Message-ID: <CA+1kKf6Z2rmd_8EDPyDOcL=nps-1pV3p5rc+OrtCwbGYVyrtYg@mail.gmail.com>
Date: Mon, 8 Jul 2013 20:47:31 +0100
From: some one <s3cret.squirell@...il.com>
To: Fabien DUCHENE <f.duchene@...-online.fr>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Abusing Windows 7 Recovery Process
Errrr
The user wasn't there, never mind him being admin...
I'll test this out again when I next do a Win7 review on a job.
On 8 Jul 2013 11:39, "Fabien DUCHENE" <f.duchene@...-online.fr> wrote:
> There may be an Active Directory domain policy which only allows a
> configured set of groups/users to be admin of your workstation.
> Keep in mind domain policies are applied at startup and periodically.
>
> > Message: 1
> > Date: Mon, 1 Jul 2013 15:16:45 +0100
> > From: some one <s3cret.squirell@...il.com>
> > To: full-disclosure@...ts.grok.org.uk
> > Subject: Re: [Full-disclosure] Abusing Windows 7 Recovery Process
> > Message-ID:
> > <CA+1kKf460FE0uo7ps780N3f=gFh8G=i0+o1yR5w1uPocZUbVwg@...l.gmail.com>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > I tried this out onsite today. Got the cmd.exe as described and added a
> > user into the local admin group... Restarted the box, tried to log in as the
> > new user, and it isn't there...
> >
> > Logged in as a legit admin and ran net users, and no mention of my created
> > account... Weird...
> > On Jun 30, 2013 10:54 AM, "Cool Hand Luke" <coolhandluke@...lhandluke.org>
> > wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA512
> >>
> >> On 06/29, Grandma Eubanks wrote:
> >> > However, I think this is still interesting. It's been a while since I've
> >> > played with Windows boxes and won't have access to one for a couple days,
> >> > but isn't this triggering off of vendor supplied recovery partitions? This
> >> > is a regular Windows 7 sole partition box you tried this one?
> >>
> >> from a first look, i don't think a vendor-supplied recovery partition is
> >> necessary. it appears that it would also be possible if the "system
> >> restore" setting was enabled (but don't quote me on that).
> >>
> >> i'm not sure how likely that is in your average large, corporate
> >> environment. the ones i've seen have system restore disabled and opt to
> >> reimage systems instead when issues occur. i'm sure there are some
> >> environments where this could be useful, however.
> >>
> >> - -chl
> >>
> >> - --
> >> cool hand luke
> >>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/