Full Disclosure mailing list archives
Re: Abusing Windows 7 Recovery Process
From: some one <s3cret.squirell () gmail com>
Date: Mon, 8 Jul 2013 20:47:31 +0100
Errrr, the user wasn't there, never mind him being admin... I'll test this out again when I next do a Win7 review on a job.

On 8 Jul 2013 11:39, "Fabien DUCHENE" <f.duchene () car-online fr> wrote:

> There may be an Active Directory domain policy which only allows a configured set of groups/users to be admin of your workstation. Keep in mind domain policies are applied at startup and periodically.
>
> Message: 1
> Date: Mon, 1 Jul 2013 15:16:45 +0100
> From: some one <s3cret.squirell () gmail com>
> To: full-disclosure () lists grok org uk
> Subject: Re: [Full-disclosure] Abusing Windows 7 Recovery Process
> Message-ID: <CA+1kKf460FE0uo7ps780N3f=gFh8G=i0+o1yR5w1uPocZUbVwg () mail gmail com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> I tried this out onsite today. Got the cmd.exe as described and added a user into the local admin group... Restarted the box, tried to log in as the new user, and it isn't there... Logged in as a legit admin and ran net users and no mention of my created account... Weird...
>
> On Jun 30, 2013 10:54 AM, "Cool Hand Luke" <coolhandluke () coolhandluke org> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> On 06/29, Grandma Eubanks wrote:
>>
>>> However, I think this is still interesting. It's been a while since I've played with Windows boxes and won't have access to one for a couple days, but isn't this triggering off of vendor supplied recovery partitions? This is a regular Windows 7 sole partition box you tried this on?
>>
>> from a first look, i don't think a vendor-supplied recovery partition is necessary. it appears that it would also be possible if the "system restore" setting was enabled (but don't quote me on that). i'm not sure how likely that is in your average large, corporate environment. the ones i've seen have system restore disabled and opt to reimage systems instead when issues occur. i'm sure there are some environments where this could be useful, however.
>>
>> - -chl
>>
>> - --
>> cool hand luke
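The exchange above turns on two defender-side questions: which accounts are actually in the local Administrators group right now, and whether a Restricted Groups policy (the Active Directory mechanism Fabien describes, which re-applies group membership at startup and on each refresh) is managing that group. The following PowerShell audit is an added example written for this thread, not code posted by any of the participants. It assumes the allowlist in `$Expected` matches your own build standard, uses the ADSI WinNT provider so it also runs on Windows 7 / PowerShell 2.0 where `Get-LocalGroupMember` does not exist, and assumes that `secedit /export` reflects domain-applied Restricted Groups entries in the local security database (true in my experience, but verify on your own estate).

```powershell
# Added example, not from the thread: audit the local Administrators group
# against an allowlist and report whether Restricted Groups manages it.
# Run from an elevated prompt on the workstation being reviewed.

# Assumption: these are the only principals expected in Administrators here.
$Expected = @('Administrator', 'Domain Admins')

function Get-LocalAdminMembers {
    # WinNT provider works on Windows 7 / PowerShell 2.0 as well as newer builds.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        # AdsPath is WinNT://DOMAIN/Name for domain principals and
        # WinNT://HOSTNAME/Name for local accounts, so the first path element
        # tells you whether a member lives in the local SAM or in AD.
        $source = (($path -replace '^WinNT://', '') -split '/') | Select-Object -First 1
        New-Object PSObject -Property @{ Name = $name; Source = $source }
    }
}

function Test-RestrictedGroupsPolicy {
    # Assumption: the exported [Group Membership] section contains an entry for
    # S-1-5-32-544 (Administrators) when Restricted Groups manages the group.
    # Such a policy is what removes out-of-policy members at the next refresh.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /areas GROUP_MGMT | Out-Null
    if (-not (Test-Path $cfg)) { return $false }
    $managed = Select-String -Path $cfg -Quiet `
        -Pattern '^(\*S-1-5-32-544|Administrators)__Members'
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return [bool]$managed
}

$members    = @(Get-LocalAdminMembers)
$unexpected = @($members | Where-Object { $Expected -notcontains $_.Name })

"Local Administrators on ${env:COMPUTERNAME}:"
$members | Format-Table Name, Source -AutoSize

if ($unexpected.Count -gt 0) {
    "UNEXPECTED members (investigate; compare against change records):"
    $unexpected | Format-Table Name, Source -AutoSize
} else {
    "No unexpected members."
}

if (Test-RestrictedGroupsPolicy) {
    "Restricted Groups policy manages Administrators: out-of-policy members are removed at the next policy refresh."
} else {
    "No Restricted Groups policy for Administrators: any addition persists until someone removes it."
}
```

Running this on a domain-joined workstation before and after a policy refresh (`gpupdate /force`) shows the behaviour Fabien points to: a member that is present in the first listing and gone in the second, with the policy check reporting `True`, was removed by Restricted Groups rather than never created. If the policy check reports `False` and the account is still absent, the explanation lies elsewhere and is worth following up in the review.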