Local Privileges Escalation in WinXP

Did you know that you can escalate your privileges and become the SYSTEM user on a WinXP box simply by using the at command? Try this at home:

at 11:45pm /interactive cmd.exe

You just scheduled a job that will pop up a new cmd window exactly at 11:45pm. Who is the parent of this window? Why SYSTEM of course. But we are not done yet.

Have the new cmd window up? Good. Now kill explorer.exe using the Task Manager. Yes, just kill it! Keep the new cmd window open though. Use it to run explorer again by typing in explorer.exe. Done!

You are now logged in as SYSTEM. You can now go ahead and do all the nifty admin things that you always wanted to do but your IT department wouldn’t let you. ;) You might get in trouble when they find out though. So, don’t go crazy with your newfound power.

If you still don’t believe me, here is a video that shows you how it’s done.
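From the defender's side, the tell-tale sign of this trick is easy to spot: on a normal XP session, explorer.exe and cmd.exe belong to the logged-in user, never to NT AUTHORITY\SYSTEM on the interactive console. The script below is an added example, not part of the original post, that parses the output of tasklist /V /FO CSV and flags interactive programs owned by SYSTEM on the console session. A constructed sample of tasklist output is embedded so it runs anywhere; on a Windows host it queries the live process list instead. Worth keeping in mind when assessing the risk: the at command only accepts jobs from members of the local Administrators group, so this moves an administrator up to SYSTEM rather than giving a standard user admin rights.

```python
import csv
import io
import os
import subprocess

# Constructed sample of `tasklist /V /FO CSV` output (not captured from a real
# machine). The column order matches what tasklist emits in CSV format.
SAMPLE_TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System","4","Console","0","236 K","Running","NT AUTHORITY\\SYSTEM","0:00:05","N/A"
"services.exe","652","Console","0","3,512 K","Running","NT AUTHORITY\\SYSTEM","0:00:02","N/A"
"svchost.exe","896","Console","0","4,120 K","Running","NT AUTHORITY\\SYSTEM","0:00:01","N/A"
"explorer.exe","1544","Console","0","18,740 K","Running","NT AUTHORITY\\SYSTEM","0:00:03","Program Manager"
"cmd.exe","1700","Console","0","2,380 K","Running","NT AUTHORITY\\SYSTEM","0:00:00","C:\\WINDOWS\\system32\\cmd.exe"
"notepad.exe","1812","Console","0","3,004 K","Running","WORKSTATION\\alice","0:00:00","Untitled - Notepad"
'''

# Programs a person runs interactively. Services legitimately run as SYSTEM;
# a desktop shell or command prompt owned by SYSTEM on the console means
# somebody is operating the desktop with SYSTEM's token.
INTERACTIVE_IMAGES = {"explorer.exe", "cmd.exe"}
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


def parse_tasklist_csv(text):
    """Turn tasklist CSV output into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def find_system_desktop_processes(rows):
    """Return (image, pid, window title) for interactive images that run as
    SYSTEM on the console session; an empty list means nothing suspicious."""
    hits = []
    for row in rows:
        if (row["Image Name"].lower() in INTERACTIVE_IMAGES
                and row["User Name"].upper() == SYSTEM_ACCOUNT
                and row["Session Name"].lower() == "console"):
            hits.append((row["Image Name"], int(row["PID"]), row["Window Title"]))
    return hits


def collect_live_tasklist():
    """On Windows, fetch the real process list in the same CSV format."""
    result = subprocess.run(["tasklist", "/V", "/FO", "CSV"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    text = collect_live_tasklist() if os.name == "nt" else SAMPLE_TASKLIST_CSV
    for image, pid, title in find_system_desktop_processes(parse_tasklist_csv(text)):
        print(f"SYSTEM-owned interactive process: {image} (PID {pid}) '{title}'")
```

Against the constructed sample the script reports the explorer.exe and cmd.exe entries and stays quiet about services.exe, svchost.exe and the user's notepad.exe. Scheduling the same command through a logon script or a periodic at job of your own turns it into a cheap monitor for the console session.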




