So recently I was at my grandma’s and she only had access to a low-privileged account, as my uncle had configured the system and set a password on the admin account. I figured it would be a nice challenge to get my hands on his password, or get higher privileges in some other way. One thing though, I had to achieve this without rebooting the device.
Attempt #1
The task scheduler allows running programs as SYSTEM, but unfortunately it doesn’t work with Windows 7. Furthermore, when attempting to run at <time> /interactive cmd.exe or just at, I was getting an Access denied.
Then I read something about creating a service that would run cmd.exe, but I still have too little knowledge about services, so I didn’t try it.
Attempt #2
There is a registry hive called SAM (Security Account Manager), which holds all the password hashes. And thanks to Wikipedia we know it is in %SystemRoot%/system32/config/SAM and that it is inaccessible when Windows is running. However, it is also in the registry under HKLM/SAM. So a quick jump to RegEdit and … Access denied.
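As an added example (not part of the original post), here is a PowerShell audit, meant to be run from an elevated prompt by whoever administers the machine, that lists the ACLs of the two SAM locations mentioned above and flags any Allow entry granted to low-privileged principals. The list of principals worth flagging is an assumption. Run from a low-privileged account, Get-Acl on HKLM:\SAM fails with the same Access denied described above, which is the intended state of a correctly configured system.

```powershell
# Added example: audit who can read the SAM hive, both the live registry key
# and the on-disk hive file. Not code from the original post.

$targets = @(
    'HKLM:\SAM',
    (Join-Path $env:SystemRoot 'System32\config\SAM')
)

# Assumption: these well-known principals should never hold Allow entries here.
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

foreach ($target in $targets) {
    try {
        $acl = Get-Acl -Path $target -ErrorAction Stop
    } catch {
        # A non-admin caller lands here: reading the security descriptor
        # itself is denied, which is the expected outcome.
        Write-Output ("{0} : cannot read ACL ({1})" -f $target, $_.Exception.Message)
        continue
    }

    foreach ($ace in $acl.Access) {
        $identity = $ace.IdentityReference.Value
        # Registry ACEs expose RegistryRights, file ACEs FileSystemRights.
        $rights = $ace.RegistryRights
        if (-not $rights) { $rights = $ace.FileSystemRights }

        $flag = 'ok'
        if ($ace.AccessControlType -eq 'Allow' -and $lowPrivPrincipals -contains $identity) {
            $flag = 'REVIEW'   # a low-privileged group with any Allow entry on SAM
        }
        Write-Output ("{0,-40} {1,-35} {2,-7} {3}" -f $target, $identity, $flag, $rights)
    }
}
```

On a default installation the only principals with Allow entries on these objects are SYSTEM and Administrators; any REVIEW line means a low-privileged user could read hashes without needing the tricks described in this post, and the ACL should be corrected.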
I remembered one more thing: passwords are kept in plain text in LSA memory, which led to the next attempt.
Attempt #3 - mimikatz
So there’s this great tool called mimikatz by Benjamin Delpy (gentilkiwi). It’s available on GitHub. One of its modules allows infiltrating the protected memory of the lsass.exe process. I was hoping to be done soon. And then came the problem: Avast Antivirus. Yeah, I wasn’t even able to download mimikatz. Hopefully it’s possible with PowerShell: PS> (new-object System.Net.WebClient).DownloadFile( $url, $path ). But I downloaded a .zip file. And during extraction Avast was searching for viruses. And even when I isolated the file, Avast performed a scan at first run. I think it actually could be bypassed by having a clean program, anything, running it, having Avast check it and add its path to clean files, then renaming mimikatz.exe to this clean file, and then running it. I didn’t check that last part, I was too tired, but I’ll make sure to do it next time and see what I can get.