(Ab)using scheduled tasks to elevate privileges
In this example we obtained local admin on the box, but wanted domain admin instead. Craig quickly spotted that a scheduled task runs as domain admin (ntbackup). We hoped to simply change the backup params to give us a shell, but this was hopeless, and if you try replacing the ntbackup executable with a simple cmd.exe, Windows File Protection stops us. The simple solution was to let the scheduled task run, debug the process and insert our cmd process in its memory space. (If your attacker already has local admin, you have issues.) This video shows the attack under the debugger. (Post 2 probably does more of the explaining.)
(Ab)using scheduled tasks to elevate privileges [Part II]
After getting the problem resolved through the debugger, we simply wrote a tiny .exe to patch the process in memory and do the same. (The observant amongst you will notice I make reference to the imaginary method createremoteprocess instead of CreateRemoteThread - the mistake was caught early, but my video editing skills are second only to my MS Office skills, so I suspect I will end up living with the error for a bit ;> )
RealVNC 4.1.1 Authentication Bypass demonstration
A short demonstration of the RealVNC 4.1.1 remote authentication bypass reported by Steve Wiseman.
Visual Basic Script Brute-Forcer

Sometimes the quick-n-dirty hack is all that's needed to obtain glory. Case in point: instead of trying to reverse a thick-app protocol, we scripted a brute-forcer using the application and some VBS glue.

Elevating Privileges using Sygate's Personal Firewall

In this video, we demonstrate the dangers when desktop utilities that run with elevated privileges are accessible to ordinary users.
