
Hacking Webpages: The Ultimate Guide
By Virtual Circuit and Psychotic

Well, Psychotic wrote one of the most helpful Unix text files in cyberspace, but with the mail that we received after the release of our famous 36-page Unix Bible we realised that Unix isn't for everybody, so we decided that we should write on another aspect of hacking. Virtual Circuit and Psychotic are proud to release "Hacking Webpages With a Few Other Techniques." We will discuss a few various ways of hacking webpages and getting root. We are also going to interview and question other REAL hackers on the subjects.

Getting the Password File Through FTP

OK, well, one of the easiest ways of getting superuser access is through anonymous FTP access into a webpage. First you need to learn a little about the password file...

Code:
root:User:d7Bdg:1n2HG2:1127:20:Superuser
TomJones:p5Y(h0tiC:1229:20:Tom Jones,:/usr/people/tomjones:/bin/csh
BBob:EUyd5XAAtv2dA:1129:20:Billy Bob:/usr/people/bbob:/bin/csh

This is an example of a regular encrypted password file. The Superuser is the part that gives you root. That's the main part of the file.

Code:
root:x:0:1:Superuser:/:
ftp:x:202:102:Anonymous ftp:/u1/ftp:
ftpadmin:x:203:102:ftp Administrator:/u1/ftp

This is another example of a password file, only this one has one little difference: it's shadowed. Shadowed password files don't let you view or copy the actual encrypted password. This causes problems for the password cracker and dictionary maker (both explained later in the text). Below is another example of a shadowed password file:

Code:
root:x:0:1:0000-Admin(0000):/:/usr/bin/csh
daemon:x:1:1:0000-Admin(0000):/:
bin:x:2:2:0000-Admin(0000):/usr/bin:
sys:x:3:3:0000-Admin(0000):/:
adm:x:4:4:0000-Admin(0000):/var/adm:
lp:x:71:8:0000-lp(0000):/usr/spool/lp:
smtp:x:0:0:mail daemon user:/:
uucp:x:5:5:0000-uucp(0000):/usr/lib/uucp:
nuucp:x:9:9:0000-uucp(0000):/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:uid no body
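An added audit example, not part of the guide above: a small Python check that reads a passwd-style file and reports the conditions the text describes from the defender's side, a hash left in the second field instead of the shadow marker, an empty password field, extra UID-0 accounts, and lines that do not parse. The sample entries are constructed and the hash-looking strings are placeholders.

```python
"""Audit a /etc/passwd-style file for the weaknesses the guide describes:
hashes left in the world-readable file (unshadowed), empty password
fields, extra UID-0 accounts, and lines that do not parse at all."""

# Constructed sample: the hash-looking strings are placeholders, not real
# credentials, and one deliberately malformed line is included.
SAMPLE_PASSWD = """\
root:x:0:0:Superuser:/root:/bin/sh
ftp:x:202:102:Anonymous ftp:/u1/ftp:/bin/false
tomjones:p5Y(h0tiC:1229:20:Tom Jones:/usr/people/tomjones:/bin/csh
bbob::1129:20:Billy Bob:/usr/people/bbob:/bin/csh
toor:x:0:0:Second UID-0 account:/:/bin/sh
this line is not a passwd entry
"""

# Second-field values that mean "no hash here": shadowed or locked.
NO_HASH_MARKERS = {"x", "*", "!", "!!", "*LK*"}


def parse_passwd(text):
    """Split text into 7-field entries; return (entries, malformed_line_numbers)."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            malformed.append(lineno)
            continue
        entries.append(fields)
    return entries, malformed


def audit_passwd(text):
    """Return findings keyed by type: lists of user names (or line numbers)."""
    entries, malformed = parse_passwd(text)
    findings = {"unshadowed": [], "empty_password": [], "extra_uid0": [],
                "malformed_lines": malformed}
    for name, pw, uid, _gid, _gecos, _home, _shell in entries:
        if pw == "":
            findings["empty_password"].append(name)    # logs in with no password
        elif pw not in NO_HASH_MARKERS and not pw.startswith("!"):
            findings["unshadowed"].append(name)        # crackable hash exposed
        if uid == "0" and name != "root":
            findings["extra_uid0"].append(name)        # another superuser
    return findings


if __name__ == "__main__":
    for kind, names in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{kind}: {names}")
```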

Hacking "admin" from "user" mode and more




Really, that is possible! Refer to the other articles on this wiki for the
same topic, as Windows seems to have fixed this bug; you can still read
this one for educational purposes.

Why is it called a "user" account? Because it lacks some service layer
that the "administrator" account has.

Using simple command line tools on a machine running Windows XP we will
obtain system level privileges, and run the entire explorer process
(Desktop), and all processes that run from it have system privileges. The
system run level is higher than administrator, and has full control of
the operating system and its kernel. On many machines this can be
exploited even with the guest account. At the time I’m publishing this, I
have been unable to find any other mention of people running an entire
desktop as system, although I have seen some articles regarding the
SYSTEM command prompt.

Local privilege escalation is useful on any system that a hacker may
compromise; the system account allows for several other things that
aren’t normally possible (like resetting the administrator password).

The Local System account is used by the Windows OS to control various
aspects of the system (kernel, services, etc); the account shows up as
SYSTEM in the Task Manager.

Local System differs from an Administrator account in that it has full
control of the operating system, similar to root on a *nix machine. Most
System processes are required by the operating system, and cannot be
closed, even by an Administrator account; attempting to close them will
result in an error message. The following quote from Wikipedia explains
this in an easy to understand way:


You can trick the system into running a program, script, or batch file
with system level privileges.

One sample

One trick is to use a vulnerability in Windows long filename support.
Try placing an executable named Program.* in the root directory of the
"Windows" drive, then reboot. The system may run the Program.* with
system level privileges, so long as one of the applications in the
"Program Files" directory is a startup app: the call to "Program Files"
will be intercepted by Program.*.
Microsoft eventually caught on to that trick. Nowadays more and more of
the startup applications are being coded to use limited privileges.



Quote:

In Windows NT and later systems derived from it (Windows 2000, Windows
XP, Windows Server 2003 and Windows Vista), there may or may not be a
superuser. By default, there is a superuser named Administrator, although
it is not an exact analogue of the Unix root superuser account.
Administrator does not have all the privileges of root because some
superuser privileges are assigned to the Local System account in Windows
NT.


Under normal circumstances, a user cannot run code as System, only the
operating system itself has this ability, but by using the command line,
we will trick Windows into running our desktop as System, along with all
applications that are started from within.
Getting SYSTEM
I will now walk you through the process of obtaining SYSTEM privileges.
To start, let's open up a command prompt (Start > Run > cmd > [ENTER]).
At the prompt, enter the following command, then press [ENTER]:

Code:
at

If it responds with an "access denied" error, then we are out of luck,
and you'll have to try another method of privilege escalation; if it
responds with "There are no entries in the list" (or sometimes with
multiple entries already in the list) then we are good. Access to the at
command varies: on some installations of Windows even the Guest account
can access it, on others it's limited to Administrator accounts. If you
can use the at command, enter the following command, then press [ENTER]:


Code:
at 15:25 /interactive "cmd.exe"

Let's break down the preceding command. The "at" told the machine to run
the at command; everything after that are the operators for the command.
The important thing here is to change the time (24-hour format) to one
minute after the time currently set on your computer's clock. For example,
if your computer's clock says it's 4:30pm, convert this to 24-hour format
(16:30), then use 16:31 as the time in the command. If you issue the at
command again with no operators, then you should see something similar to
this:

When the system clock reaches the time you set, then a new command prompt
will magically run. The difference is that this one is running with
system privileges (because it was started by the task scheduler service,
which runs under the Local System account). It should look like this:
You’ll notice that the title bar has changed from cmd.exe to svchost.exe
(which is short for Service Host). Now that we have our system command
prompt, you may close the old one. Run Task Manager by either pressing
CTRL+ALT+DELETE or typing taskmgr at the command prompt. In task manager,
go to the processes tab, and kill explorer.exe; your desktop and all open
folders should disappear, but the system command prompt should still be
there.
At the system command prompt, enter the following:


Code:
explorer.exe


A desktop will come back up, but what is this? It isn't your desktop. Go to
the start menu and look at the user name; it should say "SYSTEM". Also
open up task manager again, and you'll notice that explorer.exe is now
running as SYSTEM. The easiest way to get back into your own desktop is
to log out and then log back in. The following 2 screenshots show my
results:

System user name on start menu


explorer.exe running under SYSTEM

What to do now
Now that we have SYSTEM access, everything that we run from our explorer
process will have it too, browsers, games, etc. You also have the ability
to reset the administrator's password, and kill other processes owned by
SYSTEM. You can do anything on the machine, the equivalent of root; you
are now God of the Windows machine. I'll leave the rest up to your
imagination.
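An added detection example, not from the article: from a defender's side, the trace this trick leaves is a scheduled job that runs an interactive shell as SYSTEM. The Python below parses CSV in the layout of `schtasks /query /fo csv /v` and flags such jobs; the sample rows are constructed, and the column names it relies on (TaskName, Logon Mode, Task To Run, Run As User) are an assumption about that output.

```python
"""Flag scheduled tasks that run an interactive shell as SYSTEM, the shape
that `at HH:MM /interactive cmd.exe` leaves behind. Input is CSV in the
layout of `schtasks /query /fo csv /v`; the column names are an assumption
about that format and the rows below are constructed."""
import csv
import io

SAMPLE_SCHTASKS_CSV = """\
"HostName","TaskName","Next Run Time","Status","Logon Mode","Task To Run","Run As User"
"WS01","At1","16:31:00, 5/5/2010","","Interactive only","cmd.exe","NT AUTHORITY\\SYSTEM"
"WS01","Backup","02:00:00, 5/6/2010","","Background only","C:\\Tools\\backup.exe","NT AUTHORITY\\SYSTEM"
"WS01","At2","16:40:00, 5/5/2010","","Interactive only","explorer.exe","NT AUTHORITY\\SYSTEM"
"WS01","Cleanup","03:00:00, 5/6/2010","","Background only","cmd.exe /c del C:\\tmp\\*.log","WS01\\alice"
"""

# Programs that hand whoever is at the console a full session, not a job.
INTERACTIVE_SHELLS = {"cmd.exe", "command.com", "explorer.exe", "powershell.exe"}


def program_name(task_to_run):
    """Extract the bare executable name from a 'Task To Run' string."""
    cmd = task_to_run.strip().strip('"')
    if not cmd:
        return ""
    first = cmd.split()[0].strip('"')
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_interactive_system_shells(csv_text):
    """Return names of tasks that run a shell, as SYSTEM, with an interactive logon."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        runs_as_system = row.get("Run As User", "").upper().endswith("SYSTEM")
        interactive = "interactive" in row.get("Logon Mode", "").lower()
        shell = program_name(row.get("Task To Run", "")) in INTERACTIVE_SHELLS
        if runs_as_system and interactive and shell:
            hits.append(row["TaskName"])
    return hits


if __name__ == "__main__":
    for name in find_interactive_system_shells(SAMPLE_SCHTASKS_CSV):
        print(f"suspicious interactive SYSTEM task: {name}")
```

A background job such as the constructed "Backup" entry is left alone; only the two At* jobs that match all three conditions are reported.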




ADMINISTRATOR IN WELCOME SCREEN.


When you install Windows XP an Administrator account is created (you are
asked to supply an administrator password), but the "Welcome Screen" does
not give you the option to log on as Administrator unless you boot up in
Safe Mode.

First you must ensure that the Administrator account is enabled:
1 Open Control Panel
2 Open Administrative Tools
3 Open Local Security Policy
4 Expand Local Policies
5 Click on Security Options
6 Ensure that "Accounts: Administrator account status" is enabled

Then follow the instructions from the "Win2000 Logon Screen Tweak", i.e.:
1 Open Control Panel
2 Open User Accounts
3 Click "Change the way users log on or log off"
4 Untick "Use the Welcome Screen"
5 Click Apply Options

You will now be able to log on to Windows XP as Administrator in Normal
Mode.



EASY WAY TO ADD THE ADMINISTRATOR USER TO THE WELCOME SCREEN!


Start the Registry Editor and go to:

Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Right-click an empty space in the right pane and select New > DWORD Value.
Name the new value Administrator. Double-click this new value, and enter
1 as its Value data. Close the Registry Editor and restart.
