              Outbreak Magazine Issue #13 - Article 2 of 15
          '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'

"The anTrojan Filez 7"

How to do Privilege Elevation Using System Services
===================================================

CASE STUDY

Someone I know came to me asking how to get their Administrator
password back - he had forgotten it on his home computer. However,
he said he had a Power User login to the system. It was running
Windows 2000 Professional.

The easiest way, I thought, was to make use of a program with
System or Administrator rights to reset the Administrator
account's password. The most common place to find programs that
run as privileged users is the system services, so I looked there
for certain clues.

In Control Panel, Administrative Tools, Services, I quickly looked
through the list to see if any services were set to Automatic
startup but were not currently running. The service also needed to
be one with Local System or Administrator rights. I found one. It
was set to Automatic and ran as Local System, but was not currently
running (probably because the Zip drive was unplugged). The fact
that it was not running is very important, because we need to
replace the .exe file with one of our own. If a service can be
crashed you can get around this problem. While the service is
running the file is locked and can't be changed by normal users.

The next thing to check is that the file permissions of the .exe
will allow your current user login to rename it. Luckily the
install routine hadn't set any permissions on this particular .exe,
and the default permissions gave me enough rights to rename it.
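As an added example (not part of the original article), here is the defender-side version of the check just described: a PowerShell audit that lists every service whose binary, or the directory it lives in, carries an Allow entry granting write, delete or permission-change rights to a principal outside an assumed trusted set. It assumes Windows PowerShell 5.1 or later, and the $trusted list is an assumption about which principals should hold such rights on a given host.

```powershell
# Added example, not from the original article: audit each installed service's
# binary and its parent directory for ACL entries that would let a
# non-administrative principal rename or replace the executable.
# Assumes Windows PowerShell 5.1 or later. $trusted is an assumption about which
# principals are expected to hold write access; adjust it per host.

$trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Rights that allow replacing a file, or creating/deleting entries in a directory
# (a rename needs Delete on the file or DeleteSubdirectoriesAndFiles on the
# parent, plus write access to the directory for the new name).
$dangerous = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-WeakAce {
    param([string]$Path)
    # Only Allow entries are considered; a Deny entry for the same principal
    # would override them, so treat hits as leads to verify, not proof.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object { $trusted -notcontains $_.IdentityReference.Value } |
        Where-Object { ($_.FileSystemRights -band $dangerous) -ne 0 }
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    # PathName may be quoted and may carry arguments; keep only the executable.
    # Unquoted paths containing spaces will fail Test-Path and are skipped.
    if ($svc.PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($svc.PathName -split ' ')[0] }
    if (-not (Test-Path -LiteralPath $exe)) { return }

    foreach ($target in @($exe, (Split-Path -Parent $exe))) {
        foreach ($ace in (Get-WeakAce -Path $target)) {
            [PSCustomObject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode   # 'Auto' services start at next boot
                State     = $svc.State       # a 'Stopped' binary is not locked
                RunsAs    = $svc.StartName   # e.g. LocalSystem
                Target    = $target
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
} | Sort-Object Service | Format-Table -AutoSize
```

Run it from an elevated prompt so Get-Acl can read every binary; rows where StartMode is Auto, State is Stopped and RunsAs is LocalSystem are exactly the combination the article looked for.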

So, next step, I created a dummy System Service program that could
handle being stopped or started, and all it would do when run was
start a batch file. I renamed the original system service .exe (so
that I could rename it back again afterwards and not mess anything
up). I then copied the dummy service into the same directory and
renamed the file to match the original service .exe name. What
would happen then is that on the next reboot my new dummy .exe
would get run instead of the intended one.

The batch file that I would run from the dummy .exe would have one
simple command in it:

@echo off
net user administrator password

That sets the Administrator's password to "password". The computer
was then rebooted. Wait for the hard drive to settle when the
computer comes back up again (to give our .exe enough time to have
started). Then simply log in as Administrator with our new
password. :)

Now go back and delete the dummy .exe file and rename the original
one back to its correct name. Delete the temporary batch file that
sets the password. Set your password to something a little more
sensible using the Control Panel.

Check the Event logs to see what got logged during your password
recovery exercise.

- Timeless
Greets to all at #hackerzlair and #outbreakzine on DalNet.

