
Wednesday, December 23, 2015

From ADMIN to SYSTEM with love. The case of Windows 10, Server 2016 and above

This is a mental note for myself. If it benefits you, great.
2015 has been an extremely challenging year for most of us. Nevertheless, landing a shell with admin privileges is not really a big deal. The problem is that in certain environments the system has been hardened, so dumping or tampering with the lsass.exe process seems impossible.

For those of you who are not familiar, on previous versions of Windows we could simply use the at.exe trick combined with remote.exe (refer to Chris Gates' note) to obtain SYSTEM (aka NT AUTHORITY\SYSTEM).

Unfortunately, on Windows 10 the at function is no longer available.




This proves to be an inconvenience for us. As an alternative, we can use the Meterpreter getsystem command, which is based on 3 techniques:

You can read my post on AV evasion techniques. But say you are in a bit of a hurry, spawning a shell via exploits is not a priority, and what you really need is just a damn good shell to, ehem, let's say install software? Simple: just use psexec. I wrote about it previously to run as another user. But the current version of psexec comes with a GodMode switch: that damn -s switch.



To become SYSTEM, right-click cmd.exe, run it as administrator, and then run psexec -s -i -d CMD.
And thus you are spawned a shell running at the highest integrity level.



R.I.P. AT and Shift 5 times.





 

Wednesday, March 19, 2014

Poor man's Tablet Wimax Yes 4G... (Probably the first one in Malaysia)

Note: Just because I criticize YES services doesn't mean that I hate them. In fact their network performance would make P(2-1) look like pea one.. But there's always room for improvement. After all, real hackers innovate, mutate, making bidaah hasanah for the greater good and fun.


After the PoC of turning your Raspberry Pi into a full-blown Yes Zoom, I browsed one day to see what the YTL/Yes guys are up to.
It's great that they are giving free (with a conditional surrender/subscription) tablets to 99 lucky people. However, those tablets don't come with built-in WiMAX, which is a sad thing. We have 3G and 4G, but many capitalistic industrialists treat WiMAX as a foster child..

So my favourite guru poisoned me with the idea: make it work with a tablet.

Hardware Requirements
1. Samsung Galaxy Tab 10.1 P7500
2. Yes4G Dongle
3. OTG cable with external power (5V 2A); the type is explained later.

1. You can use any ROM that you like, but my choice would be plain stock CyanogenMod with tun enabled and access to libusb. This is important, as the gctwimax driver runs in user space.

2. According to the OTG 1.0 specification, the device plugged in draws between 8 mA and 100 mA. The host couldn't supply more due to design/current limits (on the Nexus 7 it's the kernel). And unfortunately the Yes4G dongle draws at least 500 mA. We can verify this by going to Device Manager and checking the power.

3. So yeah, we need an OTG cable with extra power. A simple power bank should be sufficient.

4. I'm using Linux on Android to ease development. Compiling gctwimax is straightforward once you chroot into it, but the problem occurs when you try to run the gctwimax dialer.

5. The solution that I used is one hell of a bad hack.

# $bbox is the busybox binary, $mnt is the chroot root
$bbox mount --bind /dev/bus $mnt/dev/bus
$bbox mknod $mnt/dev/net/tun c 10 200

6. You also need to run dhcpd wimax0 outside of the chroot environment. If necessary, the DNS server can be set using the setprop command. If everything goes well, congratulations: you are one of the luckiest bast&^ds using WiMAX on a tablet natively.
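The bind mount and mknod from step 5, wrapped in a script so they can be re-run safely. This is an added example, not code from the original post; it assumes BBOX points at a busybox binary on the device, CHROOT is the chroot root, and DRY_RUN=1 prints the commands instead of running them. The dhcpd/setprop steps from step 6 are still done outside the chroot by hand.

```shell
#!/bin/sh
# Added example, not from the original post: expose the USB bus and a tun
# device inside a Linux-on-Android chroot so a user-space WiMAX driver such
# as gctwimax can run there. Assumed: BBOX (busybox), CHROOT, DRY_RUN.
BBOX="${BBOX:-busybox}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or print it when DRY_RUN=1 (review before touching /dev).
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Classify a tun node: "ok" only for a character device with major 10 and
# minor 200, the numbers the post passes to mknod; anything else is a problem.
check_tun_node() {
    node="$1"
    [ -e "$node" ] || { echo missing; return 1; }
    [ -c "$node" ] || { echo not-char; return 1; }
    # stat %t/%T print major/minor in hex; convert before comparing
    major=$(printf '%d' "0x$(stat -c %t "$node")")
    minor=$(printf '%d' "0x$(stat -c %T "$node")")
    if [ "$major" -eq 10 ] && [ "$minor" -eq 200 ]; then echo ok; return 0; fi
    echo "bad-numbers:$major:$minor"; return 1
}

# Idempotently bind /dev/bus and create /dev/net/tun under the chroot root $1.
prepare_chroot_dev() {
    root="$1"
    # A second bind mount would stack on the first, so check /proc/mounts.
    if grep -qs " $root/dev/bus " /proc/mounts; then
        echo "bind mount already present"
    else
        run "$BBOX" mkdir -p "$root/dev/bus"
        run "$BBOX" mount --bind /dev/bus "$root/dev/bus"
    fi
    case "$(check_tun_node "$root/dev/net/tun")" in
        ok) echo "tun node already present" ;;
        missing)
            run "$BBOX" mkdir -p "$root/dev/net"
            run "$BBOX" mknod "$root/dev/net/tun" c 10 200
            run "$BBOX" chmod 0660 "$root/dev/net/tun" ;;
        *)  echo "unexpected node at $root/dev/net/tun, leaving it alone" >&2
            return 1 ;;
    esac
}

if [ -n "${CHROOT:-}" ]; then prepare_chroot_dev "$CHROOT"; fi
```

Run it once with DRY_RUN=1 to see exactly what will be mounted and created before running it for real as root.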


Everything works perfectly. You can see WiFi is turned off, and of course I didn't have any SIM card.


The USB device is detected correctly and interpreted as a modem instead of mass storage.

An IP address is being delegated properly.

Yeap, it's working..


P/S: This is probably the first tablet with Yes4G powered natively in Malaysia. Can someone submit it to the Malaysia Book of Records? (Do we still have that crap?) Lolz.


To-do list:

1. Make this thing cleaner.
2. Use ScriptManager to automate stuff.






Friday, January 30, 2009

Using flasm for fun and not really profit.

It seems ages since I last jotted something into my blog. So here it goes,

A colleague of mine asked me to download this flash video from this particular website:

http://www.virtualforge.de/vmovie/xss_lesson_1/xss_selling_platform_v1.0.html

So page info yielded this particular swf file:

http://www.virtualforge.de/vmovie/xss_lesson_1/xss_selling_platform_v1.0.swf

Unfortunately it's just a partial part of the movie and it's not complete.

There are two ways to retrieve the incomplete parts: first by using a proxy, second by using a pretty cool tool I found called flasm, which is a yum away.

Using flasm we can disassemble the swf file to see how it retrieves the incomplete parts of the movie.



So we get the list of the missing movie parts (swf files). Do whatever regex filtering you are familiar with and dump it into a text file, or whatever method you like at this point. (The important part is just to grab the list of the available swf files.)
For me, I dumped it all in a text file called hugo.txt


[yondie@Reinstein hugo]$ cat hugo.txt
control.swf
enter_bob.swf
enter_alice.swf
enter_mel.swf
alice_is_attacked.swf
mel_impersonates_alice.swf

One way to download them all:

[yondie@Reinstein hugo]$ for i in $(cat hugo.txt)
> do
> curl -sS -o "$i" "http://www.virtualforge.de/vmovie/xss_lesson_1/$i"
> done

And yeah, it's complete.
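The "regex filterization" and the download loop above, as one script that also refuses any entry that is not a plain relative file name (a disassembled clip could reference paths or full URLs, and writing those blindly to disk is not what we want). This is an added example, not code from the original post; it assumes flasm's text disassembly is on stdin, and the sample listing inside it is constructed, not a real dump.

```shell
#!/bin/sh
# Added example, not from the original post: extract the .swf names a flasm
# disassembly references and fetch them relative to the lesson's base URL.
# The sample dump below is constructed and only mimics such a listing.
BASE_URL="${BASE_URL:-http://www.virtualforge.de/vmovie/xss_lesson_1}"

# Print every distinct *.swf token found on stdin, one per line, in
# first-seen order, so repeated references do not trigger repeat downloads.
list_swf_refs() {
    grep -o "[A-Za-z0-9_./-]*\.swf" | awk '!seen[$0]++'
}

# Accept only plain relative file names such as those in hugo.txt; reject
# anything with a path component, "..", or a URL scheme before writing to disk.
safe_name() {
    case "$1" in
        ""|*/*|*..*|*:*) return 1 ;;
        *) return 0 ;;
    esac
}

# Fetch each name read from stdin into the current directory. DRY_RUN=1
# prints the curl command line instead of running it.
fetch_swf_list() {
    while IFS= read -r name; do
        if ! safe_name "$name"; then
            echo "skipping suspicious entry: $name" >&2
            continue
        fi
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "curl -sS -o $name $BASE_URL/$name"
        else
            curl -sS -o "$name" "$BASE_URL/$name"
        fi
    done
}

# Constructed stand-in for a flasm dump; the traversal entry shows what the
# filter refuses, which a real listing would not normally contain.
sample_dump() {
    cat <<'EOF'
frame 0
  push 'control.swf', 0
  push 'enter_bob.swf', '_level1'
  push 'control.swf'
  push '../other/alice_is_attacked.swf'
  push 'enter_mel.swf'
EOF
}
```

On a real movie the pipeline is flasm -d movie.swf | list_swf_refs | fetch_swf_list, with DRY_RUN=1 first to review what would be fetched.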