Sticky keys privilege escalation on Windows XP

The purpose of a privilege escalation attack is to gain more privileges over an operating system. An example is gaining administrator privileges from a restricted account on a Windows XP system, which is what we are going to do today.

How does this attack work?

This attack is a fairly simple one. It works by replacing ‘sethc.exe’ with a copy of ‘cmd.exe’; both files are located in the system32 folder, and ‘sethc.exe’ is the application that runs when you press shift five times. Then all you have to do is press shift five times at the login screen and, instead of the sticky keys dialog, you will get a command prompt with administrative privileges: because Windows launches it from the login screen before anyone has signed in, the prompt does not run as any restricted user.

Example

In this example we have a Windows XP machine that has two accounts, a password protected administrator account (admin) and an unprotected restricted account (user01).

Because we can’t change the files from within Windows we must boot a live CD and make the change there. If that isn’t possible, e.g. because of a locked BIOS, someone could use social engineering to gain access to an administrator account for a limited time. For this tutorial I will be using a Linux Mint live CD because that is what I have available right now; you can use any distro you like and are comfortable with. First you must locate and navigate to the system32 folder.

To do that use the cd command to change directory and the ls command to display the files and directories. If you want to restore everything as it was afterwards, keep a backup copy of ‘sethc.exe’ with the following command.

cp sethc.exe sethc.exe.bak

And after you are done with the exploit you can restore it with the following command.

cp sethc.exe.bak sethc.exe

Then copy the file using the following command.

cp cmd.exe sethc.exe

Finally reboot and press shift five times at the login screen and you will be presented with a command prompt with administrative privileges, which you can use to change the admin password, add a secret account, install malicious software and much more. It would also be a good idea, although not necessary, to put the original ‘sethc.exe’ file back when finished.

Let’s say we want to change the admin account password. We can do that using the following command, which prompts for the new password.

net user admin *

And the password has been changed. This trick is especially useful if you find yourself locked out of your system.
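From the defender’s side, the swap described above leaves a simple trace: ‘sethc.exe’ becomes byte-for-byte identical to ‘cmd.exe’. The following script is an added example (not part of the original post) that audits a system32 folder for exactly that condition; it goes slightly beyond the post by checking the other accessibility helpers Windows starts from the login screen in the same way. The function names and the constructed demo folder (fake file contents, not real binaries) are assumptions of this example.

```python
import hashlib
import os
import tempfile

# Accessibility helpers that can be launched from the login screen.
# sethc.exe is the one the post swaps out; the others are checked the same way.
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe",
                          "narrator.exe", "magnify.exe")


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_binaries(system32_dir):
    """Return the accessibility binaries in system32_dir whose contents are
    identical to cmd.exe, i.e. the result of 'cp cmd.exe sethc.exe'."""
    cmd_hash = sha256_of(os.path.join(system32_dir, "cmd.exe"))
    swapped = []
    for name in ACCESSIBILITY_BINARIES:
        path = os.path.join(system32_dir, name)
        if os.path.isfile(path) and sha256_of(path) == cmd_hash:
            swapped.append(name)
    return swapped


def build_demo_system32():
    """Constructed stand-in for a tampered system32 folder (fake contents):
    sethc.exe has been overwritten with a copy of cmd.exe, utilman.exe has not."""
    d = tempfile.mkdtemp()
    fake_cmd = b"MZ-constructed-cmd.exe-contents"
    with open(os.path.join(d, "cmd.exe"), "wb") as f:
        f.write(fake_cmd)
    with open(os.path.join(d, "sethc.exe"), "wb") as f:
        f.write(fake_cmd)  # the swap the post performs
    with open(os.path.join(d, "utilman.exe"), "wb") as f:
        f.write(b"MZ-constructed-utilman.exe-contents")
    return d


if __name__ == "__main__":
    demo = build_demo_system32()
    print(find_swapped_binaries(demo))  # ['sethc.exe']
```

On a real machine point find_swapped_binaries at the Windows system32 folder (from the live CD or from within Windows); comparing the helpers against known-good hashes instead of against cmd.exe would also catch a replacement with a program other than cmd.exe.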
