So rather than just focussing on holes in the Microsoft system itself, where frankly I'm not really talented enough to find much, I decided to look at the configuration and implementation. In my opinion I would have much better luck looking for mistakes made by people who were not necessarily trying to secure a system but rather trying to get a system to work.
In this post I'll focus on a common mistake made by the guys who build the system, one that allows a standard user to escalate to full system privileges.
Looking at Services
It would be nice to use WMIC to look for services that are in a directory that I can write to and that start automatically:
wmic service get name,startmode,pathname | find /i "auto"
However, when trying to run WMIC I get an error telling me that I need to be a member of the Administrators group. I could just go to Services.msc, but this means that I have to go through each service one by one to get the path to its executable. A better tool I found for this is MSInfo32.exe.

As can be seen in the screenshot I can quickly scan down the autostarted services for ones that have paths that I can write to. I also need the service to be running with an account with some decent privileges.
OK, VNC looks pretty good.
I go to the directory that VNC runs from and rename the executable. I then copy Taskmgr.exe from System32 to the VNC directory and rename it to the name of the VNC executable.

After a restart I see that I have no VNC in the system tray, so I go to Services.msc and start the service. Task Manager starts up for about a minute and then closes. OK, that's good. I start the service again and quickly launch a command shell before it closes; great, now I have my SYSTEM command shell. From here I can add accounts, change settings, install software, etc. But maybe I want my full desktop. I launch Taskmgr.exe from the command shell, kill explorer from the process list and then launch explorer from the File menu. Fantastic, I have a whole desktop running as SYSTEM; now I really am closer to god!
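The root cause above is a service that starts automatically, runs under a privileged account, and has its executable (or the directory holding it) writable by ordinary users. The following PowerShell audit is an added example, not code from the original post: it reads the service definitions from the registry (which a standard user can do, unlike the WMIC query that failed above), resolves each auto-start Win32 service's binary, and reports any whose file or parent directory grants write-type rights to broad low-privilege principals. The list of principals and the set of "write" rights are assumptions chosen for an English-locale Windows install; adjust both for your environment.

```powershell
# Added audit example (not from the original post). Read-only: it changes nothing.
# Lists auto-start Win32 services whose binary, or the directory containing it,
# is writable by low-privilege principals, i.e. the misconfiguration described above.

# Assumption: broad principals whose write access on a service binary is a finding.
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Assumption: rights that let a caller replace, alter or re-permission the target.
# (WriteData/AppendData on a directory are CreateFiles/CreateDirectories.)
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
$genericWriteMask = 0x50000000   # GENERIC_ALL | GENERIC_WRITE, seen on inherited ACEs

function Get-ServiceBinaryPath {
    # Pull the executable out of an ImagePath such as:
    #   "C:\Program Files\Vendor\svc.exe" -service
    #   C:\Windows\system32\svchost.exe -k netsvcs
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-LowPrivWritable {
    # Returns the low-privilege principals that hold write-type Allow ACEs on $Path,
    # or nothing if there are none (or the ACL cannot be read).
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    $hits = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $writeMask) -ne 0 -or ($rights -band $genericWriteMask) -ne 0) {
            $ace.IdentityReference.Value
        }
    }
    return $hits
}

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings = foreach ($key in Get-ChildItem -LiteralPath $servicesKey -ErrorAction SilentlyContinue) {
    $p = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
    if (-not $p -or $p.Start -ne 2 -or -not $p.ImagePath) { continue }   # 2 = Automatic
    if (($p.Type -band 0x30) -eq 0) { continue }   # keep Win32 services, skip drivers

    $exe = Get-ServiceBinaryPath ([Environment]::ExpandEnvironmentVariables($p.ImagePath))
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
    $dir = Split-Path -LiteralPath $exe -Parent

    $fileHits = Test-LowPrivWritable $exe
    $dirHits  = Test-LowPrivWritable $dir
    if ($fileHits -or $dirHits) {
        [pscustomobject]@{
            Service        = $key.PSChildName
            # ObjectName absent means the service runs as LocalSystem.
            Account        = if ($p.ObjectName) { $p.ObjectName } else { 'LocalSystem' }
            Binary         = $exe
            FileWritableBy = ($fileHits -join ', ')
            DirWritableBy  = ($dirHits -join ', ')
        }
    }
}

# Services running as LocalSystem are the most severe, so list them first.
$findings | Sort-Object { $_.Account -ne 'LocalSystem' }, Service | Format-Table -AutoSize
```

Anything this prints is a candidate for exactly the swap described above: a user who can write to the reported file or directory can have their own binary run under the listed account on the next service start. Remediation is to move the service binary under a directory whose ACL grants write only to Administrators and SYSTEM (as Program Files does by default), or to strip the write-type ACEs from the installer-created directory; re-run the audit afterwards to confirm the service no longer appears.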
