
Thread: XP SP2 Power User -> Administrator

  1. #1
    Just burned his ISO
    Join Date: Feb 2008
    Posts: 3

    XP SP2 Power User -> Administrator

    Evening all,

    What started as a small challenge is now causing me to rip my hair out! So, I fired up an old virtual machine I had lying around and after several attempts realised that I had forgotten the Administrator password. However, I logged in as an account that for some reason had been made a Power User (no idea why). I then thought this would be a good challenge: try to get administrator privileges.

    A quick Google and things are looking good: everyone is talking about how easy it is, but 4 hours later still no luck. Then I discover Metasploit; another 5 hours later, with red eyes, still no luck. I am now posting on here in a bid that someone might be able to give me some pointers or a method by which this can be done. Here is what I have tried:

    1. Copy cmd.exe to admin.scr, set admin.scr as the Screensaver and voila I get a prompt. Unfortunately it is still running as the power user.

    2. Rename C:\WINDOWS\System32\utilman.exe - Access Denied

    3. at 20:20 /interactive cmd.exe - Access Denied

    4. sc config ServiceName binPath= C:\WINDOWS\System32\cmd.exe - Access Denied

    5. Edit HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options - Access Denied

    6. I have tried the windows/smb/MS08_067_netapi exploit but it fails.

    7. Used Metasploit to construct an executable that connects back and gives me a meterpreter prompt; however, this runs as the power user and not an Administrator, so I am still limited.

    Hopefully by posting the above people can see I have actually tried to work this out myself!! Please note I am aware that I can just boot the VM with BackTrack and dump the SAM or rename utilman.exe, but that is no fun.

    What would other people do next?

    Regards

  2. #2
    Member kazalku
    Join Date: Feb 2009
    Posts: 416

    Easy, even I can see 2 ways:

    Quote Originally Posted by the OP:
        7. Used Metasploit to construct an executable that connects back and gives me a meterpreter prompt; however, this runs as the power user and not an Administrator, so I am still limited.

    From here, use hashdump to dump your administrator password and crack it (even online cracking is available).

    Secondly, download the ophcrack ISO image for XP, make a bootable CD, boot from the CD and it will do the rest of the business..........
    If you can't explain it simply, you don't understand it well enough -- Albert Einstein

  3. #3
    Junior Member AnActivist
    Join Date: Apr 2009
    Posts: 77

    Don't forget to load the Priv module before you hash dump:
    Code:
    meterpreter > use priv
    meterpreter > hashdump

  4. #4
    Just burned his ISO
    Join Date: Feb 2008
    Posts: 3

    Quote Originally Posted by kazalku:
        Easy, even I can see 2 ways:

        From here, use hashdump to dump your administrator password and crack it (even online cracking is available).

        Secondly, download the hxxp://ophcrack.sourceforge.net/download.php ISO image for XP, make a bootable CD, boot from the CD and it will do the rest of the business..........

    Thanks for the rapid response, much appreciated. Unfortunately hashdump fails because the meterpreter only has Power User rights, because the executable is executed as a Power User. This method would normally work because most people just run as Administrators.

    Regards

  5. #5
    Member kazalku
    Join Date: Feb 2009
    Posts: 416

    I thought hashdump is enabled by default... maybe on the latest update of msf... not sure... anyway, under meterpreter type "?" without the ""... if you find the command hashdump... use it... otherwise... just do as AnActivist said: use priv

    Edit: You just posted 1 second before me... well, go for the CD method then...

  6. #6
    Just burned his ISO
    Join Date: Feb 2008
    Posts: 3

    Yes, when I tried with meterpreter I had to use the 'use priv' command first. I'm really looking for a way to do this without just booting from a Live CD; that's easy and doesn't require any thinking.

    I'll keep trying, although I am surprised how difficult this is.

    Regards

  7. #7
    Member kazalku
    Join Date: Feb 2009
    Posts: 416

    It's not that hard actually; once you've got a meterpreter session, the box is almost yours. You need to "acquire" administrative privilege; there are ways. Give it some time, search, learn, and you will reach the goal. And it's all fun...

  8. #8
    Good friend of the forums
    Join Date: Feb 2009
    Posts: 356

    The key word here would be "privilege escalation".

  9. #9
    My life is this forum Barry
    Join Date: Jan 2010
    Posts: 3,817

    Would be easier to just wipe out the administrator password.
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

  10. #10
    Good friend of the forums
    Join Date: Feb 2009
    Posts: 356

    Or use Kon-Boot to just log into it...
