From Domain User to Domain Admin in a few easy steps

October 17, 2008

The company I work for right now sucks; their IT people completely ignore glaring problems – I always thought IT people were naturally fairly proactive, but no – something about people in Florida seems to make them very lazy.

From domain user to domain admin – how I did it – just for fun.

1. I looked in c:\windows\system32\ccm\logs to find out where the SMS server was.
2. I browsed to the server and looked in the smspkgd$ folder to see if there was anything interesting there.
3. I found a package named ChangeWKSPassword.vbs – guess what it does… yep, it’s a plain-text VBS script to change the local workstation admin password, including, of course, the password in plain text.
4. So now I have local admin rights on every PC in the company.
5. Next I used csvde to export all the user account AD information to get a list of all the domain admins, which also, conveniently, contains their PC names.
6. I connect to the c$ share on one of the domain admins’ machines and add a script to his Windows startup folder which adds me to the domain admins group.
7. I then wait for the next time that user logs off and on.
8. I’m a domain admin.

OK – I didn’t go quite as far as putting the script on the other admin’s machine, but I easily could. The people here strike me as the kind that, instead of saying “thanks for finding a huge gaping security hole”, would actually say “you’re fired for hacking” – I’m only contracting here; I’ll tell them when I leave.

1. Don’t store any passwords in plain text anywhere.
2. NEVER allow anyone to log on as a domain admin – that’s what runas is for (over 30 of the IT people here log on as domain admins).
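A defender's check for rule 1, prompted by the ChangeWKSPassword.vbs find: an added example (not from the post) that walks a package share and reports deployment scripts carrying a literal password, with the secret masked in the report. The regex patterns, the `scan_share` helper and the VBScript sample are my own constructions, not the real package.

```python
import re
from pathlib import Path

# Hypothetical patterns for a literal secret in VBScript/batch/PowerShell deployment scripts.
SECRET_PATTERNS = [
    re.compile(r'(?i)\b(?:str)?(?:pass(?:word|wd)?|pwd)\w*\s*=\s*"([^"]+)"'),  # strPassword = "..."
    re.compile(r'(?i)\.SetPassword\s*\(?\s*"([^"]+)"'),                        # objUser.SetPassword "..."
    re.compile(r'(?i)\bnet\s+user\s+\S+\s+([^/*\s]\S*)'),                      # net user <name> <pwd>
]
COMMENT_LINE = re.compile(r"^\s*(?:'|rem\b|#)", re.IGNORECASE)

def find_hardcoded_secrets(text, name="<memory>"):
    """Return (name, line_no, redacted_line) for each line carrying a literal secret; the secret is masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if COMMENT_LINE.match(line):
            continue  # commented-out lines are noise, not live credentials
        for pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if match:
                secret = match.group(1)
                findings.append((name, line_no, line.replace(secret, "*" * len(secret)).strip()))
                break  # one finding per line is enough
    return findings

def scan_share(root, suffixes=(".vbs", ".bat", ".cmd", ".ps1")):
    """Walk a package share (e.g. the smspkgd$ tree) and collect findings from every script in it."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            findings.extend(find_hardcoded_secrets(path.read_text(errors="replace"), str(path)))
    return findings

# Constructed stand-in for a password-reset package; NOT the script from the post.
SAMPLE_VBS = """' Constructed sample: reset the local Administrator password
Option Explicit
Dim objNet, objUser, strComputer
Set objNet = CreateObject("WScript.Network")
strComputer = objNet.ComputerName
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
' strPassword = "OldValue"  (commented out, must not be reported)
objUser.SetPassword "Summer2008!"
objUser.SetInfo
"""

if __name__ == "__main__":
    for name, line_no, redacted in find_hardcoded_secrets(SAMPLE_VBS, "ChangeWKSPassword.vbs"):
        print(f"{name}:{line_no}: {redacted}")
```

Point `scan_share` at a copy of the share (or run it on the server with read-only rights) and treat every hit as a credential to rotate, not just a line to delete.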


