Trying to get admin privileges from a standard user

30 July 2015

So recently I was at my grandma's, where I only had access to a low-privileged account: my uncle had set up the system and put a password on the admin account. I figured it would be a nice challenge to get hold of his password, or to get higher privileges some other way. One constraint, though: I had to achieve this without rebooting the machine.

Attempt #1

The at scheduler could run programs as SYSTEM (on Windows XP, at <time> /interactive cmd.exe gave an interactive SYSTEM shell), but that trick no longer works on Windows 7: since Vista, services run in session 0 and cannot show a window on the user's desktop, and at requires membership of the local Administrators group anyway. Accordingly, running at <time> /interactive cmd.exe, or just at on its own, gave Access denied.

Then I read something about creating a service that would run cmd.exe, but I still had too little knowledge about services, so I didn't try it. It would not have helped from a standard account anyway: creating a service needs SC_MANAGER_CREATE_SERVICE access on the service control manager, which only administrators have.

Attempt #2

There is a registry hive called SAM (Security Account Manager), which holds the password hashes of the local accounts. Thanks to Wikipedia we know it is stored in %SystemRoot%\System32\config\SAM and that the file is held open by the kernel while Windows is running. However, the same hive is also mounted in the registry under HKLM\SAM. So a quick jump to RegEdit and ... Access denied. That is expected: the hive's ACL effectively lets only SYSTEM read it, so even an administrator has to grant themselves access or run as SYSTEM first.

I remembered one more thing: on Windows 7 the WDigest authentication package keeps the cleartext passwords of logged-on users in the memory of the LSA process (lsass.exe), which led to the next attempt.

Attempt #3 - mimikatz

So there's this great tool called mimikatz by Benjamin Delpy (gentilkiwi); it's available on GitHub. One of its modules, sekurlsa, reads credentials out of the memory of the lsass.exe process. Since lsass runs as SYSTEM, opening it for reading needs SeDebugPrivilege (mimikatz enables it with privilege::debug), and by default only administrators hold that privilege, so this route also needs the very rights I was after. I was hoping to be done soon. And then came the problem: Avast Antivirus. Yeah, I wasn't even able to download mimikatz. Fortunately it's possible with PowerShell: PS> (New-Object System.Net.WebClient).DownloadFile($url, $path). But I downloaded a .zip file, and during extraction Avast scanned it. And even when I isolated the file, Avast performed a scan at first run. I think it could actually be bypassed by having a clean program, anything, running it, having Avast check it and add its path to the clean files, then renaming mimikatz.exe to this clean file's name and running it. I didn't check that last part, I was too tired, but I'll make sure to do it next time and see what I can get.
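As an added example (not code from the original post), here is a PowerShell script that checks, from the standard user's session, the prerequisites behind all three attempts: whether the token is elevated, which privileges it holds (SeDebugPrivilege is the one lsass reading needs), whether the SAM file and the HKLM\SAM hive can be opened, and whether lsass.exe can be opened with the access rights a credential dumper uses. It assumes Windows 7 or later with PowerShell 2.0 or newer; the Probe.K32 P/Invoke wrapper and the function names are this example's own. It only reports and changes nothing on the machine.

```powershell
# Added example, not from the original post: probe what the current Windows
# token is allowed to do, one check per attempt described in the post.
# Assumptions: Windows 7+, PowerShell 2.0+, run from the standard user's session.

# Hypothetical helper type (this example's own) wrapping two kernel32 calls.
$k32 = Add-Type -Namespace Probe -Name K32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

# Attempt #1: scheduling as SYSTEM and creating a service both need an
# elevated administrator token. Under UAC an admin's unelevated token is filtered.
function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Privileges held by the token (enabled or disabled). Reading lsass.exe the way
# mimikatz does needs SeDebugPrivilege, which by default only Administrators have.
function Get-TokenPrivileges {
    whoami /priv /fo csv | ConvertFrom-Csv | Select-Object 'Privilege Name', State
}

# Attempt #2a: the on-disk hive. "Access denied" (ACL) and a sharing violation
# (the kernel holds the file open) are different answers worth telling apart.
function Test-SamFileAccess {
    $path = Join-Path $env:SystemRoot 'System32\config\SAM'
    try {
        $fs = [IO.File]::Open($path, 'Open', 'Read', 'ReadWrite')
        $fs.Close()
        'SAM file: readable (not expected on a running system)'
    } catch [UnauthorizedAccessException] {
        'SAM file: access denied by ACL'
    } catch [IO.IOException] {
        "SAM file: $($_.Exception.Message.Trim())"
    }
}

# Attempt #2b: the same hive mounted in the registry. HKLM\SAM\SAM is readable
# by SYSTEM only; Administrators must first grant themselves access.
function Test-SamHiveAccess {
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SAM\SAM')
        if ($key) { $key.Close(); 'HKLM\SAM\SAM: readable' } else { 'HKLM\SAM\SAM: not found' }
    } catch [Security.SecurityException] {
        'HKLM\SAM\SAM: access denied'
    }
}

# Attempt #3: can lsass.exe be opened with the rights a credential dumper needs?
# PROCESS_QUERY_INFORMATION (0x400) | PROCESS_VM_READ (0x10) = 0x410.
# Note: $pid is reserved in PowerShell (the current process id), hence $lsassId.
function Test-LsassAccess {
    $lsassId = (Get-Process -Name lsass).Id
    $handle = $k32::OpenProcess(0x0410, $false, [uint32]$lsassId)
    if ($handle -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()  # 5 = ERROR_ACCESS_DENIED
        return "lsass.exe (PID $lsassId): OpenProcess failed, Win32 error $err"
    }
    [void]$k32::CloseHandle($handle)
    "lsass.exe (PID $lsassId): PROCESS_VM_READ granted, memory can be read"
}

"Elevated: $(Test-IsElevated)"
Get-TokenPrivileges | Format-Table -AutoSize
Test-SamFileAccess
Test-SamHiveAccess
Test-LsassAccess
```

Run it once as the standard user and once from an elevated prompt and compare: the standard user should see no SeDebugPrivilege in the list, access denied on both SAM checks, and Win32 error 5 from OpenProcess, which is exactly why none of the three attempts could have succeeded before the antivirus even entered the picture.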