Gain admin access on windows system using your guest account

Hello All,

Ever thought of how to get into your friend's system and see the access-denied files and folders? Or ever wanted to hack into someone's admin account? Well, here is a method that exploits yet another Windows bug.

  1. Have you ever noticed that if you press the SHIFT key 5 or more times in a row, a pop-up window named "Sticky Keys" appears? If it doesn't pop up on your computer, the shortcut is probably turned off. To enable it, go to Control Panel -> Accessibility Options. Under the Keyboard tab, in the Sticky Keys section, click Settings and enable the shortcut for Sticky Keys. You can do this even from a guest account.
  2. Finally, if the following two requirements are met on your system, you are all set to enter the admin's account:
     • On pressing SHIFT 5 or more times, a pop-up should appear.
     • The Windows System32 directory should be writable.

Concept:
When you press the SHIFT key 5 or more times, a file named "sethc.exe" is
executed. You can verify this in Task Manager (don't close the pop-up
window). This file is located in the C:\WINDOWS\system32 folder, or
wherever your Windows is installed.

The Vulnerability

  1. When the SHIFT key is pressed 5 or more times, Windows executes a file named
     "sethc.exe" located in the system32 folder. It doesn't even check that it is
     the genuine file. It also runs with the privileges of the CURRENT USER,
     i.e. if you are logged on as guest, then in Task Manager under Processes
     it shows the user name as guest.
  2. The file executes even if you log off and the Windows login screen is
     showing, BUT THIS TIME, SINCE NO USER HAS LOGGED IN, IT RUNS WITH
     SYSTEM PRIVILEGE.

Exploitation
If you understand this much, the exploitation is very simple. We take cmd.exe,
copy it to a folder other than system32 (Windows won't let you make the copy
inside system32), rename the copy to sethc.exe, go to the system32 folder
and paste it there. Windows will ask, "another file exists, do you want to
replace it?", and after pressing OK you have replaced sethc.exe with your own
cmd.exe. Now if you press the SHIFT key 5 or more times, a command prompt will
pop up.


Finally

  1. Now log off or restart. When you reach the Windows login screen, press
     the SHIFT key 5 or more times. A command prompt will pop up with SYSTEM
     privilege.
  2. Enter the normal commands as follows:
       net user username /add
       net user localgroup administrators username /add
  3. A new user called "username" with admin privilege will be added.

And that's it: you have admin privilege on the system and can do whatever you want with it.

Hiding your fake admin profile
Now you surely don't want the real admin to track you. Here is what you have to do to hide yourself from the login screen as well as from Control Panel:

  1. Open the Registry Editor and go to this key:
  2. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
  3. Here create a new DWORD value and give it the name of the "user name" you created for your admin account.

That's it: now you are invisible but still admin of the system. Live as admin forever and keep screwing the real admin.
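As an added example (not part of the original post), here is the check an administrator can run to spot both artefacts described above on a Windows box: a sethc.exe that has been replaced, and accounts hidden through the UserList key. It uses standard Windows PowerShell cmdlets; Get-LocalGroupMember needs Windows 10 / Server 2016 or later, and the script should be run from an elevated prompt.

```powershell
# Added defender-side check (not code from the original post). Looks for the two
# artefacts the post describes: a swapped sethc.exe and accounts hidden via the
# Winlogon\SpecialAccounts\UserList key. Run in an elevated Windows PowerShell 5.1+.
function Test-StickyKeysBackdoor {
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $sethc = Join-Path $sys32 'sethc.exe'
    $cmd   = Join-Path $sys32 'cmd.exe'
    $findings = @()

    # Check 1: is sethc.exe really the Accessibility keys application?
    # A renamed cmd.exe keeps cmd.exe's version resource (OriginalFilename 'Cmd.Exe')
    # and its SHA-256 equals that of cmd.exe in the same directory.
    $sethcHash = (Get-FileHash -Algorithm SHA256 -Path $sethc).Hash
    $cmdHash   = (Get-FileHash -Algorithm SHA256 -Path $cmd).Hash
    if ($sethcHash -eq $cmdHash) {
        $findings += 'sethc.exe is byte-identical to cmd.exe (classic Sticky Keys swap).'
    }
    $origName = (Get-Item $sethc).VersionInfo.OriginalFilename
    if ($origName -ne 'sethc.exe') {     # -ne is case-insensitive in PowerShell
        $findings += "sethc.exe reports OriginalFilename '$origName' instead of 'sethc.exe'."
    }
    # A signature check only catches non-Microsoft replacements: cmd.exe renamed to
    # sethc.exe still validates, because catalog signing is keyed by file hash, not name.
    $sig = Get-AuthenticodeSignature -FilePath $sethc
    if ($sig.Status -ne 'Valid') {
        $findings += "sethc.exe is not validly signed (status: $($sig.Status))."
    }

    # Check 2: accounts hidden from the logon screen and Control Panel.
    # A value under UserList hides the account whose name matches the value name.
    $userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    if (Test-Path $userList) {
        $admins = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
        $names  = (Get-Item $userList).Property      # value names only, no PS* noise
        foreach ($name in $names) {
            $value   = (Get-ItemProperty -Path $userList -Name $name).$name
            $isAdmin = $admins -contains "$env:COMPUTERNAME\$name"
            $findings += "Account '$name' hidden via UserList (value=$value, local admin=$isAdmin)."
        }
    }

    if ($findings.Count -eq 0) { return 'No Sticky Keys swap or hidden accounts found.' }
    return $findings | ForEach-Object { "FINDING: $_" }
}

Test-StickyKeysBackdoor
```

On a clean machine the function returns the single "No Sticky Keys swap or hidden accounts found." line; each finding it does return names the exact file or account to look at.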



Last but not least (IMPORTANT)
Windows has two types of login screens:

  1. Where the accounts are listed with pictures.
  2. Where you have to type a username and password.

After making the hidden account you will have to log in through the second type only. If your login screen is of type 1, press CTRL-ALT-DEL twice to get the second type of screen.

That's it!!!

NOTE:
This is a sure-shot way to gain admin. If you are a lamer or a newbie,
then please do some googling.
I have written almost every detail.

Thanks for reading this far 🙂 Make a comment if you liked this one.

Thanks for digging and shouting it out to your friends.

Windows Text to Speech Converter: Try at Home

Ever wondered about one great thing in Windows that can amaze you? Well, here is one for you 🙂

Try the following steps and you will see a perfect example of a text-to-speech converter:

  1. Open Notepad and put the following code into it:
     ' Ask for a line of text, then read it aloud through the Windows Speech API (SAPI)
     Dim msg, sapi
     msg = InputBox("Enter your text", "Talk it")
     Set sapi = CreateObject("sapi.spvoice")
     sapi.Speak msg
  2. Save the file as "text2speech.vbs"; remember, it's not .txt but .vbs. Make sure you do not save it as text2speech.vbs.txt.
  3. Double-click the file and a box will appear asking you for some text.
  4. Enter any text you want to test. For instance, enter your name.
  5. Hit Enter and that's it. You just saw a perfect example of a text-to-speech converter.

Enjoy.

3 Cheers for Bill Gates
Note: Tested only on Win XP; I haven't tested this on Vista yet.

Digg it and share with friends if you liked this post.
Thanks