House of Hackers

d@v|d

How To: Windows XP local privilege escalation research [using the "at" cmd]

I wrote this my freshman year. I thought perhaps someone here would find it useful. I don't know if these techniques work in Vista; if anyone does, please drop me a line. For research on your own computer only. This could cause permanent problems with Windows.
[It permanently caused the "Bliss" desktop to flash at boot time on my computer.]


Think before you hack ... [Am I sure this computer/IP doesn't belong to a hospital!?]

Windows XP local privilege escalation [using the "at" cmd]

This local exploit uses the "at" command to open an interactive (or root) shell, with or without a root or admin account.
I then show how this root shell can be used to open a new explorer process with system-level privileges.
The real hack is that the "at" command can be used to open an "interactive" shell "at" a given time.
(Think of a shell script that defragments the hard drive "at" 7:00 pm and you should understand the "at" command quite well.)
Keep in mind that the at command is not an exploit itself; I have been told that the ability to open an interactive shell with a non-admin account is a lesser-known debugging feature built into XP on purpose. (Wouldn't surprise me.)
The "at" command can be disabled by the Admin account. If that's the case, this hack won't work.

OK, here we go:
(Code samples in Red)

Open a cmd prompt and type: at (24-hour time, 1 minute ahead of the real time) /interactive "cmd.exe"
The command should look like this: at 15:25 /interactive "cmd.exe". Complete the command.
At the time you specified a second cmd prompt will open; this one is "svchostcmd32", or a "root shell". Leave it open.
Open the Task Manager. In the Task Manager kill "EXPLORER.EXE".
The screen will go blank, except that your cmd shells will still be there.
In the root shell type explorer.exe
Explorer starts like it's the first time you booted this copy of Windows and tries to give you the tour of XP.
Now look at the Start menu: the user name shown at the top should be displayed as "System". [That's the best part!]
You now have the window manager "explorer.exe" running with root privileges.
(Don't put the "windows" folder in the trash can, for God's sake ;)

* CODE SAMPLE in red: at 15:25 /interactive "cmd.exe"
Wait for your "/" shell to open at the given 24-hour time.
(15:25 represents the 24-hour time 1 minute ahead of YOUR current time.)
Kill explorer.exe via Task Manager.
Then in the new "/" shell type explorer.exe



2 ways to spawn a command shell when cmd is locked down.

1) Open a text file, write "command.com" in it and save it as "CMD.bat". Opening this will spawn a shell.


2) In Windows Calculator go to Help \ Help Topics \, hit the ? at the top of the window and choose "Jump to URL".

* Then enter file:///c:/windows/system32/cmd.exe ; this will spawn a cmd shell.
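As an added example (not part of the original post), here is a small detection rule set run over constructed process-creation records; it flags the chain described above (at.exe submitted with /interactive, a SYSTEM cmd.exe started by the Task Scheduler host, explorer.exe running as SYSTEM) and the renamed-screensaver variant a commenter mentions. The field names, parent processes and paths in the sample are assumptions made up for this illustration.

```python
# Added example, not code from the original post. Records are CONSTRUCTED
# for illustration and do not follow a real Windows event-log format.
SYSTEM = "NT AUTHORITY\\SYSTEM"
SAMPLE_EVENTS = [
    # the "at ... /interactive" submission itself, run from a user's prompt
    {"image": r"C:\WINDOWS\system32\at.exe", "user": "BOX\\student",
     "parent": "cmd.exe", "cmdline": 'at 15:25 /interactive "cmd.exe"'},
    # the job fires: Task Scheduler (hosted in svchost.exe) starts cmd.exe as SYSTEM
    {"image": r"C:\WINDOWS\system32\cmd.exe", "user": SYSTEM,
     "parent": "svchost.exe", "cmdline": "cmd.exe"},
    # explorer.exe relaunched from that shell, so the desktop now runs as SYSTEM
    {"image": r"C:\WINDOWS\explorer.exe", "user": SYSTEM,
     "parent": "cmd.exe", "cmdline": "explorer.exe"},
    # normal logon: explorer.exe under the interactive user
    {"image": r"C:\WINDOWS\explorer.exe", "user": "BOX\\student",
     "parent": "userinit.exe", "cmdline": "explorer.exe"},
    # a routine, non-interactive at job (the defrag case from the post)
    {"image": r"C:\WINDOWS\system32\at.exe", "user": "BOX\\admin",
     "parent": "cmd.exe", "cmdline": "at 19:00 defrag.cmd"},
    # the commenter's variant: cmd.exe renamed cmd.scr, launched as a screensaver
    {"image": r"C:\Documents and Settings\student\cmd.scr", "user": SYSTEM,
     "parent": "winlogon.exe", "cmdline": "cmd.scr /s"},
    # the built-in logon screensaver, which legitimately runs as SYSTEM
    {"image": r"C:\WINDOWS\system32\logon.scr", "user": SYSTEM,
     "parent": "winlogon.exe", "cmdline": "logon.scr /s"},
]

def classify(event):
    """Return the findings (possibly none) for one process-creation record."""
    image = event["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    cmd = event["cmdline"].lower()
    as_system = event["user"].upper() == SYSTEM
    findings = []
    if name == "at.exe" and "/interactive" in cmd:
        findings.append("at.exe submitting an interactive (desktop-attached) job")
    if name == "cmd.exe" and as_system and event["parent"].lower() == "svchost.exe":
        findings.append("SYSTEM cmd.exe started by the Task Scheduler host")
    if name == "explorer.exe" and as_system:
        findings.append("explorer.exe running as SYSTEM")
    # heuristic: a SYSTEM screensaver outside system32 is not one Windows shipped
    if name.endswith(".scr") and as_system and not image.startswith("c:\\windows\\system32\\"):
        findings.append("SYSTEM screensaver launched from outside system32")
    return findings

def scan(events):
    """Map each event index to its findings, skipping events with none."""
    return {i: f for i, e in enumerate(events) if (f := classify(e))}

FINDINGS = scan(SAMPLE_EVENTS)  # flags events 0, 1, 2 and 5; 3, 4 and 6 are clean
```

Two commenters below point out that both routes require an existing administrator account, so the SYSTEM-context cmd.exe and explorer.exe are the signal worth alerting on, not the at submission alone.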


Comment by cybernet alien on November 16, 2009 at 5:26pm
About to try that trick on Win XP SP2...
Comment by Juza on August 13, 2009 at 1:52pm
Works fine for me (Win XP SP3). Good job!
Comment by dozzyjean on April 16, 2009 at 11:11pm
I was using the at command on my Windows Vista and it was telling me access denied, so I would really love to know how to start getting things to work.
Can anybody please tell me what to do to start the interactive shell with the at command?
Comment by nookkin on March 4, 2009 at 6:27am
The Bliss wallpaper flashing on the desktop during startup is due to the fact that the login desktop is run in the SYSTEM account. The moment you first run Explorer as SYSTEM, a new user profile based on the one in "c:\documents and settings\default user" is created. That's when the Bliss wallpaper is set.

I used this trick to customize the (classic) login desktop (i.e. change theme, colors, wallpaper, etc.). Just open Display Properties and set it up as you wish. If you're using the Welcome screen, you will only get a brief glimpse of the desktop.
Comment by vnsec on March 2, 2009 at 2:04pm
Try this, man! http://freereverseip.com
==>The best service to find all websites on a host
And more...
Comment by Haverlok on January 19, 2009 at 3:02am
That is for elevating privileges from Administrator to System, which means you must be an administrator first :P
Comment by d@v|d on January 9, 2009 at 10:22pm
@Maxx
Here's a play-by-play with screenshots of the "Jump to URL" option being used in Vista.
My Blog
Hope this helps.
Comment by Stuffe on January 9, 2009 at 11:41am
Or just copy-paste cmd.exe and rename it "cmd.scr". Windows runs "screensavers" as SYSTEM. But either way, you won't get SYSTEM unless you already have admin.
Comment by Maxx on January 8, 2009 at 12:49pm
Hi d@v|d, excellent post.
However, I am still not able to figure out the "2) In Windows Calculator go to help\help topics\ hit the ? on the top of the window and "jump to url"" trick.
Plus, I log on to a LAN in a domain, and all I get in the shell is z:/, so I guess the Windows Calculator trick can probably help me here in getting a c:/ shell, which is otherwise access denied. Help me.
Comment by univax on January 5, 2009 at 5:33pm
Good article. I've used the "at" command exploit a couple of times in the past, but it's important to know, like you already mentioned, that it won't work if the Admin has disabled it.

Neat trick with the Windows Calculator. I didn't know that one before. Trying a few things, I see that it also works with games like Winmine and Solitaire, since these exe files are also stored in the /system32 folder.
