on your index finger.)
Hacking a computer you have physical access to… it's hard to not be able to do that. I'm sorry but… you have cmd, you might as well own the system.
tonzofgunz25 wrote: YOU NEED TO MODIFY THE BIOS BEFORE INSERTING LIVE CD. Schools don't buy a bunch of computers with broken CD drives just so no one will put in a Linux disk.
The drive won't even open when I press the button. I can put a paperclip into the hole and force it, but when it closes, it doesn't register that it's actually there.
DarkAardvark wrote: Things I've tried that do not work:
Ctrl+Shift+Esc - "restricted by admin"
Win+R - also restricted
live CD (or any CD) - CD drive is either broken or disabled; I could try booting from a flash drive, I guess
services - no admin powers, can't change anything
regedit - blocked
Task Manager can be disabled completely through a GPO setting, regardless of what shortcut you like to use (Ctrl+Alt+Del, Ctrl+Shift+Esc, Run+"taskmgr", etc.). Run command is also easily disabled. CD drive is probably set at a lower boot priority in the BIOS; if they have a BIOS password, you could pop open the case and pop out the CMOS battery. MMCs and regedit are, yet again, easily blocked with a GPO setting.
I have yet to try safe mode. I won't really have a chance to use it until I get a sub.
If there's a local admin password (likely), then Safe Mode will be useless until you crack the SAM.
I can use the killtask command in command.com, but I don't really have anything I'd like to shut down… any ideas?
Remote control software, if they have any. Other than that, pretty well useless.
I'm going to try C:\WINDOWS\System32\cmd.exe tomorrow. That's the actual DOS prompt, correct? From there I should be able to try the XP commands like AT or w/e was mentioned before.
It's not the "actual DOS prompt"; it's the Windows XP emulation of a DOS prompt. There hasn't been a real DOS prompt since Win98. Oh, and cmd.exe… is also disabled quite easily through GPO.
Basically, I'd love to be an admin/normal user so I can right click! I'd also love it so I can use that as a launch pad for something else (idk what else, but something, I'm sure =D)
Now, that, sir, is stupid.
Flaming_figures wrote: If you want to see the file system, perhaps maybe even stumble upon some nice pass files, open up a browser and type C:/ and if you don't get a full index of C:, try File:///C:/. Sometimes it works, sometimes it doesn't.
One GPO setting disables viewing of the C: drive. If it doesn't work in Explorer, it won't work in a browser (unless the admin is a complete moron).
Arto_8000 wrote: Passwords aren't stored on the computer if you have connected to a specific server that isn't the computer itself. I had a network like that at my school.
Having a computer that authenticates to a domain controller doesn't mean that there aren't any important passwords on the computer. There still has to exist a local admin account, after all; also, it's very common for admins to use the same local admin password for one computer as they do for all of them. Needless to say, booting to a LiveCD with SAM-cracking capability is still a powerful threat.
Phew! Bring 'em on! I love Windows privilege escalation techniques. ;)
DarkAardvark wrote: The drive won't even open when I press the button. I can put a paperclip into the hole and force it, but when it closes, it doesn't register that it's actually there.
Does the light flash on the front of the CD drive? If not, the CD drive is unplugged. If so, try pressing F10 when the computer boots up (before Windows) to choose the boot device; however, if they have a BIOS password, this will also fail. See my previous post on how to conquer the BIOS password.
Zephyr_Pure wrote: Remote control software, if they have any. Other than that, pretty well useless.
Yeah, I disabled Vision within a day in that class.
It's not the "actual DOS prompt"; it's the Windows XP emulation of a DOS prompt. There hasn't been a real DOS prompt since Win98. Oh, and cmd.exe… is also disabled quite easily through GPO.
Yeah, I know it's not the "actual DOS prompt," but I meant it's more of a DOS prompt than the command.com.
Now, that, sir, is stupid.
XD I know
Having a computer that authenticates to a domain controller doesn't mean that there aren't any important passwords on the computer. There still has to exist a local admin account, after all; also, it's very common for admins to use the same local admin password for one computer as they do for all of them. Needless to say, booting to a LiveCD with SAM-cracking capability is still a powerful threat.
Phew! Bring 'em on! I love Windows privilege escalation techniques. ;)
What about… through cmd.exe:
net user jdoe bakery /add
net localgroup administrators jdoe /add
I'd probably make the user name jsandusky or something b/c it sounds more like an actual teacher's name.
If it works, what could I do on the local admin acct? Actually, I want to do something like this http://jollyblog.squarespace.com/updates/2006/6/5/windows-xp-privilege-escalation-exploit.html I'll give it a try tomorrow, granted I don't have too much work to do in the class.
What about… through cmd.exe:
net user jdoe bakery /add
net localgroup administrators jdoe /add
I'd probably make the user name jsandusky or something b/c it sounds more like an actual teacher's name.
Wrongo. You have to be an Administrator in order to successfully run those commands. Guess what you aren't?
DarkAardvark wrote: Yeah, I know it's not the "actual DOS prompt," but I meant it's more of a DOS prompt than the command.com.
No, that's what I mean… command.com is more of a DOS prompt than "cmd". What you're referring to is that "cmd" has a more versatile command set.
What about… through cmd.exe:
net user jdoe bakery /add
net localgroup administrators jdoe /add
I'd probably make the user name jsandusky or something b/c it sounds more like an actual teacher's name.
All of the net commands that add users or modify a user's groups require admin rights. CRUNCH
If it works, what could I do on the local admin acct?
Anything you want… on the local system. Could provide a springboard for attacking the network.
Actually, I want to do something like this http://jollyblog.squarespace.com/updates/2006/6/5/windows-xp-privilege-escalation-exploit.html
This is the Task Scheduler technique that others have mentioned previously. You can try it… even from within a batch file, if cmd is unreachable. Neither are guaranteed to work, but it's worth trying. Good luck.
DarkAardvark wrote: LOL, on a scale of 1 to 10, how nub am I?
Don't EVER ask anyone that. :angry:
Actually, now that I understand this whole reading concept, I want to try this too! http://www.it.iitb.ac.in/~sudhir/Hacking/Win_XP_Hack.html It probably won't work, seeing how this is outdated and everything on my comp is in lock-down.
Thanks to you guys, reading, and the power of Google, I actually feel as though I have an idea as to what I'm doing (kinda not really)… yeah… I'll try all of this tomorrow and report my findings =D
DarkAardvark wrote: Actually, now that I understand this whole reading concept, I want to try this too! http://www.it.iitb.ac.in/~sudhir/Hacking/Win_XP_Hack.html It probably won't work, seeing how this is outdated and everything on my comp is in lock-down.
Well, it may be a bit outdated, but the reason why it wouldn't work isn't related to that. Once again, it falls back to the lack of admin rights / sufficient privileges. It's doubtful that you would be able to create / delete anything in the System32 folder with a limited account.
Thanks to you guys, reading, and the power of Google, I actually feel as though I have an idea as to what I'm doing (kinda not really)… yeah… I'll try all of this tomorrow and report my findings =D
Good job… there is hope for this place yet. Look forward to hearing your results.
sToRm_seveN wrote: errrrr
how does a school computer not allow you to view the desktop?
Also, try looking up the short file paths that DOS uses (i.e. C:\Program Files = C:\PROGRA~ if I'm not mistaken (I may be!))
Heheh, escape the space, or use ""'s
i.e. cd c:\"Program Files" or cd c:\Program\ Files
EDIT: you can MSN me about this if you want, though I'm not on very often atm.
DarkAardvark wrote: I can, however, open command.com, but I cannot launch folders (start C:\ and I can't get to Program Files (it doesn't count spaces?)
richohealey wrote: Heheh, escape the space, or use ""'s
i.e. cd c:\"Program Files" or cd c:\Program\ Files
EDIT: you can MSN me about this if you want, though I'm not on very often atm.
Will not work in command.com, see my previous post for working with 8.3 file names.
I've got a similar problem now. Running the Netware Windows client; RealVNC occasionally pops up if you're being logged. The system is 100% accessible but no standard exploits work; Deep Freeze is installed and booted with the system account from a remote server, so cracking it isn't possible. I'm going to try port scanning locally soon, but anyone got any ideas? BTW, the BIOS is passworded.
cmd.exe is locked and I can't edit anything in system32. The BIOS, however, is not passworded, so I can bring in a Linux live-CD distro on a flash drive (the CD drive doesn't work at all, even if I boot from it). I can also boot in with safe mode. I'm avoiding both safe mode and a live-CD on a flash drive until I have a sub (it's pretty hard to disguise safe mode and Linux if/when the teacher walks by), so… I guess the only real option for me now is to wait for a sub to come along.
Actually, one of my friends just told me that I can open Notepad, go to Save As, and type in c:\\ to get to the C drive. From there, I can probably navigate to system32\config\sam (or the backup at least) and copy it to my flash drive. If I can't do that, then I'll just wait for a sub.
DarkAardvark wrote: Actually, one of my friends just told me that I can open Notepad, go to Save As, and type in c:\\ to get to the C drive. From there, I can probably navigate to system32\config\sam (or the backup at least) and copy it to my flash drive. If I can't do that, then I'll just wait for a sub.
Nope. You can't touch the SAM file; the system will be using it when you're logged on.
jbjoker wrote: Dude.. It's WinXP, use the SYSTEM exploit.. It's the most common, and if you don't know sh*t about computers, then you can buy a pre-made auto-exploit from my website.. hehe http://jbjoker.awardspace.com
Hmm, "http://jbjoker.awardspace.com/indexx.html" looks like Reaper's Pwn code for HBH //_() *Bust
I looked through the thread and I don't think anyone has said anything about SE'ing, and don't bother pointing it out if I'm wrong as I don't really care.
Try shoulder surfing if you get the chance (looking over his shoulder and watching him type the pass). I used that to get my admin's pass when I was at school.
If your admin is not very intelligent then you could try guessing a few passes, but that's not likely to work as most admins aren't as dumb as the one I had at school (user: administrator, password: martin, which is his first name).
If you're really desperate you could buy one of those little USB keyloggers.
Sometimes teachers don't have admin privs, but they do have a lot more privs than a normal student, so shoulder surf an older teacher who types slower or something and see what you can do from there, as most school admins expect attacks from the students, not from teacher accounts.