Root Priviledge Escalation in Windows

I have just uncovered a way to perform root priviledge escalation under Windows (tested using Server 2003 SP2)…so easy, with no addons or anything – all you need is a console.

  1. Open up a command prompt (cmd.exe)
  2. Type whoami. This should return your username – lowly peon user.
  3. In the command prompt, enter the following: at <current time + 1 min> /interactive “cmd.exe”
    The point of this step is to set up a scheduled task to execute in one minute of the current time. This scheduled task will launch a command prompt under the credentials of Local System.
    For example: at 11:05 /interactive “cmd.exe” will launch the cmd window at 11:05am.
  4. Type whoami into the new cmd window…..Voila!

Once escalated, you can use taskmgr to kill explorer and then re-run it from the new command prompt with the escalated priviledge.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>