Where you at? – Privilege escalation in windows

Privilege escalation is usually a topic when discussing UNIX based systems. Due to the fact that the default setting in windows is to run as a full administrator escalating your privileges seems fairly pointless. Most exploits in windows systems occur on service accounts which generally have full control on a system, most services in UNIX based systems, on the other hand, run under dedicated accounts with limited rights.

So the questions are:

1) What are the benefits of escalating your privileges in windows?

2) How do you escalate your privileges?

What are the benefits of escalating your privileges?

When you are already running as a full administrator on your system where can you go from there? Isn’t administrator the top echelon of the rights totem pole?

While the administrator account has the highest user privileges on a system, there is one account that has slightly higher privileges, the windows system account. When running as the windows system account you are essentially running as the system.

How do you escalate your privileges?

The process is quite simple actually; you need to get the system account to run a program that you can interact with. This is where the “at” command comes into play. The “at” command schedules a task as a specific time, unlike the “schtasks” command which runs a job under the account that scheduled it, the “at” command runs it as “SYSTEM”.

Open a command prompt and type:

at 13:01 /interactive cmd

This schedules a task to open up a command prompt window at 1:01 pm and sets it to run in interactive mode. You will notice that a standard command prompt has the title of “C:WINDOWSsystem32cmd.exe”, the new command prompt window will have a title of “C:WINDOWSSystem32svchost.exe”.

When loading task manager you will notice that the “cmd.exe” process is running under the “SYSTEM” account.

From here you can end your explorer.exe process and run explorer in the escalated command prompt. This will run explorer as the system, you can confirm this using the task manager or if you have a theme that shows your username in the start menu you will notice that in place of your username, it will say “SYSTEM”.

Leave a Reply

Your email address will not be published. Required fields are marked *