Re: priviledge escalation techniques

[Pieter Danhieux <pdanhieux () easynet be>]

On 22 Jan 2005, at 09:20, Eyal Udassin wrote:

> Hi,
>
> The easiest way to perform privilege escalation on windows, whatever
> version, is to list the executables in the
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 
> registry
> key. All of these executables are run under SYSTEM.
>
> Once you get hold of that list, see if you have write permissions to 
> replace
> the original executable with your own. Don't forget to execute the 
> original
> from your code, or otherwise you may cause the system to become 
> unstable.
>
> I had a client which had such a key pointing to an old printer 
> installation
> utility which no longer existed, in an unprotected directory outside of
> "program files". That was the beginning of the end of the pentest :-)
>
> If all the files can't be overridden, try to boot with command line 
> only and
> replace them. Another approach is to remove the hard drive and perform 
> the
> switch on another computer, with the victim HD as a secondary drive.
>
> Eyal Udassin - Swift Coders
> POB 1596 Ramat Hasharon, 47114
> 972+547-684989
> eyal () swiftcoders com - www.swiftcoders.com

Or you can use a linux live cd that supports NTFS read/write 
operations. If have already tested KANOTIX and the captive-ntfs 
filesystem (which used the windows drivers to read/write on ntfs)

regards

--
Pieter Danhieux, CISSP, GSEC