Help me break XP locked down image

DuckmanX

Senior member
Oct 11, 1999
469
0
0
Hello all,

I am at work and recently received a Windows XP Pro base locked down image. We are currently doing some testing on it and I have been asked to break it. I am trying to find a way into some secured areas of Windows under a locked down "restricted user" profile.

Any suggestions or lil tricks?

Things that are secured...
Delete rights, view rights of all folders outside of their profile
Installation rights
Control panel rights\tcpip\iexplorer\regedit...

Any XP cmd line stuffs would be great.


Thanks,
DuckmanX


PS: I'll be done evaluating this image on 11/27/04 thx.
 

LiLithTecH

Diamond Member
Jul 28, 2002
3,105
0
0
Some CONTROL PANEL command lines:

Control desktop - Launches the Desktop Control Panel subprogram
Control color - Launches the Desktop Control Panel subprogram, with the Appearance tab preselected
Control date/time - Launches the Date/Time Control Panel program
Control international - Launches the Regional Settings Control Panel subprogram
Control mouse - Launches the Mouse Control Panel subprogram
Control keyboard - Launches the Keyboard Control Panel subprogram
Control printers - Displays the Printers folder
Control fonts - Displays the Fonts folder
Control folders - Launches the Folder Settings Control Panel subprogram
Control netware - Launches the Novell NetWare Control Panel subprogram (if installed)
Control telephony - Launches the Phone and Modem Options Control Panel subprogram
Control admintools - Displays the Administrative Tools folder
Control schedtasks - Displays the Scheduled Tasks folder
Control netconnections - Displays the Network and Dial-up Connections folder
Control infrared - Launches the Infrared Control Panel subprogram (if installed)
Control userpasswords - Launches the Users and Passwords Control Panel subprogram
 

DuckmanX

Senior member
Oct 11, 1999
469
0
0
Thanks for the quick response. Tried and a Restrictions box popped up.

"This operation has been cancelled due to restrictions in effect by this computer. Please contact your system administrator."

Any other challengers?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
What is the goal exactly? To render it inoperable, or to subvert its security arrangements? Will it be a member of a domain?
 

Aluf

Member
Nov 4, 2004
26
0
0
The goal sets the rules indeed - whether you 1) try to mimic behaviour of a careless "restricted rights" user to see how long Windows will hold before it crashes; or 2) there are no rules/restrictions applied and your ultimate goal is to circumvent the security measures put in place to get full control over the system. The second one is quite simple if you have physical access to machine - boot another (linux) system to steal/destroy SAM and get Admin access to the machine or hook the harddisk on another machine as Admin and open whatever you want.

BTW Regedit usage is locked down in Registry, to circumvent this nuisance I once took Regedit.exe, opened it in a hex editor (Winhex), found all strings "Regedit", changed them to "Degedit", named and saved it as DEgedit.exe and had no problems searching the Registry (all security restrictions of a user apply nevertheless).

Another thought would be to look for unpatched Windows/other programs with known vulnerabilities on it. Methods are numerous but again depends on rules of engagement.
 

DuckmanX

Senior member
Oct 11, 1999
469
0
0
Sorry, I guess I wasn't specific enough...

The goal is to bypass some security measures so you can change local settings or increase one's own rights. I am trying not to use vulnerabilities or any hacking externally. This is so the Joe Blow user can not muck around with our settings or install any junk. I would love to find a way to either increase the restricted user into an admin, or enable the install shield. EDIT: This must be done within the XP operating system or possibly in safe mode w/ networking (we have a server they have to log onto, there isn't a chance of logging on to computer otherwise).


Aluf, I will try changing the registry values with a hex editor.

Thanks All.

DuckmanX
 

Aluf

Member
Nov 4, 2004
26
0
0
"Aluf, I will try changing the registry values with a hex editor"
Oops,
I in turn didn't say that I was referring to the case when Administrator by using the following tweak in Registry disabled running Regedit.exe :
User Key: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
Value Name: DisableRegistryTools
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = allow regedit, 1 = disable regedit)

.. and then my method of eliminating the string "Regedit" from regedit.exe (regedit.exe is a program not demanding installation for viewing and editing Registry) would apply (add on - I don't recall which version of Regedit.exe I used - the one of XP or from Windows Me but it doesn't matter).
more of registry http://www.winguides.com/registry/

"not to use vulnerabilities or any hacking externally"
I hope it's the case but if your users can create files on local hard disk and can run programs by double clicking them (through Registry Admin can as well list ONLY progs that user can run by name, but again change cracker.exe to Notepad.exe and it fails) then I'm afraid they could find some "hacking external utility" from Web and activate it against the system frequently thinking they use some useful freeware (Oh look! what a cute calendar/pics viewer/game/etc I found on the Net and it doesn't need installation! ) . The good news is if OS is patched and secured through standard practices by Admin those possible malware won't do much (but for testing maybe worth a look).

In my view - to elevate privileges only by playing with built-in tools in patched and locked OS with AntiVirus for non-professional hacker/programmer is near impossible.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Originally posted by: cessna152
How far can you go?

The use of a bootable cd such as BartPE can be used to circumvent lots of stuff if you know what you're doing.

Here are a few links:
http://www.sala.pri.ee/#pass
http://www.911cd.net/forums/
A couple of suggestions to help mitigate these potential issues:
1. Set a strong BIOS password and set it to only boot off the local hard drive (so they can't boot from CD).
2. Put a lock on the case to make it harder for them to muddle with the hardware.

As was stated if they have restricted user privileges and the software is up to date it's going to be very hard for them to do much to it inside of windows. About the only reasonable hope they would have of privilege elevation would be for them to boot the machine and then do a password reset (or crack) a local administrative account, if you do the things I've listed above and make sure to use a strong local admin password they'll probably give up right there.

If you have further issues such as people running applications you don't want them to (not doing harm to the machine but running un-approved stuff) then lock the machines down further using a GPO specifying only the applications you want them to have the abilities to run.

-Erik
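
Added example, not part of any post in this thread: a Python comparison of an allow-list keyed on file name (which the thread notes fails once a file is renamed to an approved name) with one keyed on a hash of the file contents. The file names, contents and the `compare_rules` helper are constructed for illustration and assume nothing about the image under test.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash file contents in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def allowed_by_name(path, allowed_names):
    """Name rule: trusts whatever the file happens to be called."""
    return os.path.basename(path).lower() in allowed_names


def allowed_by_hash(path, allowed_hashes):
    """Hash rule: trusts only byte-for-byte approved content."""
    return sha256_of(path) in allowed_hashes


def write_file(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)
    return path


def compare_rules():
    """Build constructed sample files and evaluate both rule types on each."""
    with tempfile.TemporaryDirectory() as root:
        approved = write_file(os.path.join(root, "system", "notepad.exe"),
                              b"constructed stand-in for the approved program")
        unapproved = b"constructed stand-in for an unapproved download"
        original = write_file(os.path.join(root, "profile", "calendar.exe"), unapproved)
        renamed = write_file(os.path.join(root, "profile", "Notepad.exe"), unapproved)

        names = {"notepad.exe"}           # allow-list by name
        hashes = {sha256_of(approved)}    # allow-list by content hash
        return {
            label: (allowed_by_name(path, names), allowed_by_hash(path, hashes))
            for label, path in [("approved", approved), ("original", original),
                                ("renamed", renamed)]
        }


if __name__ == "__main__":
    for label, (by_name, by_hash) in compare_rules().items():
        print(f"{label:9} name-rule={by_name!s:5} hash-rule={by_hash}")
```

The renamed copy passes the name rule and fails the hash rule, which is the argument for building the allow-list on hash (or path plus write-protected directory) rules rather than on file names.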
 

DuckmanX

Senior member
Oct 11, 1999
469
0
0
Cessna152,

Sorry, just trying to break into it without the use of any bootable media...

thx
DuckmanX

PS: may be a while till I can try this stuff out... I may have the Norwalk virus.
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
Try Start - Help...launch Explorer from the links
same way, try clicking on the links to the Control Panel (like in troubleshooting)
Start - Run ...cmd, command, explorer, any other programs you want to (searching for "missed" exclusions)

 