Thread: User somehow managed to get admin rights

#1 - blair (OC3D Crew) - 05-11-17, 06:29 AM

Hello, wondering if you guys can help me. I'm in charge of about 30 PCs at work and they have Windows 10 running; each PC has an admin account and a standard account, and only I have the admin password.

Yet somehow a user managed to change the standard account to admin whilst having no access to Control Panel or Settings; they can't even change the wallpaper. I'm at a loss how they managed it, as they can't run CMD as admin or access Group Policy or the registry, so I have no idea how they changed the account. Any ideas?

Thanks

#2 - RobM (OC3D Elite) - 05-11-17, 02:09 PM

Have they used the admin account that comes with Windows?
It is possible to do this by booting into safe mode.
__________________
ASUS Prime x370 Pro | Ryzen 5 1600 | Antec 240 AIO | Corsair Vengance RGB 3000 2 x 8Gb | Asus Strix RX 470 | Samsung Evo 120gb ssd | Seagate Baracuda 1tb storage | EVGA 500w | Phanteks Entho ProM Acrylic Window | Windows 10 and Linux Manjaro
#3 - blair (OC3D Crew) - 05-11-17, 03:54 PM
The local admin account is disabled.


I even disabled access to CMD and PowerShell, yet they still managed to make themselves admin even though they still cannot open either of these.

Is there some flaw in Windows?
#4 - Dark NighT (OC3D Elite) - 05-11-17, 04:10 PM

What about USB sticks with software on them to circumvent the security?
#5 - hmmblah (Moderator) - 05-11-17, 04:45 PM
Are they on a domain or are they all standalone?

Edit: is it possible someone used a utility like this: https://pogostick.net/~pnh/ntpasswd/, like Dark NighT mentioned?
__________________
CaseLabs Mercury S3 | i7 4790k | Maximus VII Impact | GTX1080 | 16GB DDR3 | 512GB NVMe
Acer Predator Z35P | Corsair K70 LUX RGB Cherry MX Brown | Corsair Scimitar Black MMO Gaming Mouse


#6 - blair (OC3D Crew) - 05-11-17, 06:38 PM
Right, well, I found out how they did it, though not 100% on all of it: they replaced sethc.exe with cmd.exe, then at the lock screen, if you hit Shift 5 times, it opens a command prompt with admin rights. Then they ran (net localgroup administrators "accountname" /add) and this made them admin.

However, after undoing their cmd and sethc switch, I tried to replicate it from the beginning and couldn't copy cmd as sethc even with a command prompt; it said access denied. Trying to copy manually asks for the admin password.

The only way I can get it to work is by using an installation disk, running the command from that and copying cmd as sethc, but they did not boot from any disc or USB when they did it. Wondering if I accidentally left them as admin, then they planted the exploit and could carry it out without needing access to the System32 folder.
__________________
My Rig:
I7-6850K - 4x8GB 3000Mhz Corsair Vengance - 2x8GB Asus Strix GTX1080 - Asus Rampage V Edition 10 X99 - 500GB Samsung Pro 950 SSD + 500GB SSD + 3TB HDD - 1000W Corsair Power Supply
Laptop:
Surface Book I5-6300U 3Ghz - 8GB Ram - 256GB NVME SSD - GT940m GDDR5
#7 - Surfie (OC3D Crew) - 06-11-17, 05:40 AM
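The sethc.exe swap described in the thread can be audited from an elevated PowerShell prompt on each PC. This is an added example, not a script posted in the thread: it checks the accessibility binaries in System32 for a mismatched OriginalFilename (a copied cmd.exe still carries cmd's version resource), the Image File Execution Options "Debugger" variant of the same trick (which goes beyond the file-copy case in the thread), the current local Administrators membership, and recent 4732 group-add events from the Security log (present only where that auditing is enabled). It assumes Windows 10 with the built-in Microsoft.PowerShell.LocalAccounts module.

```powershell
# Added audit script (not from the thread). Run from an elevated PowerShell prompt.
# 1) Accessibility binaries in System32: a cmd.exe copied over sethc.exe keeps cmd's own
#    version resource, so OriginalFilename reads "Cmd.Exe" instead of "sethc.exe".
#    A genuine cmd.exe is still catalog-signed, so the signature check on its own only
#    catches non-Microsoft replacements; the OriginalFilename check catches the copy.
# 2) IFEO "Debugger" values under those names (redirects the binary without touching the file).
# 3) Local Administrators membership as it stands now.
# 4) Security event 4732 (member added to a local group); only present if auditing is on.
$sys32 = Join-Path $env:SystemRoot 'System32'
$accessibility = 'sethc.exe','utilman.exe','osk.exe','narrator.exe','magnify.exe','displayswitch.exe','atbroker.exe'
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

$binaryReport = foreach ($name in $accessibility) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path $path)) { continue }
    $issues = @()
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') { $issues += "signature: $($sig.Status)" }
    $orig = (Get-Item $path).VersionInfo.OriginalFilename
    if ($orig -and $orig -ne $name) { $issues += "OriginalFilename is '$orig'" }   # -ne is case-insensitive
    $dbg = Get-ItemProperty -Path (Join-Path $ifeo $name) -Name Debugger -ErrorAction SilentlyContinue
    if ($dbg) { $issues += "IFEO Debugger = '$($dbg.Debugger)'" }
    [pscustomobject]@{
        Binary = $name
        Sha256 = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        Issues = if ($issues) { $issues -join '; ' } else { 'none' }
    }
}

"== Accessibility binaries =="
$binaryReport | Format-Table -AutoSize

"== Local Administrators =="
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

"== Local-group additions (event 4732, last 30 days) =="
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # EventData fields: TargetUserName = group, MemberSid/MemberName = who was added, SubjectUserName = who did it
        $x = [xml]$_.ToXml()
        $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $member = if ($d['MemberName'] -and $d['MemberName'] -ne '-') { $d['MemberName'] } else { $d['MemberSid'] }
        [pscustomobject]@{ Time = $_.TimeCreated; Group = $d['TargetUserName']; Added = $member; By = $d['SubjectUserName'] }
    } | Format-Table -AutoSize
```

Any row whose Issues column is not "none", an unexpected name in the Administrators list, or a 4732 entry for the Administrators group that you did not make yourself is what to chase; the Sha256 column lets you compare the binaries across all 30 machines.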
Quote: Originally Posted by blair
Right, well, I found out how they did it, though not 100% on all of it: they replaced sethc.exe with cmd.exe, then at the lock screen, if you hit Shift 5 times, it opens a command prompt with admin rights. Then they ran (net localgroup administrators "accountname" /add) and this made them admin.

However, after undoing their cmd and sethc switch, I tried to replicate it from the beginning and couldn't copy cmd as sethc even with a command prompt; it said access denied. Trying to copy manually asks for the admin password.

The only way I can get it to work is by using an installation disk, running the command from that and copying cmd as sethc, but they did not boot from any disc or USB when they did it. Wondering if I accidentally left them as admin, then they planted the exploit and could carry it out without needing access to the System32 folder.
Perhaps they used a rename instead of a copy? Or made a shortcut that was simply named sethc?
__________________
What we've got here is; failure to communicate...
#8 - NeverBackDown (AMD Enthusiast) - 06-11-17, 06:52 AM
Sounds like you need to put in more secure stuff and have a meeting telling people to stop trying to get around the network.
__________________
I am Iron Man.
#9 - Kaapstad (OC3D Elite) - 06-11-17, 08:01 AM
Quote: Originally Posted by blair
Right, well, I found out how they did it, though not 100% on all of it: they replaced sethc.exe with cmd.exe, then at the lock screen, if you hit Shift 5 times, it opens a command prompt with admin rights. Then they ran (net localgroup administrators "accountname" /add) and this made them admin.

However, after undoing their cmd and sethc switch, I tried to replicate it from the beginning and couldn't copy cmd as sethc even with a command prompt; it said access denied. Trying to copy manually asks for the admin password.

The only way I can get it to work is by using an installation disk, running the command from that and copying cmd as sethc, but they did not boot from any disc or USB when they did it. Wondering if I accidentally left them as admin, then they planted the exploit and could carry it out without needing access to the System32 folder.

Does your company have an IT policy that staff should follow?

If you know who it is you really should be showing them the door.
__________________
OC3D Overclockers Club Member
#041

GTX 960 owner and proud of it.
#10 - hmmblah (Moderator) - 06-11-17, 12:35 PM

Quote: Originally Posted by Kaapstad
Does your company have an IT policy that staff should follow?

If you know who it is you really should be showing them the door.
Yeah, that employee should be fired. They went well out of their way to exploit the system. Who knows what else they are doing.

When I started my current job I found some keyloggers installed on a few machines. Everyone had local admin access before I started so they could install what they wanted. First thing I did was remove those accounts. Anyway, the person who installed them was spying on female employees, getting their passwords for personal accounts etc. Because it was a shared environment we had no way to prove who did it. We had an idea and the keylogger installations all matched the person's schedule, but we couldn't prove it 100%.

I released a letter to the employees that basically said change all your personal account info and cancel your credit cards because someone had installed keyloggers. It caused a panic and eventually the person who did it came forward. The authorities ended up taking his personal computers from his home and found some inappropriate images of children on them. Needless to say he was fired and ended up serving some jail time.